* David Krider;
Now I just need to figure out how to get NFS working through the firewall...
Well, although I would not recommend having NFS on your firewall machine, here are a couple of things (if you search the archives you can find them in detail) that I am planning to have in the upcoming version of the unofficial SuSEfirewall2 document. All credit goes to the people who submitted the answers.

<options>

Option 1. Under the following URL you find one description of how to tunnel nfs in ssh. This is afaik the easiest approach to use nfs in a secure way (not only if you have a firewall, it might even be a good replacement for unencrypted nfs in your lan - as long as you are not 100% sure who has access to the network):

    http://www.math.ualberta.ca/imaging/snfs/

Option 2. What about tunnelling NFS-over-IP-over-PPP-over-SSH-through-the-firewall, as shown in

    http://www.jfranken.de/homepages/johannes/vortraege/ssh2.en.html#ToC12

As a nice side-effect, your nfs traffic would be compressed and enciphered, and ssh itself can easily tunnel through other protocols like https (see http://www.jfranken.de/homepages/johannes/vortraege/ssh3.en.html#ToC6 ).

Option 3. Use it from /etc/sysconfig/scripts/SuSEfirewall2-custom:

    FW_ALLOW_NFS=""

    # These ports will be opened for access by the given host
    # (showmount -e seems to use tcp ports around 1200 damn...)
    # Each line is in the form FW_TRUSTED_NETS expects: host,proto,port[:port]
    allow_nfs_ports_in() {
        echo "
        $1,tcp,111
        $1,udp,111
        $1,udp,2049
        $1,udp,600:1399
        $1,udp,2100:2499
        "
    }

    if [ -n "$FW_ALLOW_NFS" -a "$FW_ALLOW_NFS" != no ]; then
        for host in $FW_ALLOW_NFS; do
            # word-split the echoed list into an array and append it
            addnet=( `allow_nfs_ports_in $host` )
            FW_TRUSTED_NETS="$FW_TRUSTED_NETS ${addnet[@]}"
        done
        echo "FW_TRUSTED_NETS=$FW_TRUSTED_NETS"
    fi

Issues:
- It allows those ports on all interfaces, not just the one you want - if you only have one, fine.
- Those udp ports are a guess - security won't be much worse by just allowing 600:6000. If your mounts suddenly hang (or the mount times out) check this.
- It doesn't allow for your MAC address checking.

If you want finer control, you have to generate iptables rules yourself, at the correct point in the SuSEfirewall2 script. You'll probably find that you need to edit the script itself.

</options>

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
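The following is an added example, not part of Togan's post and not code from SuSEfirewall2 itself. It addresses the two issues listed under Option 3, the guessed UDP port ranges and rules that apply on every interface: instead of guessing, it reads `rpcinfo -p` output to learn which ports mountd, nlockmgr and statd actually registered on the server, then emits iptables rules limited to one interface and one client, and the same ports in FW_TRUSTED_NETS form. The interface name, client address and the rpcinfo listing are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): derive NFS firewall rules for
# one interface and one client from an rpcinfo -p listing instead of guessing
# a UDP port range. Interface, client and the listing below are constructed.

# Constructed sample of `rpcinfo -p` output from an NFS server. The mountd,
# nlockmgr and status ports are the "random" ones that the 600:1399 and
# 2100:2499 guesses in the post try to cover.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    1   tcp   1201  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp   2240  nlockmgr
    100021    1   tcp   2249  nlockmgr
    100024    1   udp    639  status'

# Print "proto port" pairs for the RPC services an NFS client needs, one per
# line, deduplicated. Reads rpcinfo -p text on stdin.
nfs_rpc_ports() {
    awk '$5 ~ /^(portmapper|mountd|nfs|nlockmgr|status)$/ { print $3, $4 }' | sort -u
}

# Emit iptables rules that accept those ports only from CLIENT on IFACE,
# so the holes are not opened on every interface.
# Usage: nfs_iptables_rules IFACE CLIENT < rpcinfo-output
nfs_iptables_rules() {
    iface=$1
    client=$2
    nfs_rpc_ports | while read -r proto port; do
        echo "iptables -A INPUT -i $iface -s $client -p $proto --dport $port -j ACCEPT"
    done
}

# Emit the same ports as host,proto,port entries for FW_TRUSTED_NETS
# (exact ports only, no ranges).
# Usage: nfs_trusted_nets CLIENT < rpcinfo-output
nfs_trusted_nets() {
    client=$1
    nfs_rpc_ports | while read -r proto port; do
        printf '%s,%s,%s ' "$client" "$proto" "$port"
    done
    echo
}

# Example run with the constructed interface and client names.
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_iptables_rules eth1 192.168.1.10
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_trusted_nets 192.168.1.10
```

On a real server you would pipe `rpcinfo -p` into the functions instead of the sample. Two caveats: mountd, lockd and statd pick their ports when they start, so unless the server pins them the rules must be regenerated after the server is restarted (the same reason the post's guessed ranges exist); and for NFSv2/3 lock recovery the server also contacts the client's statd, which these inbound rules on the server side do not cover.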