Re: NFS and PF problem (Linux client)
Rule 0 is probably screwing you up. Linux does not like scrub.
/marco
> -----Original Message-----
> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]
> On Behalf Of Shawn D'Alimonte
> Sent: Sunday, February 02, 2003 10:02
> To: misc@openbsd.org
> Subject: NFS and PF problem (Linux client)
>
>
> I have an OpenBSD server/DSL firewall that I am having trouble using
> NFS on. I am trying to share /var/www/htdocs to a Linux workstation to
> ease webpage updates. Now whenever I try to access it the client just
> locks up solid. Often reads will work, but trying to modify or copy a
> file will cause a lockup. Once it has locked, any further accesses from
> other shells will also instantly lock.
>
> The server is a SparcCLASSIC running OpenBSD 3.2 with all errata patches
> applied. The only 'unusual' thing I am doing over the usual PPPoE setup
> is that there is only 1 LAN port. Both PPPoE and the local net share the
> same network (Yes, this works).
>
> The Linux client is running Debian testing, with kernel 2.4.20.
>
> Disabling PF makes NFS start working, but I can't find any PF rules
> that would keep it from working. I figure rule 4 should let all local
> traffic into the machine. All later rules only refer to tun0 or NAT.
> Also, doesn't 'quick' make it stop processing at that point?
>
> le0 is the local network interface, 192.168.1.11/24
> tun0 is the PPPoE interface, dynamic address from PPP
>
> Here are my rules:
> # pfctl -s all
> @0 scrub in all fragment reassemble
> @1 pass out quick on lo0 all
> @2 pass in quick on lo0 all
> @3 pass out quick on le0 all
> @4 pass in quick on le0 all
> @5 block in log quick on tun0 inet proto icmp all icmp-type redir
> @6 block in log quick on tun0 inet from 255.255.255.255 to any
> @7 block in log quick on tun0 inet from 224.0.0.0/3 to any
> @8 block in log quick on tun0 inet from 204.152.64.0/23 to any
> @9 block in log quick on tun0 inet from 192.0.2.0/24 to any
> @10 block in log quick on tun0 inet from 169.254.0.0/16 to any
> @11 block in log quick on tun0 inet from 0.0.0.0/8 to any
> @12 block in log quick on tun0 inet from 10.0.0.0/8 to any
> @13 block in log quick on tun0 inet from 172.16.0.0/12 to any
> @14 block in log quick on tun0 inet from 127.0.0.0/8 to any
> @15 block in log quick on tun0 inet from 192.168.0.0/16 to any
> @16 block out log quick on tun0 inet from any to 255.255.255.255
> @17 block out log quick on tun0 inet from any to 224.0.0.0/3
> @18 block out log quick on tun0 inet from any to 204.152.64.0/23
> @19 block out log quick on tun0 inet from any to 192.0.2.0/24
> @20 block out log quick on tun0 inet from any to 169.254.0.0/16
> @21 block out log quick on tun0 inet from any to 0.0.0.0/8
> @22 block out log quick on tun0 inet from any to 10.0.0.0/8
> @23 block out log quick on tun0 inet from any to 172.16.0.0/12
> @24 block out log quick on tun0 inet from any to 127.0.0.0/8
> @25 block out log quick on tun0 inet from any to 192.168.0.0/16
> @26 pass in quick on tun0 inet proto icmp all icmp-type unreach
> @27 pass in quick on tun0 inet proto icmp all icmp-type timex
> @28 pass in quick on tun0 inet proto icmp all icmp-type echoreq
> @29 pass in quick on tun0 inet proto icmp all icmp-type echorep
> @30 block in log quick on tun0 inet proto icmp all
> @31 pass in quick on tun0 inet proto tcp from any to any port = www flags S/SA keep state
> @32 pass in quick on tun0 inet proto tcp from any to any port = ssh flags S/SA keep state
> @33 pass out quick on tun0 inet proto tcp all flags S/SA keep state
> @34 pass out quick on tun0 inet proto udp all keep state
> @35 pass out quick on tun0 inet proto icmp all keep state
> @36 block return-rst in log quick on tun0 inet proto tcp all
> @37 block return-icmp in log quick on tun0 inet proto udp all
> @38 block in log quick on tun0 all
> nat on tun0 inet from 192.168.1.0/24 to any -> 216.75.167.186
> rdr on tun0 inet proto tcp from any to any port 6346 -> 192.168.1.10
> Status: Enabled for 0 days 00:05:16 Debug: None
>
> State Table Total Rate
> current entries 0
> searches 159 0.5/s
> inserts 1 0.0/s
> removals 13 0.0/s
> Counters
> match 158 0.5/s
> bad-offset 0 0.0/s
> fragment 0 0.0/s
> short 0 0.0/s
> normalize 0 0.0/s
> memory 0 0.0/s
> tcp.first 120s
> tcp.opening 30s
> tcp.established 86400s
> tcp.closing 900s
> tcp.finwait 45s
> tcp.closed 90s
> udp.first 60s
> udp.single 30s
> udp.multiple 60s
> icmp.first 20s
> icmp.error 10s
> other.first 60s
> other.single 30s
> other.multiple 60s
> frag 30s
> interval 10s
> states unlimited
> frags hard limit 5000
> #
>
> /etc/exports from OpenBSD server:
> # $OpenBSD: exports,v 1.2 2002/05/31 08:15:44 pjanzen Exp $
> #
> # NFS exports Database
> # See exports(5) for more information. Be very careful: misconfiguration
> # of this file can result in your filesystems being readable by the world.
> /var/www/htdocs -mapall=www:www -network=192.168.1 -mask=255.255.255.0
>
> fstab entry from Linux client (also tried w/o rsize and wsize options):
> pebcak:/var/www/htdocs /www nfs defaults,noauto,user,noatime,rsize=32768,wsize=32768 0 0
> --
> Shawn D'Alimonte shawnd@mycybernet.net
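Marco's reply points at rule 0, which is the only rule in the listing without an interface and so normalizes le0 traffic as well; with rsize/wsize=32768 over UDP every NFS read or write is a fragmented datagram, so `fragment reassemble` sits in the path before rule @4 is ever consulted (scrub rules are evaluated before the filter rules, so `quick` on @4 does not skip them). The pf.conf fragment below is an added example, not from either poster: it shows the posted scrub line beside a version that limits scrub to tun0 (the `$ext_if`/`$int_if` macro names are my own), leaving the LAN side untouched.

```conf
# As posted: no interface given, so scrub applies to lo0, le0 and tun0
# alike, and the fragmented NFS datagrams from the 192.168.1.0/24 client
# are reassembled by pf before the filter rules run.
#
#   scrub in all fragment reassemble

# Alternative: normalize only what arrives over the PPPoE link.
# Assumed macro names; interfaces are those given in the post.
ext_if = "tun0"
int_if = "le0"

scrub in on $ext_if all fragment reassemble

# Unchanged from the posted ruleset: LAN and loopback pass without
# state or normalization, so the NFS traffic on le0 is now handed
# straight to rule @4 as the poster expected.
pass out quick on lo0 all
pass in  quick on lo0 all
pass out quick on $int_if all
pass in  quick on $int_if all

# ... the remaining tun0 block/pass rules, nat and rdr lines from the
# post follow here unchanged ...
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and compare the `fragment` and `normalize` counters in `pfctl -s info` while reproducing the hang: if they stay at zero during an NFS write, the scrub path is no longer touching the mount's traffic.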