Re: [SLE] NFS with SuSEfirewall2
From: Radule Soskic (rms_at_telekom.yu)
Date: 09/08/04
- Previous message: Bojan Hribernik: "[SLE] resize reiserfs partition with data on it to make room for winxp"
- In reply to: John N. Alegre: "Re: [SLE] NFS with SuSEfirewall2"
- Next in thread: John N. Alegre: "Re: [SLE] NFS with SuSEfirewall2"
- Reply: John N. Alegre: "Re: [SLE] NFS with SuSEfirewall2"
- Reply: Danny Sauer: "Re: [SLE] NFS with SuSEfirewall2"
To: suse-linux-e@suse.com
Date: Wed, 08 Sep 2004 15:22:14 +0200
On Wed, 2004-09-08 at 07:36 -0500, John N. Alegre wrote:
> >I have a nfs client/server pair (suse 9.1) which works fine, but only if
> >I shut down suSEfirewall2 on both computers.
> >
> Just yesterday I posted my solution to this problem. There was a three day
> thread on this topic. My solution was to add
>
> FW_TRUSTED_NETS="XXX.XXX.XXX.XXX"
>
> to the Firewall config file and restart the Firewall. Naturally the XXX are
> replaced with the static IPs of the machines I wish to trust. This in the
> config file is very well commented and easy to understand. Be sure to
> restart the Firewall or reboot after commenting the config file.
>
> As Dylan did point out, if your entry in the /etc/exports is *(aa, bb ...) this
> will open up your exported directories to a minor security hole so I changed
> the /etc/exports to XXX.XXX.XXX.XXX(aa, bb ...). Again this is well commented
> in the /etc/exports file.
>
> Check the post in the archives in the last 3 or 4 days. The title is
> something like Ports for NFS.
>
> john
Thank you, John. I've seen your post already. This works in my case,
too. But, as far as I understand, your solution opens FW for *all*
traffic coming from the address(es) that are specified in FW_TRUSTED_NETS
statement. While I don't see any reason against applying this to my
particular client/server arrangement, I would not accept it as a general
solution. It is more like a workaround conditioned by the fact that we don't
know how to limit the number of open ports to the ports that are
actually used in nfs mount process. Strange that no one posted the actual
and complete portlist yet. I am not good enough with the principles of
rpc, and have no time to study it now, but believe that there must be
more ports involved (and probably dynamically allocated), than just the
111 and 2049, and the fact that they're being closed on FW causes the
trouble.
What I did up to now is the following:
1. put 111 and 1049 in both FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP
on my server and client
2. put "mountd nfs" string in FW_SERVICES_EXT_RPC on the server
Now, if I switch on my server side FW *and* switch off FW on client,
everything works OK. This, I assume, means that my server side is
configured OK now. But, if I switch on the client side FW too, then I
get "rpc time out" error again. My diagnostics genius takes this as a
proof that client side FW needs further tweaking.
I was not able to do No.2 of the above to the client, since there is an
earlier version of SuSE FW, which seems not to understand this
particular statement. This evening I will check everything with an
up-to-date SuSE 9.1 client. I hope the results will be better then.
Regards,
cikasole
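
The message above suspects that more ports than 111 and 2049 are involved and that some are dynamically allocated. As an added example (not part of the original message), this script lists the ports that the NFS-related RPC services have registered with the portmapper, parsed from `rpcinfo -p` output, so firewall openings can be limited to them. The sample listing is constructed, and the ports for mountd, nlockmgr and status are assigned when those services start, so they can differ per host and per restart.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p <server>` output (not captured from a real host).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp  32768  status
    100021    1   udp  32769  nlockmgr
    100021    1   tcp  32771  nlockmgr
    100005    1   udp    847  mountd
    100005    1   tcp    850  mountd
    100005    3   udp    847  mountd
EOF
}

# nfs_ports PROTO: read `rpcinfo -p` output on stdin and print, on one line,
# the sorted unique ports that NFS-related RPC services registered for PROTO
# (tcp or udp). The header line never matches because its third field is "proto".
nfs_ports() {
    awk -v proto="$1" '
        $3 == proto && $5 ~ /^(portmapper|nfs|mountd|nlockmgr|status)$/ { print $4 }
    ' | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: query a live server if a host name is given as the first
# argument, otherwise fall back to the constructed sample above.
if [ -n "${1:-}" ]; then src="rpcinfo -p $1"; else src=sample_rpcinfo; fi
echo "tcp: $($src | nfs_ports tcp)"
echo "udp: $($src | nfs_ports udp)"
```

Running it again after the NFS services restart shows whether the registered ports have moved.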