ZLOnix
Junior Member

Good day. The problem: which ipfw rules have to be added so that NFS (client side) works without interruption. By "trial and error" I arrived at the following:

Quote:
eternity:/usr/local/etc/$ cat firewall.conf
#!/bin/sh
ipfw zero
ipfw resetlog
ipfw -q -f flush
fwcmd="/sbin/ipfw -q add"
${fwcmd} allow ip from any to any via lo0                 # Allow anything via loopback interface
${fwcmd} count ip from any to me via fxp0                 # Count incoming traffic from Onet
${fwcmd} count ip from me to any via fxp0                 # Count outgoing traffic to Onet
${fwcmd} count ip from any to me via tun0                 # Count incoming internet traffic
${fwcmd} count ip from me to any via tun0                 # Count outgoing internet traffic
${fwcmd} deny log ip from 192.168.0.0/16 to me            # RFC 1918 private IP
${fwcmd} deny log ip from 10.0.0.0/8 to me via tun0       # RFC 1918 private IP (only via tun device)
${fwcmd} deny log ip from 172.16.0.0/12 to me via tun0    # RFC 1918 private IP (only via tun device)
${fwcmd} deny log ip from 127.0.0.0/8 to me               # loopback
${fwcmd} deny log ip from 0.0.0.0/8 to me                 # "this" network (RFC 1122), never valid as a source from outside
${fwcmd} deny log ip from 169.254.0.0/16 to me            # DHCP auto-config (link-local)
${fwcmd} deny log ip from 192.0.2.0/24 to me              # Reserved for docs
${fwcmd} deny log ip from 204.152.64.0/23 to me           # Sun cluster interconnect
${fwcmd} deny log ip from 224.0.0.0/3 to me               # Class D (multicast) & E (reserved)
${fwcmd} check-state                                      # Check dynamic rules
${fwcmd} unreach host log icmp from any to me icmptypes 8,13,15,17  # echo, timestamp, information, address mask requests
${fwcmd} allow icmp from any to any                       # Allow any other ICMP
${fwcmd} allow udp from me to any dst-port 111 keep-state # portmapper (rpcbind) queries
${fwcmd} allow udp from any to me src-port 111 keep-state # portmapper replies
${fwcmd} allow udp from me to any dst-port 1022 keep-state # NFS related things (mountd port on this server)
${fwcmd} allow udp from any to me src-port 1022 keep-state #
${fwcmd} allow ip from 10.0.0.132 to me frag              # non-first fragments from the NFS server
${fwcmd} allow ip from me to any dst-port 2049 keep-state # nfsd
${fwcmd} allow udp from me to 10.0.0.131 dst-port 123 keep-state  # Network time protocol
${fwcmd} allow udp from me to 10.0.0.130 dst-port 53 keep-state   # Outgoing dns queries
${fwcmd} allow 47 from 10.0.0.130 to me keep-state        # Allow incoming IP protocol 47 (GRE, carries the PPTP tunnel)
${fwcmd} allow 47 from me to 10.0.0.130 keep-state        # Allow outgoing IP protocol 47 (GRE)
${fwcmd} allow tcp from me to 10.0.0.130 dst-port 1723 keep-state # VPN (PPTP control connection)
${fwcmd} allow tcp from me to any dst-port 22,80,113,443,2401,5999,6667 keep-state  # SSH, HTTP, ident, HTTPS, CVS pserver, CVSup, IRC
${fwcmd} allow tcp from me to 213.85.10.5 dst-port 25,110 via tun0 keep-state  # SMTP & POP3
${fwcmd} allow tcp from me to 10.0.0.131 dst-port 5222 keep-state # Jabber
${fwcmd} allow tcp from me to any dst-port 21 keep-state  # Outgoing ftp control connections
${fwcmd} allow tcp from any to me src-port 20 keep-state  # Incoming ftp data (active mode)

As you can see, in one of the rules I allow fragmented packets through from the NFS server to me, but what happens if I want to mount a share from another machine? I would have to modify the firewall rules again. On the other hand, I could add "allow ip from any to any frag", but then my machine could be exposed to scanning by some nmap-like scanner with the packet-fragmentation option used to get past the router. Perhaps there are other ways to allow mounting NFS shares? Thanks.
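One way to avoid editing the ruleset for every new NFS server, as an added example that is not part of the original post and not ZLOnix's code: keep the server addresses in an ipfw lookup table and scope both the NFS rules and the fragment rule to that table, so a new server is one `ipfw table N add` instead of a rule change, and `frag` is never opened to `any`. It assumes an ipfw with table support (FreeBSD 5.3 and later), that table number 1 is unused, that a `check-state` rule already precedes these rules (as in the poster's firewall.conf), and that mountd on the server is pinned to a fixed port with `mountd -p`; the server addresses and the mountd port 1022 below are constructed sample values, not the poster's data. The script only prints the ipfw commands; nothing is applied until the output is piped into sh.

```shell
#!/bin/sh
# Added example (not from the original post): NFS client rules scoped to an
# ipfw lookup table of known NFS servers, plus an audit for "frag from any".
# Assumptions: ipfw2 with tables (FreeBSD 5.3+), table 1 unused, a check-state
# rule earlier in the ruleset, mountd pinned with "mountd -p <port>" on the
# server. Addresses and the mountd port are constructed sample data.

NFS_TABLE=1
MOUNTD_PORT=1022                     # constructed sample; pin on the server with mountd -p
NFS_SERVERS="10.0.0.132 10.0.0.140"  # constructed sample: two NFS servers

# nfs_rules TABLE MOUNTD_PORT SERVER...  Print (do not execute) the ipfw commands.
nfs_rules() {
    table=$1
    mountd=$2
    shift 2
    printf 'ipfw -q table %s flush\n' "$table"
    for srv in "$@"; do
        printf 'ipfw -q table %s add %s\n' "$table" "$srv"
    done
    # portmapper (111), mountd and nfsd (2049) on fixed ports. The dynamic rule
    # created by keep-state matches the replies, so no "src-port" rules are needed.
    for proto in udp tcp; do
        printf 'ipfw -q add allow %s from me to table(%s) dst-port 111,%s,2049 keep-state\n' \
            "$proto" "$table" "$mountd"
    done
    # Non-first fragments carry no UDP/TCP header, so the stateful rules above
    # cannot match them. Admit them only from the known servers, never from any.
    printf 'ipfw -q add allow ip from table(%s) to me frag\n' "$table"
}

# audit_frag_rules < ruleset  Return 1 if any "frag" rule accepts from "any".
# "|| true" keeps the assignment from aborting a "set -e" script when grep
# finds no fragment rule at all.
audit_frag_rules() {
    bad=$(grep -E '[[:space:]]frag([[:space:]]|$)' | grep -E -c 'from any ' || true)
    [ "$bad" -eq 0 ]
}

# Stand-alone usage: show the generated rules, then audit them.
nfs_rules "$NFS_TABLE" "$MOUNTD_PORT" $NFS_SERVERS
if nfs_rules "$NFS_TABLE" "$MOUNTD_PORT" $NFS_SERVERS | audit_frag_rules; then
    echo "# ok: fragment rules are scoped to table $NFS_TABLE"
fi
```

To apply the rules for real, run `nfs_rules 1 1022 10.0.0.132 | sh` after the `check-state` rule has been installed; adding a server later is just `ipfw table 1 add 10.0.0.150`. The audit function can also be run over an existing ruleset (`ipfw list | audit_frag_rules`) to catch an `allow ip from any to any frag` that has crept in.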