Re: NFS through firewall

From: David J. Vernon (redhat_at_ladadee.com)
Date: 11/18/05

    Date: Fri, 18 Nov 2005 10:46:36 -0500
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    


    James Pifer wrote:
    > On Fri, 2005-11-18 at 07:37 -0700, Craig White wrote:
    >
    >>On Fri, 2005-11-18 at 09:21 -0500, James Pifer wrote:
    >>
    >>>On Fri, 2005-11-18 at 09:36 +0000, Nigel Wade wrote:
    ...<snip>...
    >
    >
    >
    > TCP 111 is open. See TCP scan above.
    >
    > James
    >

    My remembrance of this is so filled with cobwebs that I may be giving
    bad info. That caveat in place, port 111 (portmap) is a doorman type
    service. Its job is to suggest another connection (src_port <-->
    dst_port) to the client. The src_port and dst_port are not easy to
    predict from a firewall perspective. That info is, however, in the
    packets of the portmap traffic so many firewalls have RPC support. I
    think (info circa 2003) that iptables had a patch-o-matic for RPC. I
    know Checkpoint supports Sun RPC. Check to see if the firewall is
    blocking the new connection proposed by the portmapper. You can find out
    what ports this connection was going to be on by doing a tcpdump on port
    111 and looking in the data of the packets. Again, sorry if I'm taking
    you down the rabbit hole here. It has been a while since I had to mess
    with this.

    Dave

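The lookup described in the message above, as an added example that is not part of the original post: a parser for portmap version 2 GETPORT calls and replies that pairs them by transaction id and reports the port the portmapper handed back, which is the port the firewall must also pass. Assumptions: the function names are hypothetical, the payloads are bare RPC messages as carried over UDP (over TCP, strip the 4-byte record mark first), and the sample bytes and port 32767 are constructed.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAP_GETPORT = 100000, 2, 3   # portmap v2 (RFC 1833)
PROTO = {6: "tcp", 17: "udp"}
KNOWN = {100003: "nfs", 100005: "mountd", 100021: "nlockmgr", 100024: "status"}

def _skip_auth(buf, off):
    """Step over one opaque_auth: flavor, length, body padded to 4 bytes."""
    _flavor, length = struct.unpack_from(">2I", buf, off)
    return off + 8 + ((length + 3) & ~3)

def parse_call(payload):
    """(xid, prog, vers, proto) for a PMAPPROC_GETPORT call, else None."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", payload, 0)
    if (mtype, rpcvers, prog, vers, proc) != (0, 2, PMAP_PROG, PMAP_VERS, PMAP_GETPORT):
        return None
    off = _skip_auth(payload, _skip_auth(payload, 24))   # credential, then verifier
    q_prog, q_vers, q_proto, _port = struct.unpack_from(">4I", payload, off)
    return xid, q_prog, q_vers, q_proto

def parse_reply(payload):
    """(xid, port) for an accepted, successful reply, else None."""
    xid, mtype, reply_stat = struct.unpack_from(">3I", payload, 0)
    if mtype != 1 or reply_stat != 0:        # not a reply, or MSG_DENIED
        return None
    off = _skip_auth(payload, 12)            # verifier
    accept_stat, port = struct.unpack_from(">2I", payload, off)
    return (xid, port) if accept_stat == 0 else None

def negotiated_ports(payloads):
    """Pair calls with replies by xid; list (service, vers, proto, port)."""
    pending, found = {}, []
    for p in payloads:
        try:
            call, reply = parse_call(p), parse_reply(p)
        except struct.error:                 # truncated or non-RPC payload
            continue
        if call:
            pending[call[0]] = call[1:]
        elif reply and reply[0] in pending:
            prog, vers, proto = pending.pop(reply[0])
            if reply[1]:                     # port 0 = program not registered
                found.append((KNOWN.get(prog, str(prog)), vers,
                              PROTO.get(proto, str(proto)), reply[1]))
    return found

# Constructed sample: a client asks for mountd v3 over TCP; portmap answers 32767.
CALL = struct.pack(">14I", 0x1234, 0, 2, 100000, 2, 3, 0, 0, 0, 0, 100005, 3, 6, 0)
REPLY = struct.pack(">7I", 0x1234, 1, 0, 0, 0, 0, 32767)
print(negotiated_ports([CALL, REPLY]))       # [('mountd', 3, 'tcp', 32767)]
```
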
    
