[gentoo-user] svc: bad direction 268435456

[gentoo-user] svc: bad direction 268435456

[Matthias Langer]

i've recently set up a local nfs server for my disfiles; to keep the WAN
out i have:

iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport nfs -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport nfs -j DROP

everthing is working fine so far; however, my logs are full with these
messages:

svc: bad direction 268435456, dropping request

any comments ?

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] svc: bad direction 268435456

[Ralph Slooten]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matthias Langer wrote:
> i've recently set up a local nfs server for my disfiles; to keep the WAN
> out i have:
> 
> iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport nfs -j DROP
> iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport nfs -j DROP
> 
> everthing is working fine so far; however, my logs are full with these
> messages:
> 
> svc: bad direction 268435456, dropping request
> 
> any comments ?

I have had this too from quite a while back
(http://blog.axljab.homelinux.org/post/6/). I turned on logging in my
firewall to find out that nfs listens on random ports for UDP
connections. The problem is that the random ports change ;-) In my
firewall *most* of > 1024 is open so there isn't much I can do about it.

- From what I noticed it's nobody trying to hack you but rather just
internet "static" which by coincidence tries a port that your NFS is
listening on. I stopped worrying about it after a while. The option for
NFS to listen only on one interface wasn't then (iirc) an option ..  not
sure about now though.

Greetings,
Ralph
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEljT+Ct0ZF9kLPvYRAupeAJ9kSYUdHh6DaV/npK+llF7an4jcMQCfXUgN
Gr0GEONQuBgPDhYgYdqedW8=
=JSh1
-----END PGP SIGNATURE-----
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] svc: bad direction 268435456 [SOLVED]

[Matthias Langer]

On Mon, 2006-06-19 at 07:24 +0200, Ralph Slooten wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Matthias Langer wrote:
> > i've recently set up a local nfs server for my disfiles; to keep the WAN
> > out i have:
> > 
> > iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport nfs -j DROP
> > iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport nfs -j DROP
> > 
> > everthing is working fine so far; however, my logs are full with these
> > messages:
> > 
> > svc: bad direction 268435456, dropping request
> > 
> > any comments ?
> 
> I have had this too from quite a while back
> (http://blog.axljab.homelinux.org/post/6/). I turned on logging in my
> firewall to find out that nfs listens on random ports for UDP
> connections. The problem is that the random ports change ;-) In my
> firewall *most* of > 1024 is open so there isn't much I can do about it.
> 
> - From what I noticed it's nobody trying to hack you but rather just
> internet "static" which by coincidence tries a port that your NFS is
> listening on. I stopped worrying about it after a while. The option for
> NFS to listen only on one interface wasn't then (iirc) an option ..  not
> sure about now though.
> 
> Greetings,
> Ralph

Thank you very much .. After adding the following lines to my firewall,
these annyoing messages seem to be gone (at least they did not appear
for one hour now):

iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 1026 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 1026 -j DROP
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 2442 -j DROP
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 2292 -j DROP

i'm not sure which of these lines acually fixed my problem as i've just
looked at the output of rpcinfo and grabbed all nfs relevant ports from
there.

Matthias

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] svc: bad direction 268435456 [SOLVED]

[Ralph Slooten]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matthias Langer wrote:
> i'm not sure which of these lines acually fixed my problem as i've just
> looked at the output of rpcinfo and grabbed all nfs relevant ports from
> there.

This will probably fix your problems *until* you restart nfs.

