
NFS rules no-df syntax



Hey all,
I have a question about some NFS rules I am formulating (this is all in a testbed). I currently have one machine behind the firewall, and several machines on 3 other subnets external to the firewall. All are connected via NFS. They are all communicating fine. My question is related to syntax/BNF.
My rules pertaining to NFS are as follows.
# $ext is assumed to be defined earlier in pf.conf as the external interface macro.
NFSPORTS = "{ 111, >1022 }"
#--------------------------------------------------------------------------------------------------------
# Tables are declared before the rules that reference them (pf.conf(5) order: macros, tables, options, normalization, filtering).
table <nfs1> const file "/etc/tables/nfs1"
table <nfs2> const file "/etc/tables/nfs2"
table <nfs3> const file "/etc/tables/nfs3"
table <testnfs> const { xxx.xxx.xxx.xxx }
#--------------------------------------------------------------------------------------------------------
# Normalization: clear the DF bit on NFS traffic in both directions.
scrub in on $ext from { <nfs1> <nfs2> <nfs3> } to <testnfs> no-df
scrub out on $ext from <testnfs> to { <nfs1> <nfs2> <nfs3> } no-df
#--------------------------------------------------------------------------------------------------------
# Filtering: allow NFS (portmapper plus the >1022 privileged range) both ways, stateful and logged.
pass in log on $ext proto { tcp, udp } from { <nfs1> <nfs2> <nfs3> } to <testnfs> port $NFSPORTS keep state
pass out log on $ext proto { tcp, udp } from <testnfs> to { <nfs1> <nfs2> <nfs3> } port $NFSPORTS keep state
Questions:
1) Can I combine the scrub no-df rule into the pass rules? If so, how?
2) Does PF read faster from an external file or a table list (a la table <testnfs>) within pf.conf?
I know I can optimize it by combining all of the <nfsX> tables down to one; they are only there now for the testing phase and for organization. Other than that, does anyone have any ideas on how to optimize this set of rules?
Thanks for any help offered.
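As an added example (not the poster's configuration), here is the same rule set with the three <nfsX> tables folded into one table filled from the three existing files, and the external interface macro made explicit; it assumes `em0` as the external interface and uses the placeholder address 192.0.2.10 for <testnfs>. The inline `scrub (no-df)` form shown is accepted by PF on OpenBSD 4.6 and later, where filter rules take scrub options directly; older releases need the separate `scrub ... no-df` rules from the post instead.

```pf
# Added example, not the original poster's configuration. Assumptions: the
# external interface is em0 and 192.0.2.10 is a placeholder for the real
# <testnfs> host.
ext       = "em0"
nfs_ports = "{ 111, >1022 }"

# One table replaces <nfs1>, <nfs2> and <nfs3>. A table may be filled from
# several files, so the per-subnet files can stay separate on disk.
# File-backed and inline tables are identical at run time: both are loaded
# into the same kernel table when pfctl loads the rule set, so lookups in
# the packet path cost the same either way.
table <nfs_clients> const file "/etc/tables/nfs1" \
                          file "/etc/tables/nfs2" \
                          file "/etc/tables/nfs3"
table <testnfs> const { 192.0.2.10 }

# OpenBSD 4.6 and later: the no-df normalization is attached to the filter
# rule as a scrub option, so no separate scrub rule is required. Older PF
# releases do not accept this syntax and need standalone scrub rules.
pass in  log on $ext proto { tcp, udp } from <nfs_clients> to <testnfs> \
        port $nfs_ports keep state scrub (no-df)
pass out log on $ext proto { tcp, udp } from <testnfs> to <nfs_clients> \
        port $nfs_ports keep state scrub (no-df)
```

Check the syntax against the running release with `pfctl -nf /etc/pf.conf` before loading it, and inspect what actually ended up in the consolidated table with `pfctl -t nfs_clients -T show`.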