SuSEfirewall2 and NFS mounts
Hi All,

Just wondered if anyone had any thoughts on how to use SuSEfirewall with drives mounted using NFS. My experience is that once the firewall is activated I am unable to mount my home area and other exported drives. I am basically configuring the firewall through YaST with the option to protect against internal networks unselected.

Thanks,
Eddie
On 03.09.03 at 15:51, eddie wrote:
> Just wondered anyone had any thoughts on how to use of SuSEfirewall with drives mounted using NFS. My experience is that once the firewall is
For SuSEfirewall2:

    FW_SERVICES_INT_TCP="sunrpc sd ident"
    FW_SERVICES_INT_UDP="sunrpc 1028 nfs"

More or less.
> activated I am unable to mount my home area and other exported drives. I am
You just have to notice in the log what gets rejected as you activate nfs client on the other side, and enable those ports in the firewall. And/or use iptraf/ethereal/whatever to track it.
> basically configuring the firewall through yast with the option to protect against internal networks unselected.
I don't use yast for that job; only once, then, my turn.

--
Cheers,
Carlos Robinson
* eddie; <eddie.howson@dsl.pipex.com> on 03 Sep, 2003 wrote:
> Just wondered anyone had any thoughts on how to use of SuSEfirewall with drives mounted using NFS. My experience is that once the firewall is activated I am unable to mount my home area and other exported drives.
This should work:

    # Space-separated list of NFS client hosts allowed in; empty or "no" disables it.
    FW_ALLOW_NFS=""

    # These ports will be opened for access by the given host
    # (showmount -e seems to use tcp ports around 1200 damn...
    allow_nfs_ports_in() {
        echo " $1,tcp,111 $1,udp,111 $1,udp,2049 $1,udp,600:1399 $1,udp,2100:2499 "
    }

    # Append one "host,proto,port" entry per port to FW_TRUSTED_NETS for each allowed host.
    if [ -n "$FW_ALLOW_NFS" -a "$FW_ALLOW_NFS" != no ]; then
        for host in $FW_ALLOW_NFS; do
            addnet=( `allow_nfs_ports_in $host` )
            FW_TRUSTED_NETS="$FW_TRUSTED_NETS ${addnet[@]}"
        done
        echo "FW_TRUSTED_NETS=$FW_TRUSTED_NETS"
    fi

Issues:
- It allows those ports on all interfaces, not just the one you want - if you only have one, fine.
- Those udp ports are a guess - security won't be much worse by just allowing 600:6000. If your mounts suddenly hang (or the mount times out) check this.
- It doesn't allow for your MAC address checking.

This info comes from a user reply from the suse-security mailing list. Your other options are binding a specific port for mountd, statd
> basically configuring the firewall through yast with the option to protect against internal networks unselected.
What you are trying to achieve is not what the YaST2 interface is designed for. That interface is for simple setups.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
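As an added example (not code from this thread or from SuSEfirewall2 itself), a small shell script that covers both approaches above: it turns a list of NFS client hosts into FW_TRUSTED_NETS entries in the host,proto,port form Togan's snippet uses, and it extracts source, protocol and destination port from SuSEfirewall2 DROP log lines so the ports Carlos suggests reading out of the log can be listed directly. The log lines are constructed samples in the netfilter LOG layout with the SFW2 prefix, the host 192.168.1.20 is made up, and the entry list goes beyond the snippet above by adding tcp/2049 for TCP mounts.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2 itself.
# Ports a classic NFS client needs on the server side: portmapper
# (111), nfsd (2049) and the dynamic range mountd/statd/lockd may use
# unless they are pinned to fixed ports. One "host,proto,port" entry
# per line, in the form FW_TRUSTED_NETS expects.
nfs_trusted_entries() {
    h="$1"
    printf '%s\n' \
        "$h,tcp,111" "$h,udp,111" \
        "$h,tcp,2049" "$h,udp,2049" \
        "$h,udp,600:1399" "$h,udp,2100:2499"
}

# Constructed sample of SuSEfirewall2 log lines (iptables LOG target with
# the SFW2 prefix); one accepted line is included to show it is ignored.
SAMPLE_LOG='Sep  3 15:51:02 nfssrv kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 PROTO=UDP SPT=800 DPT=111
Sep  3 15:51:02 nfssrv kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 PROTO=UDP SPT=801 DPT=2049
Sep  3 15:51:03 nfssrv kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=1023 DPT=1200
Sep  3 15:51:03 nfssrv kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=1024 DPT=22'

# Print "src,proto,dport" for every dropped packet, de-duplicated, so each
# line can be pasted straight into FW_TRUSTED_NETS after review.
dropped_entries() {
    awk '/SFW2-.*-DROP/ {
        src = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "" && proto != "" && dpt != "") print src "," proto "," dpt
    }' | LC_ALL=C sort -u
}

# Usage: entries for one client, then what the log says was blocked.
nfs_trusted_entries 192.168.1.20 | tr '\n' ' '; echo
printf '%s\n' "$SAMPLE_LOG" | dropped_entries
```

Entries produced from the log still belong only to the client hosts you expect; a dropped port from an unknown source is a reason to look closer, not to open it.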
participants (3)
- Carlos E. R.
- eddie
- Togan Muftuoglu