# lsof -n -P|egrep "UDP|LISTEN"|grep "rpc\."
rpc.statd 19260   nobody    4u     IPv4  178640062  UDP *:47496
rpc.statd 19260   nobody    5u     IPv4  178640054  UDP *:780
rpc.statd 19260   nobody    6u     IPv4  178640065  TCP *:42346 (LISTEN)
rpc.mount 19277     root    6u     IPv4  178640109  UDP *:797
rpc.mount 19277     root    7u     IPv4  178640112  TCP *:800 (LISTEN)

Restart NSF ....

rpc.statd 19433   nobody    4u     IPv4  178641101  UDP *:47498
rpc.statd 19433   nobody    5u     IPv4  178641093  UDP *:953
rpc.statd 19433   nobody    6u     IPv4  178641104  TCP *:42347 (LISTEN)
rpc.mount 19450     root    6u     IPv4  178641148  UDP *:970
rpc.mount 19450     root    7u     IPv4  178641151  TCP *:973 (LISTEN)

Restart again ....

rpc.statd 19534   nobody    4u     IPv4  178641453  UDP *:47499
rpc.statd 19534   nobody    5u     IPv4  178641445  UDP *:630
rpc.statd 19534   nobody    6u     IPv4  178641456  TCP *:42348 (LISTEN)
rpc.mount 19551     root    6u     IPv4  178641500  UDP *:647
rpc.mount 19551     root    7u     IPv4  178641503  TCP *:650 (LISTEN)



I never worked out how to get NSF to only listen on a single interface.

Glad you at least now know what was causing the logs.

Greetings,
Ralph

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFElp5TCt0ZF9kLPvYRAuLxAJ4/UYqhRdRObf5ZEM7bX5qNZd/ukACfd+rG
rEykTTIi6aWPzHRPiG7IjMs=
=BKB9
-----END PGP SIGNATURE-----
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] svc: bad direction 268435456 [SOLVED]

[Matthias Langer]

On Mon, 2006-06-19 at 14:53 +0200, Ralph Slooten wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Matthias Langer wrote:
> > i'm not sure which of these lines acually fixed my problem as i've just
> > looked at the output of rpcinfo and grabbed all nfs relevant ports from
> > there.
> 
> This will probably fix your problems *until* you restart nfs.
> 
> # lsof -n -P|egrep "UDP|LISTEN"|grep "rpc\."
> rpc.statd 19260   nobody    4u     IPv4  178640062  UDP *:47496
> rpc.statd 19260   nobody    5u     IPv4  178640054  UDP *:780
> rpc.statd 19260   nobody    6u     IPv4  178640065  TCP *:42346 (LISTEN)
> rpc.mount 19277     root    6u     IPv4  178640109  UDP *:797
> rpc.mount 19277     root    7u     IPv4  178640112  TCP *:800 (LISTEN)
> 
> Restart NSF ....
> 
> rpc.statd 19433   nobody    4u     IPv4  178641101  UDP *:47498
> rpc.statd 19433   nobody    5u     IPv4  178641093  UDP *:953
> rpc.statd 19433   nobody    6u     IPv4  178641104  TCP *:42347 (LISTEN)
> rpc.mount 19450     root    6u     IPv4  178641148  UDP *:970
> rpc.mount 19450     root    7u     IPv4  178641151  TCP *:973 (LISTEN)
> 
> Restart again ....
> 
> rpc.statd 19534   nobody    4u     IPv4  178641453  UDP *:47499
> rpc.statd 19534   nobody    5u     IPv4  178641445  UDP *:630
> rpc.statd 19534   nobody    6u     IPv4  178641456  TCP *:42348 (LISTEN)
> rpc.mount 19551     root    6u     IPv4  178641500  UDP *:647
> rpc.mount 19551     root    7u     IPv4  178641503  TCP *:650 (LISTEN)
> 
> 
> 
> I never worked out how to get NSF to only listen on a single interface.
> 
> Glad you at least now know what was causing the logs.
> 
> Greetings,
> Ralph
> 
Well, i guess this can be done by modifiying the steps described in the
follwoing howto:
http://gentoo-wiki.com/HOWTO_Share_Directories_via_NFS#Setting_Up_Firewall_.28Server_Side.29
I've not tried that yet, as i don't plan to restart my server in the
next few days, but will sooner or later take this into account ...

Matthias

-- 
gentoo-user@gentoo.org mailing list