Remote file mount won't work when pf is enable

Postby hollis2507 » 09 Dec 2009, 11:00

Hi all,

I have a server and a client. I have set up an NFS server on the server and I can successfully connect to my backup file from my client machine.

My issue is that this will only work with the firewall off. When I turn the firewall on I get
RPCPROG_NFS: RPC: Port mapper failure - RPC: Timed out


I'm not very experienced with the firewalls within BSD. I've tried enabling various ports within pf.conf but I still have the same issue.

Is there any configuration change I can make in order to allow this through?

Thanks in advance
hollis2507
Junior Member
 
Posts: 17
Joined: 16 Sep 2009, 09:56
Location: Reading, UK

Postby graudeejs » 09 Dec 2009, 11:05

pass on $ext_if proto { tcp, udp } from any to any port { nfsd, lockd }


I think this should work
graudeejs
Style(9) Addict
 
Posts: 4591
Joined: 16 Nov 2008, 23:23
Location: Riga, Latvia

Postby SirDice » 09 Dec 2009, 11:19

NFS is somewhat tricky to firewall. RPC uses different ports each time.
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
SirDice
Old Fart
 
Posts: 16161
Joined: 17 Nov 2008, 16:50
Location: Rotterdam, Netherlands

Postby graudeejs » 09 Dec 2009, 11:34

In that case you can allow all ports from known-to-be "secure" hosts... [similar to what I did with ftp :D]
graudeejs
Style(9) Addict
 
Posts: 4591
Joined: 16 Nov 2008, 23:23
Location: Riga, Latvia

Postby hollis2507 » 09 Dec 2009, 11:46

Thanks for the replies.

I tried

pass on $ext_if proto { tpc, udp } from any to any port { nfsd, lockd }


I got the same error message I quoted in my first post.

You say I can allow all ports from known-to-be "secure" hosts?

How do I go about doing this?
hollis2507
Junior Member
 
Posts: 17
Joined: 16 Sep 2009, 09:56
Location: Reading, UK

Postby graudeejs » 09 Dec 2009, 11:53

Well... this is probably not good... but for a desktop...
I created a list of hosts' IP addresses.
In my case I created an sh script that extracted ftp addresses from the ports tree [I need ftp to install ports :) ]

table <ftp_ports_ip_w_list> const file "/etc/ftp_ports_wlist"
...
...
# enable passive ftp
pass out log on $ext_if inet proto tcp from { $ext_ip, <jail_ip_list> } port >1023 to <ftp_ports_ip_w_list> port { ftp, >1023 } group wheel keep state
pass out log on $ext_if inet proto tcp from { $ext_ip, <jail_ip_list> } port >1023 to <ftp_ip_w_list> port { ftp, >1023 } group { users, wheel } keep state

this is from my [file]pf.conf[/file]
graudeejs
Style(9) Addict
 
Posts: 4591
Joined: 16 Nov 2008, 23:23
Location: Riga, Latvia

Postby dennylin93 » 09 Dec 2009, 12:56

SirDice wrote: NFS is somewhat tricky to firewall. RPC uses different ports each time.


This might help: [file]nfs_reserved_port_only="YES"[/file]?
dennylin93
Member
 
Posts: 784
Joined: 11 Dec 2008, 13:13

Postby hollis2507 » 09 Dec 2009, 13:37

dennylin93 wrote: This might help: [file]nfs_reserved_port_only="YES"[/file]?


Where does this go? rc.conf?
hollis2507
Junior Member
 
Posts: 17
Joined: 16 Sep 2009, 09:56
Location: Reading, UK

Postby graudeejs » 09 Dec 2009, 13:42

from [man]rc.conf[/man]:
     nfs_reserved_port_only
                 (bool) If set to “YES”, provide NFS services only on a secure
                 port.



answer: yes
graudeejs
Style(9) Addict
 
Posts: 4591
Joined: 16 Nov 2008, 23:23
Location: Riga, Latvia

Postby phoenix » 09 Dec 2009, 16:16

If you control the NFS server, then you can tell all of the NFS utilities to listen to specific ports (search for _flags in [file]/etc/defaults/rc.conf[/file] and look at nfs, rpcbind, lockd, statd, and so on).

Then you only have to allow TCP/UDP traffic through on those ports.

For example, on one NFS server, we use the following:
mountd_enable="yes"                     # Run mountd (or NO).
mountd_flags="-r -h 192.168.0.186 -p 32000"    # Flags to mountd (if NFS server enabled)
rpc_lockd_enable="yes"                  # Run NFS rpc.lockd needed for client/server.
rpc_lockd_flags="-h 192.168.0.186"     # Flags to rpc.lockd (if enabled).
rpc_statd_enable="yes"                  # Run NFS rpc.statd needed for client/server.
rpc_statd_flags="-p 32001"              # Flags to rpc.statd (if enabled).
rpcbind_enable="yes"                    # Run the portmapper service (YES/NO).
rpcbind_flags="-h 192.168.0.186"
nfs_server_enable="yes"                 # This host is an NFS server (or NO).
nfs_server_flags="-u -t -n 4 -h 192.168.0.186"         # Flags to nfsd (if enabled).
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
phoenix
MFC'd
 
Posts: 3349
Joined: 17 Nov 2008, 05:43
Location: Kamloops, BC, Canada

Postby graudeejs » 09 Dec 2009, 16:30

There's another option... [this is how I solved the pf+torrents problem]
create a jail with an aliased IP, run NFS in the jail....
allow all traffic to/from that IP....

I wonder what others think about this [perhaps it's totally bad]
graudeejs
Style(9) Addict
 
Posts: 4591
Joined: 16 Nov 2008, 23:23
Location: Riga, Latvia

Postby SirDice » 09 Dec 2009, 16:56

killasmurf86 wrote: There's another option... [this is how I solved the pf+torrents problem]
create a jail with an aliased IP, run NFS in the jail....
allow all traffic to/from that IP....

I wonder what others think about this [perhaps it's totally bad]


That's not entirely going to work. IIRC it's mountd that you can't bind to a specific address. Which means it will listen on all addresses, including the ones belonging to other jails and the host itself.
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
SirDice
Old Fart
 
Posts: 16161
Joined: 17 Nov 2008, 16:50
Location: Rotterdam, Netherlands

Postby DutchDaemon » 09 Dec 2009, 21:25

I think allowing [FILE]{sunrpc nfsd-status nfsd-keepalive nfsd lockd }[/FILE] should be enough. I normally use [FILE]{sunrpc nfsd lockd }[/FILE], which appears to be enough. Note two other things:

1. use [FILE]no-df[/FILE] ([man=5]pf.conf[/man]) on nfs traffic
2. make sure your nfs host/client can resolve one another correctly (DNS or /etc/hosts)
DutchDaemon
Old Fart
 
Posts: 10463
Joined: 16 Nov 2008, 20:17
Location: The Netherlands

Postby phoenix » 09 Dec 2009, 23:52

SirDice wrote: That's not entirely going to work. IIRC it's mountd that you can't bind to a specific address. Which means it will listen on all addresses, including the ones belonging to other jails and the host itself.


See my post above. You can set everything to its own IP, and even lock in the port that most of the NFS-related services can use.
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
phoenix
MFC'd
 
Posts: 3349
Joined: 17 Nov 2008, 05:43
Location: Kamloops, BC, Canada

Postby J65nko » 10 Dec 2009, 00:55

You can see which packets are being blocked with
block log all


The blocked packets will show up on the pflog0 device. Run tcpdump on pflog0 to see the blocked stuff.

BTW If your firewall is a corporate firewall, then the general consensus is to not allow NFS through the firewall. NFS = No File Security ;)
J65nko
Member
 
Posts: 422
Joined: 17 Nov 2008, 00:06
Location: Budel, Netherlands

Postby johnblue » 17 Dec 2009, 02:59

J65nko wrote:Run tcpdump on pflog0 to see the blocked stuff.
Agreed. Not that I am an expert by any means, but to get a quick snapshot of what is going on I like to use:

tcpdump -n -i pflog0

There are additional switches that you can add to the command, and then you can pipe it to grep or whatever you want to do with the output.
johnblue
Member
 
Posts: 224
Joined: 28 Jan 2009, 08:27
Location: O-o-o-o-o-o-o-klahoma
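Once you have `block log all` in place and `tcpdump -n -i pflog0` running as described above, the useful question is which destination ports pf keeps dropping. The script below is an added example, not code from any poster: it summarises constructed pflog-style tcpdump lines by destination port and labels the ports this thread discusses (rpcbind 111, nfsd 2049, and mountd on 789, which is honk's chosen value, not a fixed assignment).

```shell
#!/bin/sh
# Added example, not code from the thread: summarise what pf is dropping from
# a `tcpdump -n -i pflog0` capture by destination port and map the NFS-related
# ports discussed in the thread to their service, so the missing rule is obvious.
# The log lines are constructed samples; port 789 for mountd is the value honk
# chose in this thread, not a fixed assignment.
SAMPLE_PFLOG='11:00:01.000001 rule 2/0(match): block in on em0: 172.16.1.5.1022 > 172.16.3.2.111: UDP, length 56
11:00:01.000002 rule 2/0(match): block in on em0: 172.16.1.5.1021 > 172.16.3.2.789: UDP, length 40
11:00:01.000003 rule 2/0(match): block in on em0: 172.16.1.5.1020 > 172.16.3.2.111: UDP, length 56
11:00:02.000004 rule 0/0(match): pass in on em0: 172.16.1.5.33000 > 172.16.3.2.22: Flags [S], seq 1, length 0'

# blocked_dst_counts: print "host.port count" for every blocked packet, most
# frequent first; passed packets in the capture are ignored. Reads tcpdump
# text on stdin.
blocked_dst_counts() {
    awk '/\): block / { split($0, h, " > "); sub(/:.*/, "", h[2]); print h[2] }' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# blocked_nfs_ports: reduce the above to "port service count", naming the ports
# this thread discusses (rpcbind 111, mountd 789, nfsd 2049); anything else is
# reported as "unknown".
blocked_nfs_ports() {
    blocked_dst_counts | awk '
        BEGIN { svc["111"] = "rpcbind"; svc["789"] = "mountd"; svc["2049"] = "nfsd" }
        { n = split($1, p, "."); port = p[n]
          print port, ((port in svc) ? svc[port] : "unknown"), $2 }'
}

# Run against the constructed sample; replace with:  tcpdump -n -i pflog0 | blocked_nfs_ports
echo "$SAMPLE_PFLOG" | blocked_nfs_ports
```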

Postby honk » 18 Dec 2009, 02:41

rc.conf on the nfs-server:
## NFS-Server
rpcbind_enable="YES"
nfs_server_enable="YES"
mountd_flags="-p 789"



pf.conf on the firewall:
pass log quick proto {udp tcp} from 172.16.1.0/24 to 172.16.3.2 port {111 789 2049} keep state


And then mount the nfs with tcp as transport protocol:
mount_nfs -o tcp,rw 172.16.3.2:/data /mnt


Works for me (nfs3).

To explain:
At first the nfs-client contacts the portmapper on the server. The portmapper always runs on port 111 udp and tcp (actually only udp is used). The client then asks the portmapper on which port the mountd is listening. This port is normally dynamically chosen, but you can force mountd to always register on a specific port, and this step is important if you have a (stupid) firewall, because you have to allow this port in the ruleset too. Therefore you have to configure your mountd on the server to always use a specific port (in my case 789). As the next step, the client asks the portmapper for the nfsd. Nfsd's port could also be dynamically chosen, but usually only port 2049 is used (tcp or udp, depends on how you mount!). So for the minimal setup you need at least 111, one port for mountd (789) and one port for nfsd (2049). And if you mount_nfs with tcp you will get less trouble with dropped packets (because of congestion on fast links and/or packet drops on the firewall because of fragmentation).

Hope that helps!
cheers,
honk
honk
Member
 
Posts: 134
Joined: 03 Dec 2008, 00:09
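The sequence honk describes (portmapper on 111, then mountd and nfsd on whatever ports they registered) can be checked on the server itself with `rpcinfo -p` before writing the rule. The script below is an added example, not code from any poster: from constructed `rpcinfo -p` output it builds a pass rule in the shape honk used and lists any RPC service that is not on a port you expect to have pinned via the `*_flags` in rc.conf, since such a port will move on the next restart and the firewall rule will silently go stale.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the pf "pass" rule in the
# shape honk used from the server's `rpcinfo -p` output, and list any RPC
# service that is not on one of the ports you expect to have pinned with the
# *_flags in rc.conf (those would still move on restart).
# The rpcinfo output below is constructed for this example; on a real server
# replace it with:  rpcinfo -p | nfs_rpc_ports
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100005    3   udp    789  mountd
    100005    3   tcp    789  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp  43120  nlockmgr
    100024    1   tcp  32001  status'

# nfs_rpc_ports: unique ports of the NFS-related RPC services, one per line,
# numerically sorted. Reads rpcinfo -p text on stdin (first line is the header).
nfs_rpc_ports() {
    awk 'NR > 1 && ($5 == "rpcbind" || $5 == "mountd" || $5 == "nfs" ||
                    $5 == "nlockmgr" || $5 == "status") { print $4 }' | sort -nu
}

# nfs_unpinned_services: services whose port is not in the expected list $1
# (space separated), printed as service:port. Anything reported here is either
# not pinned in rc.conf or pinned to a port the firewall rule does not know.
nfs_unpinned_services() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        NR > 1 && !($4 in ok) { print $5 ":" $4 }' | sort -u
}

# nfs_pf_rule: pass rule for client network $1 to NFS server $2, with the port
# list read from stdin (one per line), in the form honk's pf.conf line used.
nfs_pf_rule() {
    ports=$(tr '\n' ' ' | sed 's/ *$//')
    printf 'pass log quick proto {udp tcp} from %s to %s port {%s} keep state\n' \
        "$1" "$2" "$ports"
}

# Usage with the constructed sample. The expected pinned ports are those from
# honk's post (111, 789, 2049) plus rpc.statd on 32001 as in phoenix's rc.conf;
# nlockmgr on 43120 is then reported as the one still on a dynamic port.
echo "$SAMPLE_RPCINFO" | nfs_rpc_ports | nfs_pf_rule 172.16.1.0/24 172.16.3.2
echo "$SAMPLE_RPCINFO" | nfs_unpinned_services "111 789 2049 32001"
```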
