[resolu] nfs à travers un firewall (pf -openbsd)

Marsh Posté le 09-06-2004 à 12:56:22

Bonjour,

J'ai un chtit probleme avec nfs et un firewall.
l'archi est la suivante

serveur NFS -------------------openbsd -----------------client 1
\------------------------client 2

Les clients arrivent bien à monter le nfs, a y accéder pendant 10secondes.
Au bout de ces 10secondes, la machine cliente indique qu'elles n'arrivent pas à acceder au serveur nfs ... je ne comprends pas du tout [:mlc]

Sur le serveur NFS j'ai forcé l'utilisation de port particulier pour rpc.nfsd, rpc.statsd et rpc.mountd.
Sur le firewall en "pass all" ca marche impec (merci conti) mais on dirait que nfs utilise d'autre port ... enfin zarb

Code :

serveur:/home/gug# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 udp 2049 nfs
100003 2 tcp 2049 nfs
100005 1 udp 923 mountd
100005 2 udp 923 mountd
100005 1 tcp 923 mountd
100005 2 tcp 923 mountd
100024 1 udp 1024 status
100024 1 tcp 1024 status
serveur:/home/gug#

le firewall pf :

Code :

#interfaces
loop= "lo0"
net_if= "de0"
lan_if= "vr0"
dmz_if= "vr1"
#network
lan= "192.168.1.0/24"
dmz= "192.168.0.0/24"
#machine
proxy= "192.168.0.6"
ldap= "192.168.0.5"
#comportement par defaut
set block-policy drop
#normalisation des paquets
#scrub in all
#definition des ports
tcp_dmz_net = "{ 80, 443 }"
#udp_dmz_net = "{ 53 }"
tcp_lan_dmz_proxy = "{ 3128, 22, 5432, 923, 2049, 111, 1024 }"
tcp_lan_dmz_ldap = "{ 389, 22 }"
udp_lan_dmz = "{ 53, 111, 2049, 923, 1024 }"
#adresse non routable
#NO_route= "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
NO_route= "{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }"
#-------------NAT aka TRANSLATION --------------------#
#du proxy vers internet
nat on $net_if from $proxy to any -> $net_if
#des clients vers les serveurs/dmz
#nat on $dmz_if from $lan to $dmz -> $dmz_if
#-------------REGLE DE FILTRAGE-----------------#
#pass all
block all
#Antispoof
antispoof for $loop inet
antispoof for $net_if inet
#Accepte pour le loop
pass in quick on $loop all
pass out quick on $loop all
#Bloque les scans nmap et les tentatives de prise d'empreinte de la pile tcp/ip
block in log quick on $net_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $net_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $net_if inet proto tcp from any to any flags/SFRA
#On bloque les adresses non routables
block in log quick on $net_if from $NO_route to any
block out log quick on $net_if from any to $NO_route
#--------------LOCAL --------------------------#
#Accepte les connections ssh sur lan_if et dmz_if
pass in log quick on $lan_if inet proto tcp from $lan to $lan_if port 22 modulate state
pass in log quick on $dmz_if inet proto tcp from $dmz to $dmz_if port 22 modulate state
#----------- PROXY vers exterieur ----------------#
#TCP tcp_dmz_net
pass in quick on $dmz_if inet proto tcp from $proxy to any port $tcp_dmz_net modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port $tcp_dmz_net modulate state
#UDP udp_dmz_net DNS
pass in quick on $dmz_if inet proto udp from $proxy to any port 53 keep state
pass out quick on $net_if inet proto udp from $net_if to any port 53 keep state
#FTP
pass in quick on $dmz_if inet proto tcp from $proxy to any port 21 modulate state
pass in quick on $dmz_if inet proto tcp from $proxy to any port >1024 modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port 21 modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port >1024 modulate state
#ICMP
pass in quick on $dmz_if inet proto icmp from $proxy to any icmp-type 8 code 0 keep state
pass out quick on $net_if inet proto icmp from $net_if to any icmp-type 8 code 0 keep state
pass in quick on $dmz_if inet proto icmp from $proxy to any icmp-type 11 keep state
pass out quick on $net_if inet proto icmp from $net_if to any icmp-type 11 keep state
#------------ LAN VERS DMZ ---------------------#
#TCP tcp_lan_dmz_proxy
pass in quick on $lan_if inet proto tcp from $lan to $proxy port $tcp_lan_dmz_proxy modulate state
pass out quick on $dmz_if inet proto tcp from $lan to $proxy port $tcp_lan_dmz_proxy modulate state
#TCP LDAP
pass in quick on $lan_if inet proto tcp from $lan to $ldap port $tcp_lan_dmz_ldap modulate state
pass out quick on $dmz_if inet proto tcp from $lan to $ldap port $tcp_lan_dmz_ldap modulate state
#ICMP
pass in quick on $lan_if inet proto icmp from $lan to $dmz icmp-type 8 code 0 keep state
pass out quick on $dmz_if inet proto icmp from $lan to $dmz icmp-type 8 code 0 keep state
pass in quick on $lan_if inet proto icmp from $lan to $dmz icmp-type 11 keep state
pass out quick on $dmz_if inet proto icmp from $lan to $dmz icmp-type 11 keep state
#UDP DNS
pass in quick on $lan_if inet proto udp from $lan to $proxy port $udp_lan_dmz keep state
pass out quick on $dmz_if inet proto udp from $lan to $proxy port $udp_lan_dmz keep state
# ------------ DMZ vers LAN ------------------#
#ICMP
