NFS and PF problem (Linux client)
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: NFS and PF problem (Linux client)
- From: "Shawn D'Alimonte" <shawnd_(_at_)_mycybernet_(_dot_)_net>
- Date: Sun, 2 Feb 2003 11:01:31 -0500
I have an OpenBSD server/DSL Firewall that I am having trouble using
NFS on. I am trying to share /var/www/htdocs to a Linux workstation to
ease webpage updates. Now whenever I try to access it the client just
locks up solid. Often reads will work, but trying to modify or copy a
file will cause a lockup. Once it has locked any further accesses from
other shells will also instantly lock.
The server is a SparcCLASSIC running OpenBSD 3.2 with all errata patches
applied. The only 'unusual' thing I am doing over the
usual PPPoE setup is that there is only 1 LAN port. Both PPPoE and the
local net share the same network (Yes, this works).
The Linux client is running Debian testing, with kernel 2.4.20.
Disabling PF makes NFS start working, but I can't find any PF rules
that would keep it from working. I figure rule 4 should let all local
traffic into the machine. All later rules only refer to tun0 or NAT.
Also doesn't 'quick' make it stop processing at that point?
le0 is the local network interface, 192.168.1.11/24
tun0 is the PPPoE interface, dynamic address from PPP
Here are my rules:
# pfctl -s all
@0 scrub in all fragment reassemble
@1 pass out quick on lo0 all
@2 pass in quick on lo0 all
@3 pass out quick on le0 all
@4 pass in quick on le0 all
@5 block in log quick on tun0 inet proto icmp all icmp-type redir
@6 block in log quick on tun0 inet from 255.255.255.255 to any
@7 block in log quick on tun0 inet from 224.0.0.0/3 to any
@8 block in log quick on tun0 inet from 204.152.64.0/23 to any
@9 block in log quick on tun0 inet from 192.0.2.0/24 to any
@10 block in log quick on tun0 inet from 169.254.0.0/16 to any
@11 block in log quick on tun0 inet from 0.0.0.0/8 to any
@12 block in log quick on tun0 inet from 10.0.0.0/8 to any
@13 block in log quick on tun0 inet from 172.16.0.0/12 to any
@14 block in log quick on tun0 inet from 127.0.0.0/8 to any
@15 block in log quick on tun0 inet from 192.168.0.0/16 to any
@16 block out log quick on tun0 inet from any to 255.255.255.255
@17 block out log quick on tun0 inet from any to 224.0.0.0/3
@18 block out log quick on tun0 inet from any to 204.152.64.0/23
@19 block out log quick on tun0 inet from any to 192.0.2.0/24
@20 block out log quick on tun0 inet from any to 169.254.0.0/16
@21 block out log quick on tun0 inet from any to 0.0.0.0/8
@22 block out log quick on tun0 inet from any to 10.0.0.0/8
@23 block out log quick on tun0 inet from any to 172.16.0.0/12
@24 block out log quick on tun0 inet from any to 127.0.0.0/8
@25 block out log quick on tun0 inet from any to 192.168.0.0/16
@26 pass in quick on tun0 inet proto icmp all icmp-type unreach
@27 pass in quick on tun0 inet proto icmp all icmp-type timex
@28 pass in quick on tun0 inet proto icmp all icmp-type echoreq
@29 pass in quick on tun0 inet proto icmp all icmp-type echorep
@30 block in log quick on tun0 inet proto icmp all
@31 pass in quick on tun0 inet proto tcp from any to any port = www flags S/SA keep state
@32 pass in quick on tun0 inet proto tcp from any to any port = ssh flags S/SA keep state
@33 pass out quick on tun0 inet proto tcp all flags S/SA keep state
@34 pass out quick on tun0 inet proto udp all keep state
@35 pass out quick on tun0 inet proto icmp all keep state
@36 block return-rst in log quick on tun0 inet proto tcp all
@37 block return-icmp in log quick on tun0 inet proto udp all
@38 block in log quick on tun0 all
nat on tun0 inet from 192.168.1.0/24 to any -> 216.75.167.186
rdr on tun0 inet proto tcp from any to any port 6346 -> 192.168.1.10
Status: Enabled for 0 days 00:05:16 Debug: None
State Table Total Rate
current entries 0
searches 159 0.5/s
inserts 1 0.0/s
removals 13 0.0/s
Counters
match 158 0.5/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
states unlimited
frags hard limit 5000
#
/etc/exports from OpenBSD server:
# $OpenBSD: exports,v 1.2 2002/05/31 08:15:44 pjanzen Exp $
#
# NFS exports Database
# See exports(5) for more information. Be very careful: misconfiguration
# of this file can result in your filesystems being readable by the world.
/var/www/htdocs -mapall=www:www -network=192.168.1 -mask=255.255.255.0
fstab entry from Linux client (Also tried w/o rsize and wsize options):
pebcak:/var/www/htdocs /www nfs defaults,noauto,user,noatime,rsize=32768,wsize=32768 0 0
--
Shawn D'Alimonte shawnd_(_at_)_mycybernet_(_dot_)_net