firewals package and NFS
Hi!

I've got a little problem with the firewals package. Everything works fine, but now I want to import filesystems from another computer in the LAN, and it seems to me that the firewall is denying all TCP/IP packages which should be sent to the network.

So my question is: Which services must I allow in rc.firewall.conf so that NFS packages get through the firewall? (I'm using SUSE Linux 6.3 with Kernel NFS)

Thanx
Benjamin Jungbluth
I don't use the firewals package, but almost all ipchains firewalls I have seen have specific port blocks for NFS, Samba and Microsoft SQL. This should not apply to your LAN, though. Look at the actual script and see whether it blocks them out.

On Sun, 30 Jul 2000, root wrote:
Date: Sun, 30 Jul 2000 23:15:12 +0200
From: root <dustbin@bing.net>
To: suse-security@suse.com
Subject: [suse-security] firewals package and NFS
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Noah ksemat@eahd.or.ug
Hi,

First, if you are searching for port numbers, they are available in /etc/services.

Second, if you are not sure if your firewall is blocking something, enable logging for DENIED packages. This helps much in most cases.

Third, nfs may be on port 2049 - or on port 1110 (please verify that in your /etc/services).

ksemat@wawa.eahd.or.ug wrote:
-- Stefan Bauer
Third, nfs may be on port 2049 - or on port 1110 (please verify that in your /etc/services).
NFS is an RPC service. This implies that the port numbers are subject to change / are not necessarily the same every time the service starts. Take a look at the output from `rpcinfo -p' and the manpages. It is not only port 2049 that has to be taken into account. Filter rules for NFS traffic can thereby only be dynamic rules, set up automatically or manually. This might be very difficult to handle, which is why most admins choose not to let the traffic pass in any way. In addition, the amount of code involved in NFS and RPC is by far not negligible, and it is complicated. The likelihood of finding security-related bugs may be higher in bigger packages than in others.
Thanks,
Roman.

--
Roman Drahtmüller <draht@suse.de>
SuSE GmbH - Security
Nürnberg, Germany
Phone: +49-911-740530
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
On Mon, Jul 31, 2000 at 13:28 +0200, Stefan Bauer wrote:
Third, nfs may be on port 2049 - or on port 1110 (please verify that in your /etc/services).
Doesn't NFS work via RPC? If so, it can be listening anywhere and the "multiplexer" portmap on port 111 is the only entrance there. Maybe /etc/rpc gives clues, but rpcinfo(8) is the only and definitive answer.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
The NFS client is supposed to get the port from the portmapper running on the server machine. Some NFS clients don't use the port number supplied by the portmapper; they ignore what the portmapper says and look for the NFS service on port 2049.

You can get the portmapper to tell you which services are registered and which port they are listening on with the following command:

% rpcinfo -p server.host.name

Steven
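As an added example, not code from any of the posters or from the firewals package, the following POSIX sh script ties Roman's point (NFS needs several RPC ports, most of which are assigned when the service starts) to Steven's `rpcinfo -p` command and Stefan's advice to log denied packets. It parses a constructed sample of `rpcinfo -p` output, derives the protocol/port pairs a client needs for portmapper, nfs, mountd, nlockmgr and status, prints ipchains rules as text that admit those ports only to and from one LAN server (192.168.1.10 is an assumed placeholder address), and summarises constructed kernel log lines written in the ipchains `-l` style so blocked traffic can be matched against the rpcinfo listing. Nothing is applied to the kernel; the rules are printed for review.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates ipchains rules for NFS
# from a snapshot of `rpcinfo -p SERVER` output and summarises DENY log lines.

# Constructed sample of `rpcinfo -p` output (not captured from a real server).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp   1023  mountd
    100005    1   tcp   1020  mountd
    100021    1   udp   1030  nlockmgr
    100024    1   udp    913  status'

# Constructed kernel log lines in the ipchains "-l" format (not real traffic).
SAMPLE_LOG='Jul 31 00:12:01 client kernel: Packet log: input DENY eth0 PROTO=17 192.168.1.10:2049 192.168.1.5:1025 L=116 S=0x00 I=0 F=0x0000 T=64 (#5)
Jul 31 00:12:03 client kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.10:1020 192.168.1.5:1023 L=60 S=0x00 I=0 F=0x4000 T=64 (#5)
Jul 31 00:12:05 client kernel: Packet log: input ACCEPT eth0 PROTO=17 192.168.1.10:111 192.168.1.5:1026 L=100 S=0x00 I=0 F=0x0000 T=64 (#2)'

# Read rpcinfo -p output on stdin; print unique "proto port" pairs for the
# RPC programs an NFS client talks to. Ports other than 111 and 2049 are
# assigned at service start, which is why this must be re-run after a restart.
nfs_ports_from_rpcinfo() {
    awk '$5 ~ /^(portmapper|nfs|mountd|nlockmgr|status)$/ { print $3, $4 }' | sort -u
}

# Read rpcinfo -p output on stdin; print ipchains rules (text only, nothing is
# applied) that admit those ports only to and from the one LAN server given.
ipchains_rules_for_lan() {
    server="$1"   # assumed placeholder address, e.g. 192.168.1.10
    nfs_ports_from_rpcinfo | while read -r proto port; do
        # replies from the server arrive with the service port as source port
        printf 'ipchains -A input -p %s -s %s %s -j ACCEPT\n' "$proto" "$server" "$port"
        # requests to the server carry the service port as destination port
        printf 'ipchains -A output -p %s -d %s %s -j ACCEPT\n' "$proto" "$server" "$port"
    done
}

# Read kernel log lines on stdin; print one "proto src:port dst:port" line per
# DENY entry so blocked NFS/RPC traffic can be matched against rpcinfo output.
denied_summary() {
    awk '/Packet log:/ && /DENY/ {
        proto = "?"; src = "?"; dst = "?"
        for (i = 1; i <= NF; i++)
            if ($i ~ /^PROTO=/) { proto = substr($i, 7); src = $(i + 1); dst = $(i + 2) }
        if (proto == 17) proto = "udp"; else if (proto == 6) proto = "tcp"
        print proto, src, dst
    }'
}

printf '%s\n' "$SAMPLE_RPCINFO" | ipchains_rules_for_lan 192.168.1.10
printf '%s\n' "$SAMPLE_LOG" | denied_summary
```

On a real client you would feed `rpcinfo -p server.host.name` into `ipchains_rules_for_lan` instead of the sample, review the printed rules, and regenerate them whenever the server restarts, because mountd, nlockmgr and status pick new ports each time; the DENY summary shows which server port a blocked reply came from, which is the quickest way to see which registration is missing from the rule set.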
participants (6)
- Gerhard Sittig
- ksemat@wawa.eahd.or.ug
- Roman Drahtmueller
- root
- Stefan Bauer
- steven@void.org