pass in quick on $dmz_if inet proto icmp from $dmz to $lan icmp-type 8 code 0 keep state
pass out quick on $lan_if inet proto icmp from $lan_if to $lan icmp-type 8 code 0 keep state
pass in quick on $dmz_if inet proto icmp from $dmz to $lan icmp-type 11 keep state
pass out quick on $lan_if inet proto icmp from $lan_if to $lan icmp-type 11 keep state
#SSH
pass in quick on $dmz_if inet proto tcp from $dmz to $lan port 22 modulate state
pass out quick on $lan_if inet proto tcp from $lan_if to $lan port 22 modulate state
#----------------- DHCRELAY ------------------#
pass in quick on $lan_if inet proto udp from 0.0.0.0 port 68 to 255.255.255.255 port 67 keep state
#pass out quick on $lan_if inet proto udp from $lan_if port 67 to any port 68
#pass in quick on $dmz_if inet proto udp from 192.168.0.6 to $dmz_if port 67
pass out quick on $dmz_if inet proto udp from $dmz_if port 67 to 192.168.0.6 port 67 keep state
#des serveurs ver le lan
#nat on $lan_if from $dmz to $lan -> $lan_if
#-------------REGLE DE FILTRAGE-----------------#
#pass all
block all
#Antispoof
antispoof for $loop inet
antispoof for $net_if inet
#Accepte pour le loop
pass in quick on $loop all
pass out quick on $loop all
#Bloque les scans nmap et les tentatives de prise d'empreinte de la pile tcp/ip
block in log quick on $net_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $net_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $net_if inet proto tcp from any to any flags/SFRA
#On bloque les adresses non routables
block in log quick on $net_if from $NO_route to any
block out log quick on $net_if from any to $NO_route
#--------------LOCAL --------------------------#
#Accepte les connections ssh sur lan_if et dmz_if
pass in log quick on $lan_if inet proto tcp from $lan to $lan_if port 22 modulate state
pass in log quick on $dmz_if inet proto tcp from $dmz to $dmz_if port 22 modulate state
#----------- PROXY vers exterieur ----------------#
#TCP tcp_dmz_net
pass in quick on $dmz_if inet proto tcp from $proxy to any port $tcp_dmz_net modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port $tcp_dmz_net modulate state
#UDP udp_dmz_net DNS
pass in quick on $dmz_if inet proto udp from $proxy to any port 53 keep state
pass out quick on $net_if inet proto udp from $net_if to any port 53 keep state
#FTP
pass in quick on $dmz_if inet proto tcp from $proxy to any port 21 modulate state
pass in quick on $dmz_if inet proto tcp from $proxy to any port >1024 modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port 21 modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port >1024 modulate state
#ICMP
pass in quick on $dmz_if inet proto icmp from $proxy to any icmp-type 8 code 0 keep state
pass out quick on $net_if inet proto icmp from $net_if to any icmp-type 8 code 0 keep state
pass in quick on $dmz_if inet proto icmp from $proxy to any icmp-type 11 keep state
pass out quick on $net_if inet proto icmp from $net_if to any icmp-type 11 keep state
#------------ LAN VERS DMZ ---------------------#
#TCP tcp_lan_dmz_proxy
pass in quick on $lan_if inet proto tcp from $lan to $proxy port $tcp_lan_dmz_proxy modulate state
pass out quick on $dmz_if inet proto tcp from $lan to $proxy port $tcp_lan_dmz_proxy modulate state
#TCP LDAP
pass in quick on $lan_if inet proto tcp from $lan to $ldap port $tcp_lan_dmz_ldap modulate state
pass out quick on $dmz_if inet proto tcp from $lan to $ldap port $tcp_lan_dmz_ldap modulate state
#ICMP
pass in quick on $lan_if inet proto icmp from $lan to $dmz icmp-type 8 code 0 keep state
pass out quick on $dmz_if inet proto icmp from $lan to $dmz icmp-type 8 code 0 keep state
pass in quick on $lan_if inet proto icmp from $lan to $dmz icmp-type 11 keep state
pass out quick on $dmz_if inet proto icmp from $lan to $dmz icmp-type 11 keep state
#UDP DNS
pass in quick on $lan_if inet proto udp from $lan to $proxy port $udp_lan_dmz keep state
pass out quick on $dmz_if inet proto udp from $lan to $proxy port $udp_lan_dmz keep state
# ------------ DMZ vers LAN ------------------#
#ICMP
pass in quick on $dmz_if inet proto icmp from $dmz to $lan icmp-type 8 code 0 keep state
pass out quick on $lan_if inet proto icmp from $lan_if to $lan icmp-type 8 code 0 keep state
pass in quick on $dmz_if inet proto icmp from $dmz to $lan icmp-type 11 keep state
pass out quick on $lan_if inet proto icmp from $lan_if to $lan icmp-type 11 keep state
#SSH
pass in quick on $dmz_if inet proto tcp from $dmz to $lan port 22 modulate state
pass out quick on $lan_if inet proto tcp from $dmz to $lan port 22 modulate state
#----------------- DHCRELAY ------------------#
pass in quick on $lan_if inet proto udp from 0.0.0.0 port 68 to 255.255.255.255 port 67 keep state
#pass out quick on $lan_if inet proto udp from $lan_if port 67 to any port 68
#pass in quick on $dmz_if inet proto udp from 192.168.0.6 to $dmz_if port 67
pass out quick on $dmz_if inet proto udp from $dmz_if port 67 to 192.168.0.6 port 67 keep state

