fbsd_user wrote:

Post complete content of your rules file for review by people here
on list.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mark Frasa
Sent: Wednesday, January 25, 2006 4:04 AM
To: freebsd-questions@freebsd.org
Subject: IPFW / NFSD


Hello,

I am currently running 1 HTTP server on FreeBSD 6.0

Of course, like anyone who likes security, I am running IPFW and set
the kernel to block by default.

Behind that HTTP server I am running 2 Linux boxes.

The problem is that when I enable the firewall and open up the ports from
rpcinfo -p:

    program vers proto   port  service
     100000    4   tcp    111  rpcbind
     100000    3   tcp    111  rpcbind
     100000    2   tcp    111  rpcbind
     100000    4   udp    111  rpcbind
     100000    3   udp    111  rpcbind
     100000    2   udp    111  rpcbind
     100000    4 local    111  rpcbind
     100000    3 local    111  rpcbind
     100000    2 local    111  rpcbind
     100005    1   udp    668  mountd
     100005    3   udp    668  mountd
     100005    1   tcp    984  mountd
     100005    3   tcp    984  mountd
     100003    2   udp   2049  nfs
     100003    3   udp   2049  nfs
     100003    2   tcp   2049  nfs
     100003    3   tcp   2049  nfs

I opened up all these ports but I can't do an ls or write to NFS or
whatever.
Then I thought maybe it's trying something local, so I added:

$cmd add 00225 allow ip from 1.2.3.4/24 to any keep-state

Even this does not work.

Tcpdump shows me that when I have ipfw open, it only communicates with
port 2049 and I don't see anything more.

Can anybody help me out here?

Additional info:

{ [EMAIL PROTECTED] } uname -a
FreeBSD arcas 6.0-RELEASE-p1 FreeBSD 6.0-RELEASE-p1 #2: Wed Jan  4
15:45:38 UTC 2006     [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ARCAS  i386


Mark.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"[EMAIL PROTECTED]"



Here is the list:

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="vr0"     # public interface name of NIC
              # facing the public Internet
secure="ip2.of.this.box"
arcas="ip.of.this.box"

$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state
$cmd 00100 allow ip from any to any out via $pif keep-state
$cmd 00200 allow tcp from any to $arcas 80 in via $pif
$cmd 00310 allow icmp from any to any in via $pif

# Allow in secure from selected ip's
$cmd 00410 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state
$cmd 00411 allow tcp from x.x.x.x/32 to $secure 22 in via $pif keep-state

# Allow in nfs requests on secured ip from own network only
$cmd 00425 allow ip from x.x.x.x/24 to $secure setup keep-state

# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any

Mark.
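An added example (not Mark's rules file and not from anyone on the thread) that turns the rpcinfo -p listing quoted above into one ipfw allow rule per proto/port pair, limited to the internal network, and applies "setup" only to TCP rules, since ipfw's setup keyword matches only TCP SYN packets and so never matches UDP NFS traffic. The network, the destination address and the starting rule number are placeholder arguments; the interface name vr0 is taken from the posted rules, and the rpcinfo text is a constructed sample in the same format.

```shell
#!/bin/sh
# Constructed sample in the format of `rpcinfo -p` (subset of the thread's listing).
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100000    4 local    111  rpcbind
    100005    1   udp    668  mountd
    100005    1   tcp    984  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# nfs_rules NET DST RULENUM
#   Prints one "ipfw -q add" line per unique proto/port pair found in
#   RPCINFO_SAMPLE. The "local" transport is a unix socket, not something
#   the packet filter sees, so it is skipped. TCP rules get "setup keep-state"
#   (only the SYN creates the dynamic rule); UDP rules get plain "keep-state",
#   because "setup" would never match a UDP datagram.
nfs_rules() {
    net=$1; dst=$2; num=$3
    printf '%s\n' "$RPCINFO_SAMPLE" |
    awk -v net="$net" -v dst="$dst" -v num="$num" '
        $1 == "program" { next }              # header line
        $3 == "local"   { next }              # unix-socket transport
        !seen[$3 "/" $4]++ {                  # first time we see proto/port
            flags = ($3 == "tcp") ? "setup keep-state" : "keep-state"
            printf "ipfw -q add %05d allow %s from %s to %s %s in via vr0 %s\n",
                   num, $3, net, dst, $4, flags
            num += 1
        }'
}

# Placeholder arguments: internal /24, the NFS server's internal address,
# and the first free rule number in the posted rules file.
nfs_rules 10.0.0.0/24 10.0.0.1 425
```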
