SuSE 10.0 NFS vs. Firewall



I am attempting to get NFS working; both client and server are running
SuSE 10.0. When I turn off the server's firewall, I can mount a share
on the client; when I turn the firewall on, I get an RPC timeout. Both
the server and client firewalls were set up via YaST. The server
firewall allows both the NFS server and NFS client services. When I used
YaST to set up the shares on the NFS server, I checked the "open port
in firewall" box.

Here is the output from iptables, rpcinfo, and ps (to see that rpc and
nfsd are really running). What am I doing wrong?

iptables output:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target prot opt source destination

Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp-data flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpts:50100:51000 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpts:50100:51000
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http-alt flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:http
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ftp-data
ACCEPT udp -- anywhere anywhere udp dpt:fsp
ACCEPT udp -- anywhere anywhere udp dpts:50100:51000
ACCEPT udp -- anywhere anywhere udp dpt:http-alt
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW udp dpt:977 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-RPC '
ACCEPT udp -- anywhere anywhere udp dpt:977
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 state NEW tcp dpt:978 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-RPC '
ACCEPT tcp -- anywhere anywhere tcp dpt:978
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW udp dpt:sunrpc LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-RPC '
ACCEPT udp -- anywhere anywhere udp dpt:sunrpc
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 state NEW tcp dpt:sunrpc LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-RPC '
ACCEPT tcp -- anywhere anywhere tcp dpt:sunrpc
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW udp dpt:nfs LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-RPC '
ACCEPT udp -- anywhere anywhere udp dpt:nfs
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 state NEW tcp dpt:nfs LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-RPC '
ACCEPT tcp -- anywhere anywhere tcp dpt:nfs
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW udp dpt:td-postman LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-RPC '
ACCEPT udp -- anywhere anywhere udp dpt:td-postman
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 state NEW tcp dpt:iad1 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-RPC '
ACCEPT tcp -- anywhere anywhere tcp dpt:iad1
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp spt:ftp-data dpts:1024:65535 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-HIGH '
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data dpts:1024:65535
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp spt:ftp dpts:1024:65535 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-HIGH '
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:1024:65535
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW udp spt:ftp-data dpts:1024:65535 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-HiUDP '
ACCEPT udp -- anywhere anywhere state NEW udp spt:ftp-data dpts:1024:65535
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere

Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
===
rpcinfo output:

program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100024 1 udp 1049 status
100021 1 udp 1049 nlockmgr
100021 3 udp 1049 nlockmgr
100021 4 udp 1049 nlockmgr
100024 1 tcp 1030 status
100021 1 tcp 1030 nlockmgr
100021 3 tcp 1030 nlockmgr
100021 4 tcp 1030 nlockmgr
100005 1 udp 977 mountd
100005 1 tcp 978 mountd
100005 2 udp 977 mountd
100005 2 tcp 978 mountd
100005 3 udp 977 mountd
100005 3 tcp 978 mountd
===
ps output:

root 6728 0.0 0.0 0 0 ? S< Oct02 0:00 [nfsd4]
root 6729 0.0 0.0 0 0 ? S Oct02 0:00 [nfsd]
root 6730 0.0 0.0 0 0 ? S Oct02 0:00 [nfsd]
root 6731 0.0 0.0 0 0 ? S Oct02 0:00 [nfsd]
root 6732 0.0 0.0 0 0 ? S Oct02 0:00 [nfsd]
root 6735 0.0 0.0 0 0 ? S< Oct02 0:00 [rpciod/0]
root 6736 0.0 0.0 0 0 ? S< Oct02 0:00 [rpciod/1]
root 6738 0.0 0.1 2036 764 ? Ss Oct02 0:00 /usr/sbin/rpc.mountd
