I have been trying for a while to get the IP Filter rules just right for
NFS with mixed results.
Does anyone have a template of how this is supposed to work, and whether I
need to tweak parameters in the kernel, per rule, using this "age x/y"
option (I don't know what x/y represent), and whether my rules are
correct for fragmented and non-fragmented packets, etc.?
I currently have the following rpcinfo from the NFS server (a NetApp
Filer), which stays static across reboots, etc., so no worries about that:
[EMAIL PROTECTED] rpcinfo -p idc-na1-svc
   program vers proto   port  service
    100024    1   tcp   4047  status
    100024    1   udp   4047  status
    100011    1   udp   4049  rquotad
    100021    4   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    1   udp   4045  nlockmgr
    100005    3   tcp   4046  mountd
    100005    2   tcp   4046  mountd
    100005    1   tcp   4046  mountd
    100005    3   udp   4046  mountd
    100005    2   udp   4046  mountd
    100005    1   udp   4046  mountd
    100003    4   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   udp   2049  nfs
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
[EMAIL PROTECTED]
I currently have the following (see below) inbound and outbound rules...
-- 10.206.6.6 is the gate1 server noted above (nfs client)
-- 10.206.6.5 is the NetApp Filer (nfs server)
-- 10.206.9.5 is the NetApp Filer (nfs server)
-- 10.207.x.x is just an alternate site configuration
Do I have the UDP packets matching correctly with the fragmented packet
rules?
Do I need to set my global timers for UDP/ICMP/TCP packets to be longer
than the defaults? Or on an individual rule basis using this "age"
parameter (if I knew what x/y meant for age)?
Do I need separate rules for packets with fragments and without? What are
fragbody and fragtail used for, and can they help me? I don't see any
mention of them in the man pages, etc.
For some reason the NFS client (gate1) is trying to connect to the
NetApp NFS server on an alternate IP address (10.206.9.5) which is
another VLAN that the NFS Filer is on.
We recently turned on Virtual Interfaces (trunk) and VLAN configuration
on the NetApp so that it is seen as 10.206.6.5, 10.206.7.5, 10.206.8.5,
10.206.9.5, 10.206.10.5 and 10.206.11.5
The only thing I can think of that would have caused this "10.206.9.5"
binding of rpc is that I set the hosts table entry on the NetApp filer
to have 'idc-na1' as 10.206.9.5 and the service bound to that IP (of the
6 IPs on the server)... but I needed to bind idc-na1 (hostname) to
something, or should that have been 127.0.0.1?
#----------------------------------------------------------------------------------------------------
############
#10.206.6.5
############
#NFS mount to NetApps (nfsd and portmapper) -- TX NetApp
#port 111
pass in quick on bge1 proto tcp from 10.206.6.5/32 to 10.206.6.6/32 port = 111 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from 10.206.6.5/32 to 10.206.6.6/32 port = 111 keep state keep frags group 101
#port 2049
pass in quick on bge1 proto tcp from 10.206.6.5/32 to 10.206.6.6/32 port = 2049 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from 10.206.6.5/32 to 10.206.6.6/32 port = 2049 keep state keep frags group 101
#ports (4045-4047)
pass in quick on bge1 proto tcp from 10.206.6.5/32 to 10.206.6.6/32 port 4044 >< 4048 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from 10.206.6.5/32 to 10.206.6.6/32 port 4044 >< 4048 keep state keep frags group 101
#port 4049
pass in quick on bge1 proto udp from 10.206.6.5/32 to 10.206.6.6/32 port = 4049 keep state keep frags group 101
#allow fragmentation (NFS) - TX NetApp
pass in quick on bge1 proto udp from 10.206.6.5/32 to 10.206.6.6/32 with frag group 101
############
#10.206.9.5
############
#NFS mount to NetApps (nfsd and portmapper) -- TX NetApp
#port 111
pass in quick on bge1 proto tcp from 10.206.9.5/32 to 10.206.6.6/32 port = 111 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from 10.206.9.5/32 to 10.206.6.6/32 port = 111 keep state keep frags group 101
#port 2049
pass in quick on bge1 proto tcp from 10.206.9.5/32 to 10.206.6.6/32 port = 2049 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from 10.206.9.5/32 to 10.206.6.6/32 port = 2049 keep state keep frags group 101
#ports (4045-4047)
pass in quick on bge1 proto tcp from 10.206.9.5/32 to 10.206.6.6/32 port 4044 >< 4048 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from 10.206.9.5/32 to 10.206.6.6/32 port 4044 >< 4048 keep state keep frags group 101
#port 4049
pass in quick on bge1 proto udp from 10.206.9.5/32 to 10.206.6.6/32 port = 4049 keep state keep frags group 101
#allow fragmentation (NFS) - TX NetApp
pass in quick on bge1 proto udp from 10.206.9.5/32 to 10.206.6.6/32 with frag group 101
############
#10.207.9.5
############
#NFS mount to NetApps (nfsd and portmapper) -- TJ NetApp
#port 111
pass in quick on bge1 proto tcp from 10.207.9.5/32 to 10.206.6.6/32 port = 111 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from 10.207.9.5/32 to 10.206.6.6/32 port = 111 keep state keep frags group 101
#port 2049
pass in quick on bge1 proto tcp from 10.207.9.5/32 to 10.206.6.6/32 port = 2049 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from 10.207.9.5/32 to 10.206.6.6/32 port = 2049 keep state keep frags group 101
#ports (4045-4047)
pass in quick on bge1 proto tcp from 10.207.9.5/32 to 10.206.6.6/32 port 4044 >< 4048 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from 10.207.9.5/32 to 10.206.6.6/32 port 4044 >< 4048 keep state keep frags group 101
#port 4049
pass in quick on bge1 proto udp from 10.207.9.5/32 to 10.206.6.6/32 port = 4049 keep state keep frags group 101
#allow fragmentation (NFS) - TJ NetApp
pass in quick on bge1 proto udp from 10.207.9.5/32 to 10.206.6.6/32 with frag group 101
############
#10.207.6.5
############
#NFS mount to NetApps (nfsd and portmapper) -- TJ NetApp
#port 111
pass in quick on bge1 proto tcp from 10.207.6.5/32 to 10.206.6.6/32 port = 111 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from 10.207.6.5/32 to 10.206.6.6/32 port = 111 keep state keep frags group 101
#port 2049
pass in quick on bge1 proto tcp from 10.207.6.5/32 to 10.206.6.6/32 port = 2049 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from 10.207.6.5/32 to 10.206.6.6/32 port = 2049 keep state keep frags group 101
#ports (4045-4047)
pass in quick on bge1 proto tcp from 10.207.6.5/32 to 10.206.6.6/32 port 4044 >< 4048 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from 10.207.6.5/32 to 10.206.6.6/32 port 4044 >< 4048 keep state keep frags group 101
#port 4049
pass in quick on bge1 proto udp from 10.207.6.5/32 to 10.206.6.6/32 port = 4049 keep state keep frags group 101
#allow fragmentation (NFS) - TJ NetApp
pass in quick on bge1 proto udp from 10.207.6.5/32 to 10.206.6.6/32 with frag group 101
#----------------------------------------------------------------------------------------------------
#----------------------------------------------------------------------------------------------------
############
#10.206.9.5
############
#NFS mount to NetApps (nfsd and portmapper) -- TX NetApp
#port 111
pass out quick on bge1 proto tcp from 10.206.6.6/32 to 10.206.9.5/32 port = 111 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.206.9.5/32 port = 111 keep state keep frags group 102
#port 2049
pass out quick on bge1 proto tcp from 10.206.6.6/32 to 10.206.9.5/32 port = 2049 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.206.9.5/32 port = 2049 keep state keep frags group 102
#ports (4045-4047)
pass out quick on bge1 proto tcp from 10.206.6.6/32 to 10.206.9.5/32 port 4044 >< 4048 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.206.9.5/32 port 4044 >< 4048 keep state keep frags group 102
#port 4049
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.206.9.5/32 port = 4049 keep state keep frags group 102
#allow fragmentation (NFS) - TX NetApp
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.206.9.5/32 with frag group 102
############
#10.206.6.5
############
#NFS mount to NetApps (nfsd and portmapper) -- TX NetApp
#port 111
pass out quick on bge1 proto tcp from 10.206.6.6/32 to 10.206.6.5/32 port = 111 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.206.6.5/32 port = 111 keep state keep frags group 102
#port 2049
pass out quick on bge1 proto tcp from 10.206.6.6/32 to 10.206.6.5/32 port = 2049 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.206.6.5/32 port = 2049 keep state keep frags group 102
#ports (4045-4047)
pass out quick on bge1 proto tcp from 10.206.6.6/32 to 10.206.6.5/32 port 4044 >< 4048 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.206.6.5/32 port 4044 >< 4048 keep state keep frags group 102
#port 4049
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.206.6.5/32 port = 4049 keep state keep frags group 102
#allow fragmentation (NFS) - TX NetApp
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.206.6.5/32 with frag group 102
############
#10.207.9.5
############
#NFS mount to NetApps (nfsd and portmapper) -- TJ NetApp
#port 111
pass out quick on bge1 proto tcp from 10.206.6.6/32 to 10.207.9.5/32 port = 111 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.207.9.5/32 port = 111 keep state keep frags group 102
#port 2049
pass out quick on bge1 proto tcp from 10.206.6.6/32 to 10.207.9.5/32 port = 2049 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.207.9.5/32 port = 2049 keep state keep frags group 102
#ports (4045-4047)
pass out quick on bge1 proto tcp from 10.206.6.6/32 to 10.207.9.5/32 port 4044 >< 4048 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.207.9.5/32 port 4044 >< 4048 keep state keep frags group 102
#port 4049
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.207.9.5/32 port = 4049 keep state keep frags group 102
#allow fragmentation (NFS) - TJ NetApp
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.207.9.5/32 with frag group 102
############
#10.207.6.5
############
#NFS mount to NetApps (nfsd and portmapper) -- TJ NetApp
#port 111
pass out quick on bge1 proto tcp from 10.206.6.6/32 to 10.207.6.5/32 port = 111 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.207.6.5/32 port = 111 keep state keep frags group 102
#port 2049
pass out quick on bge1 proto tcp from 10.206.6.6/32 to 10.207.6.5/32 port = 2049 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.207.6.5/32 port = 2049 keep state keep frags group 102
#ports (4045-4047)
pass out quick on bge1 proto tcp from 10.206.6.6/32 to 10.207.6.5/32 port 4044 >< 4048 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.207.6.5/32 port 4044 >< 4048 keep state keep frags group 102
#port 4049
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.207.6.5/32 port = 4049 keep state keep frags group 102
#allow fragmentation (NFS) - TJ NetApp
pass out quick on bge1 proto udp from 10.206.6.6/32 to 10.207.6.5/32 with frag group 102
#----------------------------------------------------------------------------------------------------
Yet my logs are filling up with requests:
-- to send to 10.206.9.5 on the portmapper (111) for outbound requests
-- return packets from 10.206.6.5 on the portmapper (111) inbound for
what appear to be original outbound packets
Nov 24 22:34:02 gate1 ipmon[163]: [ID 702911 local0.warning] 22:34:02.034940 bge1 @102:39 b 10.206.6.6,61252 -> 10.206.9.5,111 PR udp len 20 84 OUT
Nov 24 22:34:32 gate1 ipmon[163]: [ID 702911 local0.warning] 22:34:32.039010 bge1 @102:39 b 10.206.6.6,61252 -> 10.206.9.5,111 PR udp len 20 84 OUT
Nov 24 22:40:17 gate1 ipmon[163]: [ID 702911 local0.warning] 22:40:17.016350 bge1 @101:48 b 10.206.6.5,111 -> 10.206.6.6,61282 PR udp len 20 56 IN
Nov 24 22:40:32 gate1 ipmon[163]: [ID 702911 local0.warning] 22:40:32.019775 bge1 @101:48 b 10.206.6.5,111 -> 10.206.6.6,61282 PR udp len 20 56 IN
Nov 24 22:41:02 gate1 ipmon[163]: [ID 702911 local0.warning] 22:41:02.029844 bge1 @101:48 b 10.206.6.5,111 -> 10.206.6.6,61282 PR udp len 20 56 IN
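The procedure the post walks through by hand (read the filer's static port registrations out of `rpcinfo -p`, write one stateful pass rule per port, add the `with frag` rule, then compare the ipmon block lines against the rules) is mechanical enough to script. The example below is an added one, not code from the original post or from the IP Filter project: it parses an `rpcinfo -p` listing, emits rules in the same shape as the post's ruleset, and checks each logged packet for a pass rule that should have matched it as a new packet. The rpcinfo listing and the two ipmon lines are constructed from the values shown in the post; the client address `10.206.6.6`, interface `bge1` and group numbers 101/102 are taken from its rules, and the two filer addresses are an assumed subset.

```python
"""IP Filter pass rules for NFS built from `rpcinfo -p`, plus a check of ipmon
log lines against them. Added example, not code from the original post; the
rpcinfo listing and log lines are constructed from the values shown there."""
import re
from collections import defaultdict

# Constructed input: the filer's static port registrations, as in the post.
RPCINFO = """\
program vers proto port service
100024 1 tcp 4047 status
100024 1 udp 4047 status
100011 1 udp 4049 rquotad
100021 4 tcp 4045 nlockmgr
100021 4 udp 4045 nlockmgr
100005 3 tcp 4046 mountd
100005 3 udp 4046 mountd
100003 3 tcp 2049 nfs
100003 3 udp 2049 nfs
100000 2 tcp 111 rpcbind
100000 2 udp 111 rpcbind
"""

def parse_rpcinfo(text):
    """{proto: sorted ports} from rpcinfo -p output; header lines are skipped."""
    ports = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0].isdigit():
            ports[f[2]].add(int(f[3]))
    return {proto: sorted(s) for proto, s in ports.items()}

def port_ranges(ports):
    """Collapse a sorted port list into (lo, hi) runs of consecutive ports."""
    runs = []
    for p in ports:
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs

def port_clause(lo, hi):
    """ipf's 'a >< b' is exclusive on both ends, so 4045-4047 -> 'port 4044 >< 4048'."""
    return f"port = {lo}" if lo == hi else f"port {lo - 1} >< {hi + 1}"

def ipf_rules(direction, iface, src, dst, ports, group):
    """One stateful pass rule per proto/port run, plus the 'with frag' rule:
    non-first UDP fragments carry no port header and never match a port rule."""
    rules = []
    for proto in ("tcp", "udp"):
        for lo, hi in port_ranges(ports.get(proto, [])):
            flags = " flags S" if proto == "tcp" else ""
            text = (f"pass {direction} quick on {iface} proto {proto} from {src}/32 to {dst}/32 "
                    f"{port_clause(lo, hi)}{flags} keep state keep frags group {group}")
            rules.append(dict(dir=direction, iface=iface, proto=proto, src=src, dst=dst,
                              lo=lo, hi=hi, text=text))
    rules.append(dict(dir=direction, iface=iface, proto="udp", src=src, dst=dst, lo=None, hi=None,
                      text=f"pass {direction} quick on {iface} proto udp from {src}/32 to {dst}/32 "
                           f"with frag group {group}"))
    return rules

IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ (?P<dir>IN|OUT)")

def parse_ipmon(line):
    """Packet tuple from an ipmon log line, or None for a line in another format."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("group", "rule", "sport", "dport"):
        pkt[key] = int(pkt[key])
    pkt["dir"] = pkt["dir"].lower()
    return pkt

def find_pass_rule(rules, pkt):
    """Text of the first pass rule matching pkt as a new, non-fragment packet, else None.
    A reply that is only allowed by 'keep state' from the other direction returns None:
    that case is decided by the state table, not by the rule text."""
    for r in rules:
        if r["lo"] is None:  # fragment rule; parsed log lines are whole datagrams
            continue
        same_path = (r["dir"], r["iface"], r["proto"], r["src"], r["dst"]) == (
            pkt["dir"], pkt["iface"], pkt["proto"], pkt["src"], pkt["dst"])
        if same_path and r["lo"] <= pkt["dport"] <= r["hi"]:
            return r["text"]
    return None

CLIENT, IFACE = "10.206.6.6", "bge1"      # gate1 and its filtered interface, from the post
SERVERS = ["10.206.6.5", "10.206.9.5"]    # assumed subset of the filer's VLAN addresses
PORTS = parse_rpcinfo(RPCINFO)
RULES = []
for server in SERVERS:
    RULES += ipf_rules("out", IFACE, CLIENT, server, PORTS, 102)
    RULES += ipf_rules("in", IFACE, server, CLIENT, PORTS, 101)

# Constructed ipmon lines in the post's log format.
LOGS = [
    "22:34:02.034940 bge1 @102:39 b 10.206.6.6,61252 -> 10.206.9.5,111 PR udp len 20 84 OUT",
    "22:40:17.016350 bge1 @101:48 b 10.206.6.5,111 -> 10.206.6.6,61282 PR udp len 20 56 IN",
]

def audit(lines, rules=RULES):
    """Pair each logged packet with the pass rule it should have hit, or None."""
    return [(line, find_pass_rule(rules, parse_ipmon(line))) for line in lines]
```

`audit(LOGS)` separates two different failures. For the outbound query to `10.206.9.5,111` the generated set does contain a matching `pass out ... port = 111` rule, so the question is not whether a rule was written but whether ipf reached and evaluated it; `ipfstat -hio` shows per-rule hit counts for that. For the inbound reply from `10.206.6.5,111` to ephemeral port 61282 no port rule matches, and none should: a reply to an ephemeral port is admitted only by the state entry that `keep state` created when the query went out, so `ipfstat -sl` (the active state entries) and the UDP state timeout are where to look for that one.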