* [gentoo-user] [OT] NFS through a firewall
From: Roger Mason @ 2008-04-11 13:49 UTC
To: gentoo-user
Hello,
I'm trying to configure the firewall on a client to allow that client
to mount an nfs directory. The client runs a netfilter firewall, the
server uses tcpwrapper.
rpcinfo -p on the server shows:
beryl rmason # rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 32765 status
100024 1 tcp 32765 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100021 1 udp 4001 nlockmgr
100021 3 udp 4001 nlockmgr
100021 4 udp 4001 nlockmgr
100021 1 tcp 4001 nlockmgr
100021 3 tcp 4001 nlockmgr
100021 4 tcp 4001 nlockmgr
100005 1 udp 32767 mountd
100005 1 tcp 32767 mountd
100005 2 udp 32767 mountd
100005 2 tcp 32767 mountd
100005 3 udp 32767 mountd
100005 3 tcp 32767 mountd
When I try to mount the exported directory when the firewall is
running I get a timeout:
minnie ~ $ mount -v Help/
mount: trying 134.153.37.5 prog 100003 vers 3 prot tcp port 2049
mount: trying 134.153.37.5 prog 100005 vers 3 prot udp port 32767
mount: mount to NFS server 'beryl.esd.mun.ca' failed: timed out
(retrying).
If I drop the client firewall the mount succeeds.
Can someone help me figure out what must be put in my iptables script
to get this to work?
Thanks,
Roger
--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] [OT] NFS through a firewall
From: Greg Bowser @ 2008-04-11 14:38 UTC
To: gentoo-user
Please excuse my possible lack of coherency; I have yet to have any
coffee, and I just mediated a battle on IRC, so mehhh
I had a very similar experience a few weeks back. There's that problem
with the thing where the thing is like "hey, Imma use this random
port" and then the other thing is like "oh no you diint". So then
they fight about it. I have debian boxes (against my wishes) and
gentoo boxes in my mix.
The following article was of great use to me:
http://wiki.debian.org/SecuringNFS
* Re: [gentoo-user] [OT] NFS through a firewall
From: Etaoin Shrdlu @ 2008-04-11 14:48 UTC
To: gentoo-user
On Friday 11 April 2008, 15:49, Roger Mason wrote:
> Hello,
>
> I'm trying to configure the firewall on a client to allow that client
> to mount an nfs directory. The client runs a netfilter firewall, the
> server uses tcpwrapper.
http://marc.info/?l=gentoo-user&m=120546886304830&w=2
* Re: [gentoo-user] [OT] NFS through a firewall
From: Hamie @ 2008-04-11 22:26 UTC
To: gentoo-user
On Friday 11 April 2008 13:49:11 Roger Mason wrote:
> Hello,
>
> I'm trying to configure the firewall on a client to allow that client
> to mount an nfs directory. The client runs a netfilter firewall, the
> server uses tcpwrapper.
[deleted]
>
> If I drop the client firewall the mount succeeds.
>
> Can someone help me figure out what must be put in my iptables script
> to get this to work?
>
Do you have the option to run nfsv4? It uses only port tcp-2049. That way you
don't need portmapper (port 111), lockmgr, status, or mountd.
Hamish.
* Re: [gentoo-user] [OT] NFS through a firewall
From: Dan Farrell @ 2008-04-12 1:08 UTC
To: gentoo-user
On Fri, 11 Apr 2008 11:19:11 -0230
Roger Mason <rmason@esd.mun.ca> wrote:
> Hello,
>
> I'm trying to configure the firewall on a client to allow that client
> to mount an nfs directory. The client runs a netfilter firewall, the
> server uses tcpwrapper.
>
> rpcinfo -p on the server shows:
>
> beryl rmason # rpcinfo -p
> program vers proto port
> 100000 2 tcp 111 portmapper
> 100000 2 udp 111 portmapper
> 100024 1 udp 32765 status
> 100024 1 tcp 32765 status
> 100003 2 udp 2049 nfs
> 100003 3 udp 2049 nfs
> 100003 2 tcp 2049 nfs
> 100003 3 tcp 2049 nfs
> 100021 1 udp 4001 nlockmgr
> 100021 3 udp 4001 nlockmgr
> 100021 4 udp 4001 nlockmgr
> 100021 1 tcp 4001 nlockmgr
> 100021 3 tcp 4001 nlockmgr
> 100021 4 tcp 4001 nlockmgr
> 100005 1 udp 32767 mountd
> 100005 1 tcp 32767 mountd
> 100005 2 udp 32767 mountd
> 100005 2 tcp 32767 mountd
> 100005 3 udp 32767 mountd
> 100005 3 tcp 32767 mountd
>
> When I try to mount the exported directory when the firewall is
> running I get a timeout:
>
> minnie ~ $ mount -v Help/
> mount: trying 134.153.37.5 prog 100003 vers 3 prot tcp port 2049
> mount: trying 134.153.37.5 prog 100005 vers 3 prot udp port 32767
> mount: mount to NFS server 'beryl.esd.mun.ca' failed: timed out
> (retrying).
>
> If I drop the client firewall the mount succeeds.
>
> Can someone help me figure out what must be put in my iptables script
> to get this to work?
Accept all incoming and outgoing connections on the client that
originate from or go to the server. It would look something like this:
iptables -I INPUT -s 134.153.37.55 -j ACCEPT
iptables -I INPUT -s 134.153.37.55 -j ACCEPT
now make sure those will work with your config before just blindly
setting them up!
Best of luck! Hope it works.
-- Dan
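A tighter version of the rules above, added here as an example and not Dan's or Roger's script: instead of accepting everything from the server's address, it derives one rule per registered port from the rpcinfo -p listing quoted earlier. Two things to note when comparing it with the rules in the thread: on the OUTPUT chain the server is the destination, so the match is -d rather than -s, and the server address 134.153.37.5 is the one from the mount output. It assumes a POSIX sh with awk; RPCINFO_SERVER is an abridged, constructed copy of the listing.

```shell
#!/bin/sh
# Added example, not code from the thread: turns an "rpcinfo -p" listing into
# per-port iptables rules for an NFS client, so the client firewall opens only
# the RPC ports the server registered instead of everything from its address.
# rpc_rules CHAIN PEER reads rpcinfo output on stdin and prints one rule per
# distinct (proto, port). CHAIN=OUTPUT: the listing is the server's and the
# rules let the client reach those ports on PEER (the server). CHAIN=INPUT:
# the listing is the client's own (its nlockmgr/status ports) and the rules
# let PEER reach them for lock-manager callbacks. Unless statd/mountd/lockd
# ports are pinned in the server's config, they can change across reboots.
rpc_rules() {
    chain="$1"; peer="$2"
    case "$chain" in
        OUTPUT) addr="-d" ;;
        INPUT)  addr="-s" ;;
        *) echo "rpc_rules: chain must be INPUT or OUTPUT" >&2; return 1 ;;
    esac
    awk -v chain="$chain" -v addr="$addr" -v peer="$peer" '
        # rpcinfo -p columns: program vers proto port service
        NF >= 4 && $1 ~ /^[0-9]+$/ && ($3 == "tcp" || $3 == "udp") {
            key = $3 "/" $4
            if (key in seen) next
            seen[key] = 1
            printf "iptables -A %s -p %s %s %s --dport %s -j ACCEPT\n", chain, $3, addr, peer, $4
        }'
}
# Replies to flows the client opened (UDP too: conntrack tracks UDP flows),
# so no blanket accept from the server's address is needed.
reply_rule() {
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}
# Constructed sample: an abridged copy of the server listing quoted in the
# thread (one line per proto/port; the real one repeats them per version).
RPCINFO_SERVER='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp   4001  nlockmgr
    100021    4   tcp   4001  nlockmgr
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd'
printf '%s\n' "$RPCINFO_SERVER" | rpc_rules OUTPUT 134.153.37.5
reply_rule
```

Run the client's own rpcinfo -p listing through `rpc_rules INPUT <server>` to add the callback rules for the client's nlockmgr and status ports.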
* Re: [gentoo-user] [OT] NFS through a firewall
From: Roger Mason @ 2008-04-14 12:52 UTC
To: gentoo-user
Hello,
Dan Farrell <dan@spore.ath.cx> writes:
> On Fri, 11 Apr 2008 11:19:11 -0230
> Roger Mason <rmason@esd.mun.ca> wrote:
>
>> Hello,
>>
>> I'm trying to configure the firewall on a client to allow that client
>> to mount an nfs directory. The client runs a netfilter firewall, the
>> server uses tcpwrapper.
>>
>> Can someone help me figure out what must be put in my iptables script
>> to get this to work?
[snip]
>
> Accept all incoming and outgoing connections on the client that
> originate from or go to the server. It would look something like this:
>
> iptables -I INPUT -s 134.153.37.55 -j ACCEPT
> iptables -I INPUT -s 134.153.37.55 -j ACCEPT
>
> now make sure those will work with your config before just blindly
> setting them up!
Thank you, this works:
> iptables -I INPUT -s 134.153.37.55 -j ACCEPT
> iptables -I OUTPUT -s 134.153.37.55 -j ACCEPT
Many thanks to all who replied.
Roger
* Re: [gentoo-user] [OT] NFS through a firewall
From: Roger Mason @ 2008-04-14 12:54 UTC
To: gentoo-user
Hamie <hamish@travellingkiwi.com> writes:
> On Friday 11 April 2008 13:49:11 Roger Mason wrote:
>> Hello,
>>
>> I'm trying to configure the firewall on a client to allow that client
>> to mount an nfs directory. The client runs a netfilter firewall, the
>> server uses tcpwrapper.
>
> Do you have the option to run nfsv4? It uses only port tcp-2049. That way you
> don't need portmapper (port 111), lockmgr, status, or mountd.
Not at the moment: the server is running a very old (obsolete)
profile, so it is hard to update. A complete rebuild is on my agenda,
but I won't get to it for a few weeks.
It looks like a good solution though.
Cheers,
Roger
* Re: [gentoo-user] [OT] NFS through a firewall
From: Enrico Weigelt @ 2008-04-28 10:49 UTC
To: gentoo-user
* Etaoin Shrdlu <shrdlu@unlimitedmail.org> wrote:
> On Friday 11 April 2008, 15:49, Roger Mason wrote:
>
> > Hello,
> >
> > I'm trying to configure the firewall on a client to allow that client
> > to mount an nfs directory. The client runs a netfilter firewall, the
> > server uses tcpwrapper.
>
> http://marc.info/?l=gentoo-user&m=120546886304830&w=2
BTW: if you don't actually *need* NFS, but just some network
filesystem, you might want to try 9P.
cu
--
---------------------------------------------------------------------
Enrico Weigelt == metux IT service - http://www.metux.de/
---------------------------------------------------------------------
Please visit the OpenSource QM Taskforce:
http://wiki.metux.de/public/OpenSource_QM_Taskforce
Patches / Fixes for a lot dozens of packages in dozens of versions:
http://patches.metux.de/
---------------------------------------------------------------------
* Re: [gentoo-user] [OT] NFS through a firewall
From: Roger Mason @ 2008-04-28 12:14 UTC
To: gentoo-user
Enrico Weigelt <weigelt@metux.de> writes:
>
> BTW: if you don't actually *need* NFS, but just some network
> filesystem, you might want to try 9P.
I finally got this solved with some help from this list.
Your comment about the 9P filesystem is interesting as I'm somewhat
interested in an operating system for a cluster, and the 9P operating
system, from what I've read, was designed as a distributed system from
the start. It is a pity there seems to have been so little software
ported to run on it. I've also played a little with xcpu
(http://xcpu.org/) and may install that in the summer.
Cheers,
Roger