SuSE 9.2 + SuSEfirewall2 + nfs problems
I have a new fileserver running SuSE 9.2. Amongst other services it exports NFS shares. I've used Yast to configure the firewall, checking the NFS option.

I have had problems where remote NFS clients either timeout trying to communicate with the server (ping/ssh work fine). After some messing (turn services on and off, flush iptables, etc) it now seems to work.

However I notice some dropped packets from one of the NFS clients:

Mar 15 09:38:55 zzz kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0d:56:b8:5a:f4:08:00:69:0d:9a:2e:08:00 SRC=130.88.xxx.yyy DST=130.88.xxx.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12095 DF PROTO=TCP SPT=757 DPT=2049 WINDOW=32761 RES=0x00 ACK RST URGP=0

These are occurring on average about once a minute, but the timings vary - there can be gaps of up to eight minutes and then again they may be as close as a few seconds apart.

rpcinfo indicates the following for port 2049:

100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100227 3 udp 2049 nfs_acl
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl

There are no noticeable effects on the remote client! Any ideas what is happening?

Regards
--
Simon Oliver
Simon Oliver wrote:
I have a new fileserver running SuSE 9.2. Amongst other services it exports NFS shares. I've used Yast to configure the firewall, checking the NFS option.
I have had problems where remote NFS clients either timeout trying to communicate with the server (ping/ssh work fine). After some messing (turn services on and off, flush iptables, etc) it now seems to work.
However I notice some dropped packets from one of the NFS clients:
Mar 15 09:38:55 zzz kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0d:56:b8:5a:f4:08:00:69:0d:9a:2e:08:00 SRC=130.88.xxx.yyy DST=130.88.xxx.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12095 DF PROTO=TCP SPT=757 DPT=2049 WINDOW=32761 RES=0x00 ACK RST URGP=0
Conntrack thinks those packets are invalid for some reason. Do you have the latest kernel available through YaST Online Update? There have been issues with tcp window tracking but I thought they were fixed already.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
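To see what the firewall is actually complaining about, here is an added example (not code from the thread or from SuSEfirewall2) that parses SFW2 kernel log lines like the one above, separates conntrack INVALID drops (the "-INV" prefix) from ordinary policy drops, and counts them per source and destination port. The sample log is constructed: the first line is the one quoted above, the other two are made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines in SuSEfirewall2's format. The first is the entry
# from the thread; the other two are made up (a plain policy drop, a repeat INVALID drop).
SAMPLE_LOG = """\
Mar 15 09:38:55 zzz kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0d:56:b8:5a:f4:08:00:69:0d:9a:2e:08:00 SRC=130.88.xxx.yyy DST=130.88.xxx.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12095 DF PROTO=TCP SPT=757 DPT=2049 WINDOW=32761 RES=0x00 ACK RST URGP=0
Mar 15 09:40:01 zzz kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0d:56:b8:5a:f4:08:00:69:0d:9a:2e:08:00 SRC=10.0.0.9 DST=130.88.xxx.zzz LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=40000 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 15 09:41:12 zzz kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0d:56:b8:5a:f4:08:00:69:0d:9a:2e:08:00 SRC=130.88.xxx.yyy DST=130.88.xxx.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12100 DF PROTO=TCP SPT=757 DPT=2049 WINDOW=32761 RES=0x00 ACK RST URGP=0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>SFW2-\S+) (?P<rest>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_sfw2(line):
    """Parse one SFW2 kernel log line into KEY=VALUE fields plus a set of TCP flags."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # e.g. SPT=757, OUT= (empty value)
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)          # bare flag words such as ACK RST
    return rec


def classify(rec):
    """Name the drop reason from the log prefix and TCP flags."""
    # "-INV" means the packet matched conntrack state INVALID: it fit no tracked
    # connection (out-of-window or late segment). A lone RST for a connection that
    # conntrack no longer tracks is the pattern in the thread's log line.
    if rec["prefix"].endswith("-INV"):
        if rec.get("PROTO") == "TCP" and "RST" in rec["flags"]:
            return "invalid-rst"
        return "invalid-other"
    return "policy-drop"       # no rule allowed it: ordinary firewall policy


def summarize(log_text):
    """Count drops per (source, destination port, reason) so repeat sources stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_sfw2(line)
        if rec is not None:
            counts[(rec.get("SRC"), rec.get("DPT"), classify(rec))] += 1
    return counts
```

Run it over /var/log/messages to check whether the INVALID drops are all stray RSTs from NFS clients, as in the thread, or whether data segments to port 2049 are being discarded too.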
Ludwig Nussel wrote:
Simon Oliver wrote:
I have a new fileserver running SuSE 9.2. Amongst other services it exports NFS shares. I've used Yast to configure the firewall, checking the NFS option.
I have had problems where remote NFS clients either timeout trying to communicate with the server (ping/ssh work fine). After some messing (turn services on and off, flush iptables, etc) it now seems to work.
However I notice some dropped packets from one of the NFS clients:
Mar 15 09:38:55 zzz kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0d:56:b8:5a:f4:08:00:69:0d:9a:2e:08:00 SRC=130.88.xxx.yyy DST=130.88.xxx.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12095 DF PROTO=TCP SPT=757 DPT=2049 WINDOW=32761 RES=0x00 ACK RST URGP=0
Conntrack thinks those packets are invalid for some reason. Do you have the latest kernel available through YaST Online Update? There have been issues with tcp window tracking but I thought they were fixed already.
cu Ludwig
I had different problems with it.

- At first you have to bind nfs and/or the mount daemon to a defined port (forgot which one gets dynamic port association).
- Afterwards you can set rules for that defined port.
- Now setup trusted_nets as you normally only want some IPs to access your nfs.

A second problem may occur when using mixed kernel and standalone nfs & mount-daemon. Only use kernel with kernel daemon and standalone with standalone daemon. Not vice versa!

If there is a firewall on both machines you have to bind ports on both machines. The problem is in that context that after each reboot or restart of the service the port definition changes (I think of a bind_to_port option) as I set this up somewhere a long time ago.

Regards
Philippe

--
This message is digitally signed and contains neither seal nor signature! Sending unsolicited advertising e-mail to private individuals violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O 201/98). Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!
Philippe Vogel wrote:
[...] I had different problems with it.
- At first you have to bind nfs and/or the mount daemon to a defined port (forgot which one gets dynamic port association).
- Afterwards you can set rules for that defined port.
SuSEfirewall2 supports dynamic portmapper assigned ports, you can just specify e.g. FW_SERVICES_EXT_RPC="mountd nfs" and it will automatically open the required ports. You need to restart SuSEfirewall2 every time the ports change of course.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
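The restart requirement above is easy to forget, because mountd gets a fresh portmapper-assigned port each time it starts while nfs stays on 2049. As an added example (not the thread's or SuSEfirewall2's own code), this parses `rpcinfo -p` output for the services named in a FW_SERVICES_EXT_RPC setting and compares the ports in use now with the ones the firewall opened at its last restart. The rpcinfo samples are constructed; the nfs/nfs_acl lines match those quoted in the thread, the portmapper and mountd lines and their ports are made up.

```python
import re

# Constructed sample of `rpcinfo -p` output on the NFS server. The nfs/nfs_acl lines
# are the ones from the thread; portmapper and mountd lines (and their ports) are made up.
RPCINFO_BEFORE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100005    1   udp  32770  mountd
    100005    1   tcp  32771  mountd
"""
# Same server after the mount daemon was restarted: it registered new dynamic ports.
RPCINFO_AFTER = RPCINFO_BEFORE.replace("32770", "32772").replace("32771", "32773")

# program vers proto port service  (the header line does not match, which is intended)
RPC_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def rpc_ports(rpcinfo_text, services):
    """Return the set of (proto, port) registered for the space-separated service
    names, i.e. what FW_SERVICES_EXT_RPC="mountd nfs" has to open right now."""
    wanted = set(services.split())
    ports = set()
    for line in rpcinfo_text.splitlines():
        m = RPC_LINE.match(line)
        if m and m.group(5) in wanted:
            ports.add((m.group(3), int(m.group(4))))
    return ports


def firewall_rules_stale(opened, current):
    """Compare the ports opened at the last SuSEfirewall2 (re)start with the ports the
    RPC services use now. 'missing' ports are currently blocked (clients will hang),
    'extra' ports are open for nothing; either list non-empty means restart the firewall."""
    return {"missing": sorted(current - opened), "extra": sorted(opened - current)}
```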
Mar 15 09:38:55 zzz kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0d:56:b8:5a:f4:08:00:69:0d:9a:2e:08:00 SRC=130.88.xxx.yyy DST=130.88.xxx.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12095 DF PROTO=TCP SPT=757 DPT=2049 WINDOW=32761 RES=0x00 ACK RST URGP=0
Conntrack thinks those packets are invalid for some reason. Do you have the latest kernel available through YaST Online Update? There have been issues with tcp window tracking but I thought they were fixed already.
I have kernel 2.6.8-24.11-smp (the latest available I believe)

Regards
--
Simon Oliver
Simon Oliver wrote:
Mar 15 09:38:55 zzz kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0d:56:b8:5a:f4:08:00:69:0d:9a:2e:08:00 SRC=130.88.xxx.yyy DST=130.88.xxx.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12095 DF PROTO=TCP SPT=757 DPT=2049 WINDOW=32761 RES=0x00 ACK RST URGP=0
Conntrack thinks those packets are invalid for some reason. Do you have the latest kernel available through YaST Online Update? There have been issues with tcp window tracking but I thought they were fixed already.
I have kernel 2.6.8-24.11-smp (the latest available I believe)
That's strange. I'd suggest you to start from scratch and then post your /etc/sysconfig/SuSEfirewall2 file. Just copy /var/adm/fillup-templates/sysconfig.SuSEfirewall2 to /etc/sysconfig/SuSEfirewall2 to restore the default configuration file.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/