DaemonForums  

28th March 2015
xJohansenx
pf.conf + nfs

Hi,

I've managed to configure NFS as per the instructions on www.openbsd.org, and it works great as long as pf is deactivated. Consequently, could someone review my rules? The problem is probably obvious, but I just can't figure it out! Thanks.

Code:
##################################
# PF.CONF                        #
##################################
# MACROS
ext_if="xl0"
tcp_services="{ 21, 22, 53, 80, 111, 443, 2049, 9000 }"
udp_services="{ 53, 111, 123, 2049 }"
 
# TABLES
table <sshguard> persist
table <spamhaus_drop> persist
 
# OPTIONS
set block-policy return
set loginterface $ext_if
set skip on lo
 
# FTP PROXY RULES
anchor "ftp-proxy/*"
 
pass in quick on $ext_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021
 
# MATCH RULES
match in all scrub (no-df)
match out on egress inet from !($ext_if:network) to any nat-to ($ext_if:0)
 
# FILTER RULES
 
# SPOOF
antispoof quick for { lo $ext_if }
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
 
# BLOCK
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
block drop log quick from <spamhaus_drop> to any
block drop log quick from any to <spamhaus_drop>
block return log all
 
# PASS
pass out quick
 
pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services
 
pass in on egress inet proto udp from any to (egress) \
    port $udp_services
 
# pass in on $ext_if