How to allow fragmented packets through SuSEfirewall2
My goal here is to allow NFS/NIS traffic through the SuSE Firewall on a 9.1 system.
I did find a useful resource at http://www.lowth.com/LinWiz/nfs_help.html but it is a little out of date (SuSE 7.3). This recommends tying down nfsd (and associated services) to specific ports so that fewer holes need to be opened in the firewall.
Tying down the ports seems quite messy according to the guide, and I'm worried that an automatic update could overwrite one of the altered files and cause something to stop working.
I decided to read through the sysconfig files and init.d scripts in order to work out the best way to open holes in the firewall for NFS and NIS. At this point I noticed that in 9.1 SuSE don't provide any mechanism to assign static ports to rpc services such as rpc.mountd. Instead they simply scan the ports (rpcinfo -p) to build a service-to-port mapping and dynamically add firewall rules for the ports associated with selected services (FW_SERVICES_EXT_RPC in /etc/sysconfig/SuSEfirewall2). This is not only a more elegant solution but also solves the problem where an rpc service has no mechanism for binding to a specific port.
Well done SuSE!
But I now have another problem, due to my lack of experience with configuring SuSEfirewall2...
It is my understanding that as well as opening the appropriate rpc ports and port 111 in the firewall, it is also necessary to allow fragmented packets through. Under RHEL I do this by adding a rule to the start of the INPUT chain: iptables -I INPUT -f -j ACCEPT.
However, I'm not sure how to accomplish this with SuSEfirewall2. I've looked through /etc/sysconfig/SuSEfirewall2 and can't see any easy way to allow fragmented packets through. I've scanned /sbin/SuSEfirewall2 and can't find any reference to fragmented packets there either. I guess I have to create a custom rule via the file specified by FW_CUSTOMRULES - but how do I do that?
So I have two questions:
- If SuSE recognise the need to open up rpc ports for NFS, why do they not provide the functionality to allow packet fragments through?
- Can anyone help me solve this problem right now?
Thanks
-- Simon Oliver
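The following is an added example, not code from the post above or from SuSE's SuSEfirewall2 scripts. It shows the mechanism Simon describes: read the portmapper's registrations (rpcinfo -p) for a chosen set of RPC services, turn them into per-port iptables ACCEPT rules, and emit a fragment rule that is scoped to one interface and UDP rather than the unrestricted `iptables -I INPUT -f -j ACCEPT`. The rpcinfo output embedded in the script is constructed sample data so the script runs offline; the interface name eth0 and the port numbers are illustrative.

```shell
#!/bin/sh
# Added example: build RPC firewall rules from portmapper registrations,
# the way SuSEfirewall2's FW_SERVICES_EXT_RPC handling is described above.

# Constructed sample of `rpcinfo -p` output (illustrative ports), so the
# script runs without a portmapper.  On a live host use:
#   RPCINFO=$(rpcinfo -p)
RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32771  mountd
    100005    1   tcp  32798  mountd
    100005    3   udp  32771  mountd
    100005    3   tcp  32798  mountd
    100021    1   udp  32772  nlockmgr
    100021    3   udp  32772  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100004    2   udp    829  ypserv
    100004    2   tcp    830  ypserv
    100007    2   udp    835  ypbind'

# rpc_ports SERVICE...  -> prints unique "proto port" pairs registered for
# the named RPC services.  The header line is skipped; several program
# versions on the same proto/port collapse to one line.
rpc_ports() {
    printf '%s\n' "$RPCINFO" | awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        NR > 1 && ($5 in keep) && !seen[$3 " " $4]++ { print $3, $4 }'
}

# fw_rules IFACE SERVICE...  -> prints one iptables ACCEPT rule per
# registered proto/port, restricted to the external interface IFACE.
# Nothing is executed; pipe the output to sh once you have reviewed it.
fw_rules() {
    iface=$1; shift
    rpc_ports "$@" | while read -r proto port; do
        printf 'iptables -A INPUT -i %s -p %s --dport %s -j ACCEPT\n' \
            "$iface" "$proto" "$port"
    done
}

# fragment_rule IFACE  -> prints a fragment rule narrower than the RHEL
# one-liner: only non-first fragments (-f) of UDP datagrams arriving on
# IFACE.  Port matches cannot be used here because only the first fragment
# carries the UDP header.
fragment_rule() {
    printf 'iptables -I INPUT -i %s -p udp -f -j ACCEPT\n' "$1"
}

# nfs_ruleset IFACE  -> the complete rule set for an NFS/NIS server:
# portmapper (111), the NFS/NIS RPC services, then the fragment rule.
nfs_ruleset() {
    fragment_rule "$1"
    fw_rules "$1" portmapper nfs mountd nlockmgr ypserv ypbind
}

# Stand-alone usage: print the rules for eth0.
nfs_ruleset eth0
```

Two checks before trusting the output on a real box. First, the port list is only as current as the rpcinfo snapshot: mountd, nlockmgr and the NIS daemons pick fresh ports at every start, so regenerate the rules whenever those services restart (which is why SuSEfirewall2 does the lookup itself at firewall start). Second, the `-f` rule is only useful on a filter that sees raw fragments. Once the connection-tracking module is loaded, the kernel reassembles IP fragments before the filter table sees them, so a `-f` rule never matches there and its counter in `iptables -L INPUT -v -n` stays at zero; if that counter is zero while NFS works, the rule is doing nothing and can be dropped. Where it is needed, keep it scoped to the NFS interface and protocol as above, since an unscoped `-f ACCEPT` lets any non-first fragment past every other rule. How to plug the generated rules into the file named by FW_CUSTOMRULES is an assumption here: the shipped template exposes shell hook functions (fw_custom_before_antispoofing and similar) whose bodies run the iptables commands.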
On Thursday, 12 August 2004 at 11:03, Simon Oliver wrote:
Well, this link may interest you!!!
Johan
Here's the link: http://susefaq.sourceforge.net/guides/fw_manual.html
participants (2)
- Johan Nielsen
- Simon Oliver