pf.conf + nfs
Hi,
I've managed to configure nfs as per the instructions on www.openbsd.org and it works great as long as pf is deactivated. Consequently, could someone review my rules? The problem is probably obvious but I just can't figure it out! Thanks. Code:
##################################
# PF.CONF #
##################################

# MACROS
ext_if="xl0"
tcp_services="{ 21, 22, 53, 80, 111, 443, 2049, 9000 }"
udp_services="{ 53, 111, 123, 2049 }"

# TABLES
table <sshguard> persist
table <spamhaus_drop> persist

# OPTIONS
set block-policy return
set loginterface $ext_if
set skip on lo

# FTP PROXY RULES
anchor "ftp-proxy/*"
pass in quick on $ext_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021

# MATCH RULES
match in all scrub (no-df)
match out on egress inet from !($ext_if:network) to any nat-to ($ext_if:0)

# FILTER RULES
# SPOOF
antispoof quick for { lo $ext_if }
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255

# BLOCK
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
block drop log quick from <spamhaus_drop> to any
block drop log quick from any to <spamhaus_drop>
block return log all

# PASS
pass out quick
pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services
pass in on egress inet proto udp from any to (egress) \
    port $udp_services
# pass in on $ext_if
Thanks for the response Oko. Yeah, mountd will change port every time it is restarted. I guess AFS could be used to achieve the same goal; I'm just trying to mount an NFS filesystem so that I don't have to constantly go from one computer to the next with a USB when I want to share documents amongst them. I guess I could probably achieve the same by using ssh.
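A small diagnostic, added here and not part of the thread, that makes the mountd point concrete: it compares the ports RPC services are registered on (the format `rpcinfo -p <server>` prints) against the fixed `tcp_services`/`udp_services` lists from the pf.conf above. The rpcinfo sample is constructed; on a real server feed `rpcinfo -p server` into `find_unlisted_rpc_ports` instead.

```shell
#!/bin/sh
# Port lists copied from the pf.conf posted in this thread (pf set syntax flattened)
tcp_services="21 22 53 80 111 443 2049 9000"
udp_services="53 111 123 2049"

# Constructed sample of "rpcinfo -p" output. portmapper and nfs sit on the
# fixed ports the ruleset allows; mountd, nlockmgr and status were handed
# dynamic ports by portmap, which the ruleset knows nothing about.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    857  mountd
    100005    3   tcp    987  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    715  nlockmgr
    100024    1   tcp    862  status
EOF
}

# Read rpcinfo -p lines on stdin; print "proto port name" for every
# registration whose port is absent from the matching pass-in list.
find_unlisted_rpc_ports() {
    while read -r prog vers proto port name; do
        case "$prog" in program|'') continue ;; esac   # skip header/blank
        case "$proto" in
            tcp) list="$tcp_services" ;;
            udp) list="$udp_services" ;;
            *)   continue ;;
        esac
        listed=0
        for p in $list; do
            [ "$p" = "$port" ] && listed=1
        done
        if [ "$listed" -eq 0 ]; then
            echo "$proto $port $name"
        fi
    done
}

# How many registrations in the sample the "block return log all" rule would catch
count_unlisted() {
    sample_rpcinfo | find_unlisted_rpc_ports | wc -l | tr -d ' '
}

count_unlisted
```

Because mountd's port changes on every restart, no static entry in `tcp_services`/`udp_services` can keep this list empty, which is why the thread moves on to tunnelling NFS instead of opening ports.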
Not sure if it is feasible in your case but you could have a look at Simplifying complex IPSec or Firewall solutions -- such as NFS -- with gif(4)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
See http://daemonforums.org/showthread.php?t=8709 -- this is an example of using gif(4) to tunnel NFS traffic, so that PF rules could be easily written and the NFS traffic both managed and protected. The example rules are for an IPSec based VPN.
(Disclaimer: I've recently changed the infrastructure so I no longer have this implementation in production.) Edit - j65nko posted the same link as I was typing this. Last edited by jggimi; 29th March 2015 at 12:01 AM. Reason: typo, thinko, etc.
Thanks! It's interesting. I have a question with regard to IPSec so I'll post it in the other thread.