GUG | Hello,
I have a small problem with NFS and a firewall.
The architecture is as follows: NFS server -------------------openbsd -----------------client 1
                                                                  \------------------------client 2
The clients manage to mount the NFS share and access it for 10 seconds. After those 10 seconds the client machines report that they can no longer reach the NFS server ... I don't understand it at all.
On the NFS server I forced specific ports for rpc.nfsd, rpc.statd and rpc.mountd.
On the firewall with "pass all" it works perfectly (thanks conti), but it looks like NFS uses other ports ... weird, anyway.
Code:
serveur:/home/gug# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    923  mountd
    100005    2   udp    923  mountd
    100005    1   tcp    923  mountd
    100005    2   tcp    923  mountd
    100024    1   udp   1024  status
    100024    1   tcp   1024  status
serveur:/home/gug#
The pf firewall:
Code:
#interfaces
loop= "lo0"
net_if= "de0"
lan_if= "vr0"
dmz_if= "vr1"
#network
lan= "192.168.1.0/24"
dmz= "192.168.0.0/24"
#hosts
proxy= "192.168.0.6"
ldap= "192.168.0.5"
#default behaviour
set block-policy drop
#packet normalisation
#scrub in all
#port definitions
tcp_dmz_net = "{ 80, 443 }"
#udp_dmz_net = "{ 53 }"
tcp_lan_dmz_proxy = "{ 3128, 22, 5432, 923, 2049, 111, 1024 }"
tcp_lan_dmz_ldap = "{ 389, 22 }"
udp_lan_dmz = "{ 53, 111, 2049, 923, 1024 }"
#non-routable addresses
#NO_route= "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
NO_route= "{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }"
#-------------NAT aka TRANSLATION --------------------#
#from the proxy to the internet
nat on $net_if from $proxy to any -> $net_if
#from the clients to the servers/dmz
#nat on $dmz_if from $lan to $dmz -> $dmz_if
#-------------FILTERING RULES-----------------#
#pass all
block all
#Antispoof
antispoof for $loop inet
antispoof for $net_if inet
#Allow everything on the loopback
pass in quick on $loop all
pass out quick on $loop all
#Block nmap scans and tcp/ip stack fingerprinting attempts
block in log quick on $net_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $net_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $net_if inet proto tcp from any to any flags/SFRA
#Block non-routable addresses
block in log quick on $net_if from $NO_route to any
block out log quick on $net_if from any to $NO_route
#--------------LOCAL --------------------------#
#Allow ssh connections on lan_if and dmz_if
pass in log quick on $lan_if inet proto tcp from $lan to $lan_if port 22 modulate state
pass in log quick on $dmz_if inet proto tcp from $dmz to $dmz_if port 22 modulate state
#----------- PROXY to the outside ----------------#
#TCP tcp_dmz_net
pass in quick on $dmz_if inet proto tcp from $proxy to any port $tcp_dmz_net modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port $tcp_dmz_net modulate state
#UDP udp_dmz_net DNS
pass in quick on $dmz_if inet proto udp from $proxy to any port 53 keep state
pass out quick on $net_if inet proto udp from $net_if to any port 53 keep state
#FTP
pass in quick on $dmz_if inet proto tcp from $proxy to any port 21 modulate state
pass in quick on $dmz_if inet proto tcp from $proxy to any port >1024 modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port 21 modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port >1024 modulate state
#ICMP
pass in quick on $dmz_if inet proto icmp from $proxy to any icmp-type 8 code 0 keep state
pass out quick on $net_if inet proto icmp from $net_if to any icmp-type 8 code 0 keep state
pass in quick on $dmz_if inet proto icmp from $proxy to any icmp-type 11 keep state
pass out quick on $net_if inet proto icmp from $net_if to any icmp-type 11 keep state
#------------ LAN TO DMZ ---------------------#
#TCP tcp_lan_dmz_proxy
pass in quick on $lan_if inet proto tcp from $lan to $proxy port $tcp_lan_dmz_proxy modulate state
pass out quick on $dmz_if inet proto tcp from $lan to $proxy port $tcp_lan_dmz_proxy modulate state
#TCP LDAP
pass in quick on $lan_if inet proto tcp from $lan to $ldap port $tcp_lan_dmz_ldap modulate state
pass out quick on $dmz_if inet proto tcp from $lan to $ldap port $tcp_lan_dmz_ldap modulate state
#ICMP
pass in quick on $lan_if inet proto icmp from $lan to $dmz icmp-type 8 code 0 keep state
pass out quick on $dmz_if inet proto icmp from $lan to $dmz icmp-type 8 code 0 keep state
pass in quick on $lan_if inet proto icmp from $lan to $dmz icmp-type 11 keep state
pass out quick on $dmz_if inet proto icmp from $lan to $dmz icmp-type 11 keep state
#UDP DNS
pass in quick on $lan_if inet proto udp from $lan to $proxy port $udp_lan_dmz keep state
pass out quick on $dmz_if inet proto udp from $lan to $proxy port $udp_lan_dmz keep state
# ------------ DMZ to LAN ------------------#
#ICMP
pass in quick on $dmz_if inet proto icmp from $dmz to $lan icmp-type 8 code 0 keep state
pass out quick on $lan_if inet proto icmp from $lan_if to $lan icmp-type 8 code 0 keep state
pass in quick on $dmz_if inet proto icmp from $dmz to $lan icmp-type 11 keep state
pass out quick on $lan_if inet proto icmp from $lan_if to $lan icmp-type 11 keep state
#SSH
pass in quick on $dmz_if inet proto tcp from $dmz to $lan port 22 modulate state
pass out quick on $lan_if inet proto tcp from $lan_if to $lan port 22 modulate state
#----------------- DHCRELAY ------------------#
pass in quick on $lan_if inet proto udp from 0.0.0.0 port 68 to 255.255.255.255 port 67 keep state
#pass out quick on $lan_if inet proto udp from $lan_if port 67 to any port 68
#pass in quick on $dmz_if inet proto udp from 192.168.0.6 to $dmz_if port 67
pass out quick on $dmz_if inet proto udp from $dmz_if port 67 to 192.168.0.6 port 67 keep state
#from the servers to the lan
#nat on $lan_if from $dmz to $lan -> $lan_if
#-------------FILTERING RULES-----------------#
#pass all
block all
#Antispoof
antispoof for $loop inet
antispoof for $net_if inet
#Allow everything on the loopback
pass in quick on $loop all
pass out quick on $loop all
#Block nmap scans and tcp/ip stack fingerprinting attempts
block in log quick on $net_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $net_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $net_if inet proto tcp from any to any flags/SFRA
#Block non-routable addresses
block in log quick on $net_if from $NO_route to any
block out log quick on $net_if from any to $NO_route
#--------------LOCAL --------------------------#
#Allow ssh connections on lan_if and dmz_if
pass in log quick on $lan_if inet proto tcp from $lan to $lan_if port 22 modulate state
pass in log quick on $dmz_if inet proto tcp from $dmz to $dmz_if port 22 modulate state
#----------- PROXY to the outside ----------------#
#TCP tcp_dmz_net
pass in quick on $dmz_if inet proto tcp from $proxy to any port $tcp_dmz_net modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port $tcp_dmz_net modulate state
#UDP udp_dmz_net DNS
pass in quick on $dmz_if inet proto udp from $proxy to any port 53 keep state
pass out quick on $net_if inet proto udp from $net_if to any port 53 keep state
#FTP
pass in quick on $dmz_if inet proto tcp from $proxy to any port 21 modulate state
pass in quick on $dmz_if inet proto tcp from $proxy to any port >1024 modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port 21 modulate state
pass out quick on $net_if inet proto tcp from $net_if to any port >1024 modulate state
#ICMP
pass in quick on $dmz_if inet proto icmp from $proxy to any icmp-type 8 code 0 keep state
pass out quick on $net_if inet proto icmp from $net_if to any icmp-type 8 code 0 keep state
pass in quick on $dmz_if inet proto icmp from $proxy to any icmp-type 11 keep state
pass out quick on $net_if inet proto icmp from $net_if to any icmp-type 11 keep state
#------------ LAN TO DMZ ---------------------#
#TCP tcp_lan_dmz_proxy
pass in quick on $lan_if inet proto tcp from $lan to $proxy port $tcp_lan_dmz_proxy modulate state
pass out quick on $dmz_if inet proto tcp from $lan to $proxy port $tcp_lan_dmz_proxy modulate state
#TCP LDAP
pass in quick on $lan_if inet proto tcp from $lan to $ldap port $tcp_lan_dmz_ldap modulate state
pass out quick on $dmz_if inet proto tcp from $lan to $ldap port $tcp_lan_dmz_ldap modulate state
#ICMP
pass in quick on $lan_if inet proto icmp from $lan to $dmz icmp-type 8 code 0 keep state
pass out quick on $dmz_if inet proto icmp from $lan to $dmz icmp-type 8 code 0 keep state
pass in quick on $lan_if inet proto icmp from $lan to $dmz icmp-type 11 keep state
pass out quick on $dmz_if inet proto icmp from $lan to $dmz icmp-type 11 keep state
#UDP DNS
pass in quick on $lan_if inet proto udp from $lan to $proxy port $udp_lan_dmz keep state
pass out quick on $dmz_if inet proto udp from $lan to $proxy port $udp_lan_dmz keep state
# ------------ DMZ to LAN ------------------#
#ICMP
pass in quick on $dmz_if inet proto icmp from $dmz to $lan icmp-type 8 code 0 keep state
pass out quick on $lan_if inet proto icmp from $lan_if to $lan icmp-type 8 code 0 keep state
pass in quick on $dmz_if inet proto icmp from $dmz to $lan icmp-type 11 keep state
pass out quick on $lan_if inet proto icmp from $lan_if to $lan icmp-type 11 keep state
#SSH
pass in quick on $dmz_if inet proto tcp from $dmz to $lan port 22 modulate state
pass out quick on $lan_if inet proto tcp from $dmz to $lan port 22 modulate state
#----------------- DHCRELAY ------------------#
pass in quick on $lan_if inet proto udp from 0.0.0.0 port 68 to 255.255.255.255 port 67 keep state
#pass out quick on $lan_if inet proto udp from $lan_if port 67 to any port 68
#pass in quick on $dmz_if inet proto udp from 192.168.0.6 to $dmz_if port 67
pass out quick on $dmz_if inet proto udp from $dmz_if port 67 to 192.168.0.6 port 67 keep state
Thanks in advance
(I'm really stuck here) Message edited by GUG on 14-06-2004 at 14:21:27
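A defender-side check for this kind of "works for a few seconds, then dies" NFS-through-pf problem, added here as an example (not the poster's code): it parses the `rpcinfo -p` output and the two pf port macros quoted in the post and reports every RPC registration the macros would not pass, plus any NFS-related RPC program (the list of programs is this example's assumption) that has no registration at all and therefore no pinned port the firewall could be told about.

```python
# Added example (not the poster's code): cross-check rpcinfo -p registrations
# against the pf port macros to find RPC services the firewall would not pass.
import re
# Constructed sample input, abridged from the post's rpcinfo -p output.
RPCINFO = """\
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    2   udp    923  mountd
    100005    2   tcp    923  mountd
    100024    1   udp   1024  status
    100024    1   tcp   1024  status
"""
# The two pf macros from the post that carry the LAN -> NFS server ports.
PF_MACROS = """\
tcp_lan_dmz_proxy = "{ 3128, 22, 5432, 923, 2049, 111, 1024 }"
udp_lan_dmz = "{ 53, 111, 2049, 923, 1024 }"
"""
# RPC programs an NFSv2/v3 client talks to for mount, I/O and locking (assumed list).
NFS_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                100021: "nlockmgr", 100024: "status"}

def parse_rpcinfo(text):
    """Return (program, proto, port, name) tuples from rpcinfo -p output."""
    regs = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+\d+\s+(tcp|udp)\s+(\d+)\s+(\S+)", line)
        if m:
            regs.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return regs

def parse_pf_ports(text, macro):
    """Return the set of ports in a pf macro of the form  name = "{ a, b }"."""
    m = re.search(re.escape(macro) + r'\s*=\s*"\{([^}]*)\}"', text)
    return {int(p) for p in m.group(1).split(",")} if m else set()

def check_nfs_firewall(rpcinfo_text, pf_text, tcp_macro, udp_macro):
    """Return (programs with no registration, registrations pf would block)."""
    allowed = {"tcp": parse_pf_ports(pf_text, tcp_macro),
               "udp": parse_pf_ports(pf_text, udp_macro)}
    regs = parse_rpcinfo(rpcinfo_text)
    # Unregistered programs get a dynamic port at runtime that pf knows nothing about.
    missing = sorted(n for p, n in NFS_PROGRAMS.items() if p not in {r[0] for r in regs})
    blocked = [(n, proto, port) for _, proto, port, n in regs if port not in allowed[proto]]
    return missing, blocked

if __name__ == "__main__":
    print(check_nfs_firewall(RPCINFO, PF_MACROS, "tcp_lan_dmz_proxy", "udp_lan_dmz"))
```

On the post's data every registered port is already in the macros, so the script's only finding is the program with no registration; that is the place to look next rather than the listed ports.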