On Thu, 18 Oct 2012 19:11:37 +0200
"Sebastian Reitenbach" <sebas...@l00-bugdead-prods.de> wrote:

> getting NFS through a firewall is not that trivial with mountd binding to a 
> random port each time it starts.


Hi,

Here is how I solved it after my proposal for a fixed-port option was
rejected:

/etc/rc.local:

[...]
# register (random) rpc ports to pf anchor
# rpcinfo -p prints "program vers proto port [service]": $3 is proto, $4 port
rpcinfo -p localhost \
|awk '
    /tcp/ {printf "pass in proto %s to port %d\n", $3, $4}
    /udp/ {printf "pass in proto %s to port %d\n", $3, $4;
           printf "pass out proto %s from port %d\n", $3, $4}
    ' \
|pfctl -a rpc -f -
[...]


/etc/pf.conf:

# NFS
# rpc daemons use more or less random ports; they will be put into this anchor
anchor "rpc" on {tun0 lo0} from <nfs> to (self)
anchor "rpc" on {tun0 lo0} from (self) to <nfs>
# local daemons need access to portmap before the rpc anchor is populated
pass in on lo0 inet proto {udp tcp} from localhost to localhost port portmap

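As an added example (my own, not the script from the mail above), the same rc.local idea with two tightening steps: each proto/port pair is emitted once, and only the RPC services named on the command line are opened rather than everything registered with portmap. The rpcinfo output is constructed sample data and rpc_rules is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p localhost` output (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    870  mountd
    100005    3   udp    870  mountd
    100005    1   tcp    747  mountd
    100005    3   tcp    747  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    721  nlockmgr
    100021    3   tcp    693  nlockmgr'

# rpc_rules SERVICES: read rpcinfo -p output on stdin and print pf rules for
# the listed services only (space separated), once per proto/port pair.
# Same rule shapes as the rc.local snippet above: inbound for tcp and udp,
# plus an outbound rule for udp so replies leave from the same port.
rpc_rules() {
    awk -v wanted=" $1 " '
        # $3 is proto, $4 port, $5 service; the header line has $3 == "proto"
        $3 == "tcp" || $3 == "udp" {
            if (index(wanted, " " $5 " ") == 0) next   # not a wanted service
            if (seen[$3 "/" $4]++) next                 # already emitted
            printf "pass in proto %s to port %d\n", $3, $4
            if ($3 == "udp")
                printf "pass out proto %s from port %d\n", $3, $4
        }'
}

# Stand-alone demo on the sample; on a real host the pipeline would be:
#   rpcinfo -p localhost | rpc_rules "mountd nfs" | pfctl -a rpc -f -
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules "mountd nfs"
```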