Re: NFS through firewall

From: Amadeus W. M. (amadeus84_at_cablespeed.com)
Date: 11/18/05

  • Next message: Arvind L: "Upgradation problem:ethereal" 
    To: fedora-list@redhat.com
Date: Fri, 18 Nov 2005 11:33:54 -0500

    On Thu, 17 Nov 2005 09:26:14 -0500, James Pifer wrote:

    > Hi. I have a server in our DMZ and I'm exporting a specific directory
    > with NFS. I have an internal server that I want to mount it on. The
    > internal server is allowed through the firewall without restriction.
    > Firewall guy tells me it's wide open for this internal server, TCP and
    > UDP.
    >
    > When I try to mount the drive I get this error:
    > pmap_getmaps rpc problem: RPC: Unable to receive; errno = Connection
    > reset by peer
    >
    > On the server running NFS I get this:
    > rpc.mountd: authenticated mount request from [internal_server]:680
    > for /usr/test (/usr/test)
    >
    > If I do an nmap from the internal server to the external server running
    > I get:
    >
    > (The 1648 ports scanned but not shown below are in state: closed)
    > PORT STATE SERVICE
    > 22/tcp open ssh
    > 80/tcp open http
    > 111/tcp open rpcbind
    > 443/tcp open https
    > 933/tcp open unknown
    > 5001/tcp open commplex-link
    > 5801/tcp open vnc-http-1
    > 5901/tcp open vnc-1
    > 10000/tcp open snet-sensor-mgmt
    >
    > A UDP port scan seems to hang.
    >
    > If I do an rpcinfo on the external server running NFS I get:
    > # rpcinfo -p 127.0.0.1
    > program vers proto port
    > 100000 2 tcp 111 portmapper
    > 100000 2 udp 111 portmapper
    > 100024 1 udp 32768 status
    > 100024 1 tcp 32768 status
    > 391002 2 tcp 32769 sgi_fam
    > 100011 1 udp 930 rquotad
    > 100011 2 udp 930 rquotad
    > 100011 1 tcp 933 rquotad
    > 100011 2 tcp 933 rquotad
    > 100003 2 udp 2049 nfs
    > 100003 3 udp 2049 nfs
    > 100021 1 udp 32781 nlockmgr
    > 100021 3 udp 32781 nlockmgr
    > 100021 4 udp 32781 nlockmgr
    > 100005 1 udp 32782 mountd
    > 100005 1 tcp 59483 mountd
    > 100005 2 udp 32782 mountd
    > 100005 2 tcp 59483 mountd
    > 100005 3 udp 32782 mountd
    > 100005 3 tcp 59483 mountd
    >
    > Any thoughts on what the problem is?
    >
    > Thanks,
    > James

    Besides the firewall, other things to check for are tcp wrappers
    (/etc/hosts.allow/deny - I once pulled hair over this one), and permisions
    of the partitions exported by the NFS server.

    On the client do a

    /usr/sbin/showmount -e nfs.server.com

    Whenever you modify something on the nfs server, run

    exportfs -r

    or restart the nfs server (better, because it restarts the rpc services
    too).

    Also, you're not root on the client when you're trying to access the
    exports, are you? By default, the nfs server does not treat a remote root
    user as its own root user, for the obvious reasons. So if you're root on
    the client and try to access an exported partition that belongs to, say,
    joe/users, you'll get an error.

    Also, the nfs server need not give unrestricted access to a client to
    access nfs. The problem with nfs and firewall is that the rpc services run
    on random ports, so the firewall would have to open the same (random)
    ports to allow access to nfs. Fortunately, nfsd can be configured so that
    the rpc services run on fixed ports, like so:

    On the nfs server:

    cat /etc/sysconfig/nfs
    STATD_PORT=4000
    LOCKD_TCPPORT=4001
    LOCKD_UDPPORT=4001
    MOUNTD_PORT=4002
    RQUOTAD_PORT=4003

    Still on the nfs server, in /etc/sysconfig/iptables put these rules:

    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4000:4003 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4000:4003 -j ACCEPT

    These will allow anything to access the nfs/rpc ports. To allow a
    only single machine, add its address to these rules. 

    -- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
  • Next message: Arvind L: "Upgradation problem:ethereal"

    Relevant Pages

    • Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)
      ... > fairly tight(only allowing 4 ports in), but perhaps I could tighten it ... The host systems firewall rules govern the access to the jailed system. ... What connections does your server need to ... Perhaps there is a 0-day for your ftp server out there. ...
      (Incidents)
    • Re: Add 2nd NIC after intial install?
      ... My biggest question with 1 NIC is: even if workstations are protected with individual firewall products, what is protecting the SBS server itself if ports are open for remote access through the Linksys firewall? ...
      (microsoft.public.windows.server.sbs)
    • Re: Source Code to Filter out WindowsMessenger POP-UPS
      ... Zone Alarm does NOT support 'server'. ... Very few ports are open, ... >What you are asking for amounts to a firewall. ... I would NOT search for source code to compile ...
      (microsoft.public.inetserver.iis.security)
    • Re: Using Office Outlook with exchange server behind windows firewall
      ... On our network I have windows firewall turned on, on both my small business server and my windows xp workstations. ... Based on an article I read about all the ports that exhange may use I also tried making exceptions for ports ...
      (microsoft.public.windows.server.sbs)
    • Re: NETFW.INF, Preconfigured Firewall settings and dialogs
      ... it is Windows Server 2003 SP1 firewall that i'm using. ... Using the document '832017 Port Requirements for the Microsoft Windows ... > to achieve the following goal: some ports are open by default and others ...
      (microsoft.public.windows.server.networking)