merci d'avance

(comment chuis en galere)

Message édité par GUG le 14-06-2004 à 14:21:27

Reply

Marsh Posté le 09-06-2004 à 12:56:22

Reply

Marsh Posté le 09-06-2004 à 14:37:58

Au demarrage du client firewall activé, ca monte bien ...

J'ai ca :
Jun 9 14:47:47 WKS02 kernel: nfs: server 192.168.0.6 not responding, still trying
Jun 9 14:48:04 WKS02 kernel: nfs: server 192.168.0.6 not responding, still trying

Lorsque je passe le firewall en pass all :
Jun 9 14:49:17 WKS02 kernel: nfs: server 192.168.0.6 OK

:'(
il ne me reste que ca

Message édité par GUG le 09-06-2004 à 14:39:55

Reply

Marsh Posté le 09-06-2004 à 18:39:28

Si en cette chaude soirée, une personne passe par la

Reply

Marsh Posté le 09-06-2004 à 18:42:18

t'as essaye un sniff histoire de voir quel port il essaye de contacter ???

Reply

Marsh Posté le 09-06-2004 à 18:48:19

oui mais j'ai rien vu de spécial ...

Message édité par GUG le 09-06-2004 à 18:48:25

Reply

Marsh Posté le 09-06-2004 à 18:49:14

tu l'as placé à quel niveau ?

Reply

Marsh Posté le 09-06-2004 à 18:52:04

au niveau du client
j'airais du le placer au niveau du firewall plustot :'(

Reply

Marsh Posté le 09-06-2004 à 18:56:27

ben un peu ouais

Reply

Marsh Posté le 09-06-2004 à 18:56:57

:lol:
je vais changer de metier moa :'(

Reply

Marsh Posté le 09-06-2004 à 18:57:45

BTS IG option ARL ?

Reply

Marsh Posté le 09-06-2004 à 18:57:45

Reply

Marsh Posté le 09-06-2004 à 18:58:34

oui et j'apprends rien en cours :'(

Reply

Marsh Posté le 09-06-2004 à 21:02:41

:heink:
C'est quoi ces "block all" et "pass all" dans ton fichier? Je vois pas l'intéret, même pour des tests, étant donné que ce n'est pas stateful.
Tes règles ont l'air ok. Apparement, mountd est bien bindé.
Pour savoir ce qui déconne, utilisation de tcpdump, simultannément (plusieurs consoles) à une visualisation via tcpdump des logs du firewall lorsque tu montes via NFS.
tcpdump -n -e -ttt -i pflog0

Reply

Marsh Posté le 09-06-2004 à 21:55:43

axey vient de me doner la reponse, je n'avais pas vu honte à moi :'(

no-df
Supprime le bit don't fragment de l'en-tête du paquet IP. Quelques systèmes d'exploitation sont connus pour générer des paquets fragmentés avec le bit don't fragment positionné. Ceci est particulièrement vrai dans le cas de NFS. scrub va bloquer tous les paquets qui sont dans ce cas sauf si l'option no-df est spécifiée. Vu que certains systèmes d'exploitation génèrent des paquets don't fragment avec un champ d'identification à zéeo au niveau de l'en-tête IP, il est recommandé d'utiliser no-df conjointement avec l'option random-id.

Reply

Marsh Posté le 09-06-2004 à 22:18:24

black_lord a écrit :

BTS IG option ARL ?

c'est clair je suis passé par là

sinon bravo axey

gourou openBSD [:prosterne]

Reply

Marsh Posté le 09-06-2004 à 22:20:02

he oui (pour le bts) et clair que axey maitrise bien le bordel

j'essairais ca lundi ...

(ps t as cliqué sur le bouton de citation un rang trop haut )

Message édité par GUG le 09-06-2004 à 22:20:51

Reply

Marsh Posté le 09-06-2004 à 22:23:20

GUG a écrit :

he oui (pour le bts) et clair que axey maitrise bien le bordel

j'essairais ca lundi ...

(ps t as cliqué sur le bouton de citation un rang trop haut )

oops [:cupra]

c'est quand tes épreuves pratiques ?