On Wed, 2003-05-14 at 00:32, Togan Muftuoglu wrote:
Option 3. Use it from /etc/sysconfig/scripts/SuSEfirewall2-custom:

    FW_ALLOW_NFS=""

    # These ports will be opened for access by the given host
    # (showmount -e seems to use tcp ports around 1200 damn...
    allow_nfs_ports_in() {
        echo " $1,tcp,111 $1,udp,111 $1,udp,2049 $1,udp,600:1399 $1,udp,2100:2499 "
    }

    # Append one host,proto,port entry per host to FW_TRUSTED_NETS
    if [ -n "$FW_ALLOW_NFS" -a "$FW_ALLOW_NFS" != no ]; then
        for host in $FW_ALLOW_NFS; do
            addnet=( `allow_nfs_ports_in $host` )
            FW_TRUSTED_NETS="$FW_TRUSTED_NETS ${addnet[@]}"
        done
        echo "FW_TRUSTED_NETS=$FW_TRUSTED_NETS"
    fi
Issues: It allows those ports on all interfaces, not just the one you want - if you only have one, fine. Those udp ports are a guess - security won't be much worse by just allowing 600:6000. If your mounts suddenly hang (or the mount times out) check this. It doesn't allow for your MAC address checking.
This is VERY interesting, and I may stick that in my script. What I have done so far is follow this advice:

    # Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
    # from a firewall using this script (well, you can if you include range
    # 600:1023 in FW_SERVICES_EXT_UDP ...).

From what I'm seeing in my messages log file, NFS is acting very "behaved." My NFS server sits on the DMZ (because it used to host a Quake 3 server), and my firewall is a client. It would seem that no matter what happens, the NFS server sits on port 2049, and all clients always use 800. I've never seen NFS clients always use the same port like that. I *like* that, don't get me wrong, but I don't understand why it's happening.

The bottom line is that this (excerpt) is enough to make it work on my network:

    FW_FORWARD="0/0,0/0,udp,2049 0/0,0/0,udp,800"

I suppose I might be a little nervous opening that up to ALL networks, but I didn't want to write 4 separate rules when the fact is that the firewall script is going to make sure that someone's going to have to be *on* the machine -- and not just touch those ports from external -- before they can access the service, and by then, I'm toast anyway.

The weird thing is that if I take out the 600:1023 range from FW_SERVICES_EXT_UDP, it stops working, but it does NOT show any dropped packets in the messages log file (and I'm logging all dropped packets). So I don't understand the failure there. In fact, if I do a tcpdump, I can see packets going back and forth, so they are, in fact, not getting dropped, but it still doesn't work. Very strange.

The other weird thing is that I can leave off the "0/0,0/0,udp,800" above and everything will still work. I will get messages in the log about those dropped packets, but everything acts fine. I have no idea what this means either.

I suppose I should read a book about NFS. I hate NFS. It's the only thing I've seen that can consistently lock up a machine so hard as to need a reboot (because of misconfiguration, I'll admit). The same machine also has samba on it. Perhaps I should just be doing all of this over samba. It's much more resilient to lockups than NFS...

Thanks once again!

dk