The FreeBSD Diary
nfs and ipf with IPFILTER_DEFAULT_BLOCK 24 November 2000
I had a power failure this afternoon.  My UPS worked, but the failure was just too long for my poor old 800 KVA UPS.  All the boxes went down.  A pity as one box was just a few hours from 280 days of uptime.  My previous record was 179 days, and that failed because of power as well.

That wasn't really a problem.  The boxes came back up but not everything was fine. Specifically, my NFS volumes didn't mount properly.  Which meant some of my web sites weren't up and running.  The problem was a combination of ipf rules which prevent access and my ipf configuration being deny-by-default.  The offshoot was that when the system tried to start up as an nfs server, not everything was happy.  I spent the better part of four hours trying to figure out what was going on.  I got some help from Odinn in this.   He went through everything with me and it was finally sussed out.

We discovered that rpc.statd was not running.  This program is necessary for NFS.  See the man page for more detail.  So we tried to start it:

[root@ducky:~] # /usr/sbin/rpc.statd
Cannot register service: RPC: Unable to send; errno = No route to host
rpc.statd: unable to register (SM_PROG, SM_VERS, udp)

We first suspected my routing was screwed up.  But it wasn't.  It was my rules.  They weren't running.  That meant I was deny by default.  Hence, "No route to host".  Once I invoked the rules, rpc.statd was up and running.  This was our first hint that there was a conflict somewhere.

Deny by default
I'm using ipfilter (the binary is ipf).   It's my preferred packet filter.  It's robust.  It's feature rich.   And it's rock solid.  The author, Darren Reed, supports it well.  And the ipfilter community is a good team to work with.

There is a kernel feature, IPFILTER_DEFAULT_BLOCK, which makes ipf deny everything by default.  From a security point of view, this is a better default than to accept everything.  Unfortunately, it can cause a few problems with the FreeBSD startup.  I encountered this problem with NFS.  Luckily, there is a workaround.  I have a nifty little script.

NFS startup
My existing setup breaks the FreeBSD NFS startup.  So I took what FreeBSD does and took it for my own.  The normal /etc/rc.conf options I used for enabling NFS are these:
nfs_server_enable="YES"       # This host is an NFS server (or NO)
nfs_server_flags="-u -t -n 4" # Flags to nfsd (if enabled).
nfs_client_enable="YES" # This host is an NFS client (or NO). 
nfs_client_flags="-n 4" # Flags to nfsiod (if enabled).

These options are used by the script /etc/rc.network.  In that file, you'll find a section which starts like this:

network_pass3() {
        echo -n 'Starting final network daemons:'

        case ${nfs_server_enable} in
        [Yy][Ee][Ss])
                if [ -r /etc/exports ]; then
                        echo -n ' mountd'

                        case ${weak_mountd_authentication} in
                        [Yy][Ee][Ss])
                                mountd_flags="-n"
                                ;;
                        esac

This is the section which I took for my own.  Basically, I cobbled together the bits and pieces I needed.  My script is:

#!/bin/sh
#
# start the nfs server
#
echo -n ' mountd'    ; mountd -r
echo -n ' nfsd'      ; nfsd -u -t -n 4
echo -n ' sysctl'    ; sysctl -w vfs.nfs.bufpackets=DEFAULT \
                                                > /dev/null
echo -n ' rpc.statd' ; rpc.statd

#
# then mount our NFS client volumes
#
mount -v fred:/nzmirror/ports/distfiles /usr/ports/distfiles

The steps I go through in the above script more or less duplicate what /etc/rc.network does when it sees the NFS options I described at the start of this section.

This script is placed in /usr/local/etc/rc.d/nfs.sh.  Make sure it is chmod 750.
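A guard for that script, as an added example that is not part of the original article: it parses the output of ipfstat -io and refuses to start the NFS daemons while ipf is still in its deny-by-default state, i.e. no rules loaded at all, or no pass rule on lo0 for the RPC registration with portmap that failed above with "No route to host".  The function names, the constructed sample rule sets and the assumption that portmap is reached over loopback are mine.

```shell
#!/bin/sh
# Added example, not from the article: refuse to start NFS daemons until
# ipf has left its IPFILTER_DEFAULT_BLOCK state.  Assumes ipfstat(8) output
# in the usual "empty list for ipfilter(in)" / rule-per-line format.

# ipf_rules_loaded OUTPUT
# Returns 0 when at least one rule is present in the text of `ipfstat -io`,
# 1 when both the in and out lists are empty (pure deny-by-default).
ipf_rules_loaded() {
    printf '%s\n' "$1" | grep -q -v -e '^empty list for ipfilter' -e '^$'
}

# loopback_passes OUTPUT
# Returns 0 when the rule set passes traffic on lo0 in both directions.
# Assumption: rpc.statd registers with portmap over 127.0.0.1, so without
# these rules the registration is blocked and fails with "No route to host".
loopback_passes() {
    printf '%s\n' "$1" | grep -q '^pass in .*on lo0' &&
    printf '%s\n' "$1" | grep -q '^pass out .*on lo0'
}

# Constructed sample outputs so the checks can be exercised on any host.
EMPTY_RULES='empty list for ipfilter(in)
empty list for ipfilter(out)'
LOADED_RULES='pass in quick on lo0 all
pass out quick on lo0 all
block in all
block out all'

# On the FreeBSD box itself: read the live rule set, then run the same
# daemons as the article's script only once the checks pass.
start_nfs_guarded() {
    rules=$(ipfstat -io 2>/dev/null)
    if ! ipf_rules_loaded "$rules" || ! loopback_passes "$rules"; then
        echo 'ipf rules not loaded yet; refusing to start NFS' >&2
        return 1
    fi
    mountd -r && nfsd -u -t -n 4 && rpc.statd
}
```

Run start_nfs_guarded from the rc.d script in place of the bare daemon lines; a non-zero return means the firewall rules have not been loaded yet.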

Using this script
In order to use this script, make sure that you do not include the nfs server options in /etc/rc.conf.  Remove them.  You can leave the client options in, just don't mount any of them in /etc/fstab.  I commented mine out and mounted them in my script.  I'm sure there are better ways to do this.  Please include your comments and feedback here.
