Discussion:
OpenBSD 4.1 and NFS and PF trouble
gentoo1
2007-11-25 09:17:50 UTC
Hi guys.

I have a problem with NFS and pf. When pf is on, NFS does not work. I put
the holes for portmap and nfs in pf... but I think that the problem is in
mountd, because mountd changes its own port every time I restart the
server:

#####################################
#rpcinfo -p mars
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 883 mountd
100005 3 udp 883 mountd
100005 1 tcp 767 mountd
100005 3 tcp 767 mountd
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
####################################

Sometimes it is 773, 762, or 995.

OK, the question is: how do I set a static port for mountd? (Then I will
open the firewall (pf) on this port for the client machine.)

BR and thanks in advance!
--
View this message in context: http://www.nabble.com/OpenBSD-4.1-and-NFS-and-PF-trouble-tf4869532.html#a13933886
Sent from the openbsd user - misc mailing list archive at Nabble.com.
Theo de Raadt
2007-11-25 09:33:12 UTC
Post by gentoo1
I have a problem with NFS and pf. When pf is on, NFS does not work. I put
the holes for portmap and nfs in pf... but I think that the problem is in
mountd, because mountd changes its own port every time I restart the server:
#####################################
#rpcinfo -p mars
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 883 mountd
100005 3 udp 883 mountd
100005 1 tcp 767 mountd
100005 3 tcp 767 mountd
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
####################################
Sometimes it is 773, 762, or 995.
OK, the question is: how do I set a static port for mountd? (Then I will
open the firewall (pf) on this port for the client machine.)
There is no way to do that. We do random port allocation. You could
hand-patch mountd to pick a specific port at startup and bind() to it,
but I would be averse to that going into the tree.

There is a bit of a myth here, I should point out. You can't do NFS
security, or more specifically RPC security, via packet filtering at
the port level. Your file handles are going to be flying all over the
place, and that is a massive problem. NFS is the biggest risk factor
of them all, so why bother blocking anything else? I suppose there
could be very specific reasons, but .. not everything can do
everything.

I did look before at having portmap tell pf which ports it was
allocating, but gave up because (1) it was difficult to do, (2) it
had basically no security benefit, and (3) it would only work for
pf running _on_ the portmap machine...
Brian Morton
2007-11-25 15:05:52 UTC
Post by gentoo1
Hi guys.
I have a problem with NFS and pf. When pf is on, NFS does not work. I put
the holes for portmap and nfs in pf... but I think that the problem is in
mountd, because mountd changes its own port every time I restart the server:
#####################################
#rpcinfo -p mars
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 883 mountd
100005 3 udp 883 mountd
100005 1 tcp 767 mountd
100005 3 tcp 767 mountd
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
####################################
Sometimes it is 773, 762, or 995.
OK, the question is: how do I set a static port for mountd? (Then I will
open the firewall (pf) on this port for the client machine.)
BR and thanks in advance!
Also, don't forget to set no-df on your NFS rule. NFS sometimes
fragments packets and sets the DF flag. PF will drop these packets if
they are set in such a way unless you specify no-df in your rule.
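An added example, not code from the thread or from OpenBSD: a POSIX sh script that reads the ports a service has registered with portmap (the format `rpcinfo -p` prints, here with two constructed snapshots based on the table in the first post), emits pf rules for the current mountd ports together with a `no-df` scrub line, and checks after a reboot whether mountd moved, which is exactly what breaks a static ruleset. The client address 192.0.2.10 and interface em0 are assumed example values.

```shell
#!/bin/sh
# Added example (not from the thread). Snapshot 1 is constructed from the
# rpcinfo table in the first post; on a real host use: rpcinfo -p "$server"

rpcinfo_boot1='program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 883 mountd
100005 3 udp 883 mountd
100005 1 tcp 767 mountd
100005 3 tcp 767 mountd
100003 2 udp 2049 nfs
100003 3 tcp 2049 nfs'

# Constructed second snapshot: mountd came back on other random ports, nfs did not move.
rpcinfo_boot2='program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 995 mountd
100005 3 udp 995 mountd
100005 1 tcp 773 mountd
100005 3 tcp 773 mountd
100003 2 udp 2049 nfs
100003 3 tcp 2049 nfs'

# rpc_ports RPCINFO_OUTPUT SERVICE: print "proto port" pairs for SERVICE, one per
# line, deduplicated because protocol versions 1 and 3 share a port.
rpc_ports() {
    printf '%s\n' "$1" | awk -v svc="$2" '$5 == svc { print $3, $4 }' | sort -u
}

# rpc_ports_unchanged SNAP1 SNAP2 SERVICE: succeed only if SERVICE listens on the
# same proto/port pairs in both snapshots; run this after each server reboot.
rpc_ports_unchanged() {
    [ "$(rpc_ports "$1" "$3")" = "$(rpc_ports "$2" "$3")" ]
}

# pf_rules RPCINFO_OUTPUT CLIENT IFACE: emit rules for the current mountd ports.
# The scrub line applies no-df to the client's traffic, since NFS fragments may
# carry DF (no-df is a scrub option in pf of that era); CLIENT/IFACE are assumed.
pf_rules() {
    printf 'scrub in on %s from %s to any no-df\n' "$3" "$2"
    rpc_ports "$1" mountd | while read -r proto port; do
        printf 'pass in on %s proto %s from %s to (%s) port %s\n' "$3" "$proto" "$2" "$3" "$port"
    done
}

pf_rules "$rpcinfo_boot1" 192.0.2.10 em0
```

Rules generated this way have to be regenerated and reloaded after every server reboot, which is the practical consequence of the random allocation Theo describes.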
gentoo1
2007-11-25 16:28:25 UTC
Post by Brian Morton
Post by gentoo1
Hi guys.
I have a problem with NFS and pf. When pf is on, NFS does not work. I put
the holes for portmap and nfs in pf... but I think that the problem is in
mountd, because mountd changes its own port every time I restart the
server:
#####################################
#rpcinfo -p mars
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 883 mountd
100005 3 udp 883 mountd
100005 1 tcp 767 mountd
100005 3 tcp 767 mountd
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
####################################
Sometimes it is 773, 762, or 995.
OK, the question is: how do I set a static port for mountd? (Then I will
open the firewall (pf) on this port for the client machine.)
BR and thanks in advance!
Also, don't forget to set no-df on your NFS rule. NFS sometimes
fragments packets and sets the DF flag. PF will drop these packets if
they are set in such a way unless you specify no-df in your rule.
Hi Brian,
The problem is not that. I use "no-df" in my pf.
Thanks for your opinion.

Kind Regards

--
View this message in context:
http://www.nabble.com/OpenBSD-4.1---NFS-and-PF-trouble-tf4869532.html#a13937103
Sent from the openbsd user - misc mailing list archive at Nabble.com.