Dan wrote:
BandiPat wrote:
On Saturday 29 January 2005 01:38 am, Dan wrote:
==========
Dan, when you set up the NFS server & client, did you check the entry for "Open port for firewall"? I think that is supposed to take care of any firewall problems when running, doesn't it? This is all handled within the YaST2 setup of both. I ask because the one I most recently set up gave me the same problems until I checked that selection.
Hi Lee. I appreciate your feedback. Could you please be more specific? I didn't tick "Open port for firewall" - where do I find that in YaST? Regards, Dan
==============
OK, start up YaST2 from the shell, like this: kdesu yast2
That will put you in root mode automatically without having to enter your root password for each module you want to use. Once it opens, go to Network Services > NFS Client or Server. Start the one you want to set up. Your next window should have "Open port for firewall". Also, you can add the directories you want to work with from your server side. This is the Client, of course. You need to specify the directories on your server first, though. You will also find "Open port for firewall" there too.
Lee
Hi there Lee! I don't have the "Open port for firewall" option in my YaST. I have SuSE 9.0 installed.
:-(
I ran this command:

    rpcinfo -p

output:

       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100024    1   udp    961  status
        100024    1   tcp    964  status
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        100003    2   tcp   2049  nfs
        100003    3   tcp   2049  nfs
        100021    1   udp  25426  nlockmgr
        100021    3   udp  25426  nlockmgr
        100021    4   udp  25426  nlockmgr
        100021    1   tcp  20249  nlockmgr
        100021    3   tcp  20249  nlockmgr
        100021    4   tcp  20249  nlockmgr
        100005    1   udp    976  mountd
        100005    1   tcp    979  mountd
        100005    2   udp    976  mountd
        100005    2   tcp    979  mountd
        100005    3   udp    976  mountd
        100005    3   tcp    979  mountd
So I tried opening all of the above-mentioned ports and still no go. I can only get a connection if I turn the firewall off.
This is a tough situation since the NFS daemons use portmapper, which assigns them the next available open port at service startup. Every time the service restarts it will use a different port. In the past I've just kept opening up ports based on my log of dropped packets. This is an ugly solution at best. I've recently been trying to find a better way but I haven't been completely successful. Here's where I'm at:

Current method
1. Insert a logging rule in front of any "drop" rule using the same parameters, and a log rule at the end of any table that has a default policy of drop. This way you always know when the firewall drops a packet.
2. Try to connect from the client. Check the log and see what port was blocked. Open the port and repeat.

New method
I've learned that in recent kernels the NFS daemons can be forced to use a pre-selected port using the -p xxxx parameter. Once the daemon is locked down to a specific port, simply open that port and you're done (in theory). This link explains how to do this: http://nfs.sourceforge.net/nfs-howto/ Look in this section: http://nfs.sourceforge.net/nfs-howto/security.html#FIREWALLS

Now, the reality is that SuSE uses modified versions of these services and it won't work exactly as described. I'm still playing around with this, but so far I've only been successful with the mountd daemon. If anyone else has been successful using -p to assign ports I'd love to know how you did it.

Jeff
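The "current method" above (find the ports the RPC services landed on, open them, repeat after every restart) can at least be scripted instead of read off the drop log. The script below is an added example written for this thread, not code from any of the posters or from SuSE: it parses the `rpcinfo -p` table Dan posted (re-typed here as constructed sample input), collapses the per-version duplicates to distinct proto/port endpoints, and prints iptables ACCEPT rules restricted to an assumed client subnet (192.168.1.0/24 is a placeholder). It also prints the LOG-before-DROP pair Jeff describes in step 1. The rules are printed rather than executed so they can be reviewed; because portmapper hands mountd, statd and nlockmgr new ports on every restart, the output has to be regenerated whenever the NFS services restart, which is exactly the weakness the fixed-port approach is meant to remove.

```shell
#!/bin/sh
# Added example for this thread: turn the ports rpcinfo -p reports into
# firewall rules. Not SuSE or YaST code; the subnet is an assumed value.

# Constructed sample input: the rpcinfo -p table from Dan's post.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    961  status
    100024    1   tcp    964  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  25426  nlockmgr
    100021    3   udp  25426  nlockmgr
    100021    4   udp  25426  nlockmgr
    100021    1   tcp  20249  nlockmgr
    100021    3   tcp  20249  nlockmgr
    100021    4   tcp  20249  nlockmgr
    100005    1   udp    976  mountd
    100005    1   tcp    979  mountd
    100005    2   udp    976  mountd
    100005    2   tcp    979  mountd
    100005    3   udp    976  mountd
    100005    3   tcp    979  mountd'

# nfs_endpoints: read rpcinfo -p output on stdin and print one
# "proto port service" line per distinct endpoint. The header line has only
# four fields, so NF == 5 skips it; the seen[] array drops the duplicate
# rows that different protocol versions of the same daemon produce.
nfs_endpoints() {
    awk 'NF == 5 && $5 ~ /^(portmapper|nfs|mountd|status|nlockmgr)$/ {
             key = $3 " " $4
             if (!(key in seen)) { seen[key] = 1; print $3, $4, $5 }
         }'
}

# iptables_rules: turn the endpoint list on stdin into iptables ACCEPT rules
# limited to the client subnet given as $1. Printed, not executed.
iptables_rules() {
    subnet="$1"
    while read -r proto port svc; do
        printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT  # %s\n' \
            "$subnet" "$proto" "$port" "$svc"
    done
}

# log_then_drop: emit a LOG rule immediately before a DROP rule with the same
# match ($1), so every packet that rule drops leaves a line in the kernel log.
log_then_drop() {
    match="$1"
    printf 'iptables -A INPUT %s -j LOG --log-prefix "FW-DROP: "\n' "$match"
    printf 'iptables -A INPUT %s -j DROP\n' "$match"
}

# count_endpoints: number of distinct proto/port pairs in the sample.
count_endpoints() {
    printf '%s\n' "$RPCINFO_SAMPLE" | nfs_endpoints | wc -l | tr -d ' '
}

# Usage: on a live host replace the sample with `rpcinfo -p | nfs_endpoints`.
printf '%s\n' "$RPCINFO_SAMPLE" | nfs_endpoints | iptables_rules 192.168.1.0/24
# Trailing catch-all for a chain whose policy is DROP (Jeff's step 1).
log_then_drop '-s 192.168.1.0/24'
```

The distinct-endpoint step matters: the sample table has twenty rows but only ten proto/port pairs, and opening ports by version-row (as Dan did by hand) is easy to get wrong. The `-s` restriction is the part a practitioner should not drop: portmapper on 111 and mountd answer to any host that can reach them, so the ACCEPT rules should name the NFS clients rather than opening the ports to the world.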