Firewall headaches with NFS
HI there all. Snowy weather over here in Denmark. What's the weather like where you are?

I have been trying to set up an NFS server and an NFS client this afternoon. Two linux machines. I can get it to work via YAST on both machines but only if I DEACTIVATE the firewall on the server. (there is no firewall running on the client, though I'd like to set that up as well at some point.) I have been surfing the net trying to find out what ports to open and have discovered that the NFS ports are dynamic. I tried opening ports 111, 2049 as well as 2100:2499 and 600:1399 but still without success. The client can only connect to the server if the firewall is off.

Any ideas? Sorry, this is probably just a stupid newbie question! Hope you can help.

Regards, Dan
I haven't actually tested this, but on my (SuSE 9.2) system the /etc/sysconfig/SuSEfirewall2 file exhibited the following difference after YaST was instructed to adjust the firewall for system use as an NFS server:

< FW_SERVICES_EXT_RPC=""
---
> FW_SERVICES_EXT_RPC="mountd nfs nfs_acl nlockmgr status"
On Friday 28 January 2005 12:37 pm, Dan wrote:
HI there all. Snowy weather over here in Denmark. What's the weather like where you are?
I have been trying to set up an NFS server and an NFS client this afternoon. Two linux machines. I can get it to work via YAST on both machines but only if I DEACTIVATE the firewall on the server. (there is no firewall running on the client, though I'd like to set that up as well at some point.) I have been surfing the net trying to find out what ports to open and have discovered that the NFS ports are dynamic. I tried opening ports 111, 2049 as well as 2100:2499 and 600:1399 but still without success. The client can only connect to the server if the firewall is off.
Any ideas? Sorry, this is probably just a stupid newbie question! Hope you can help.
Regards, Dan ==========
Dan,

When you set up the NFS server & client, did you check the entry for "Open port for firewall"? I think that is supposed to take care of any firewall problems when running, doesn't it? This is all handled within YaST2 setup of both. I ask, because the one I most recently set up gave me the same problems, until I checked that selection.

regards,
Lee
--
--- KMail v1.7.2 --- SuSE Linux Pro v9.2 --- Registered Linux User #225206
"Don't let the fear of striking out keep you from playing the game!"
BandiPat wrote:
On Friday 28 January 2005 12:37 pm, Dan wrote:
HI there all. Snowy weather over here in Denmark. What's the weather like where you are?
I have been trying to set up an NFS server and an NFS client this afternoon. Two linux machines. I can get it to work via YAST on both machines but only if I DEACTIVATE the firewall on the server. (there is no firewall running on the client, though I'd like to set that up as well at some point.) I have been surfing the net trying to find out what ports to open and have discovered that the NFS ports are dynamic. I tried opening ports 111, 2049 as well as 2100:2499 and 600:1399 but still without success. The client can only connect to the server if the firewall is off.
Any ideas? Sorry, this is probably just a stupid newbie question! Hope you can help.
Regards, Dan
==========
Dan, When you set up the NFS server & client, did you check the entry for "Open port for firewall"? I think that is supposed to take care of any firewall problems when running, doesn't it? This is all handled within YaST2 setup of both. I ask, because the one I most recently set up gave me the same problems, until I checked that selection.
Hi Lee. I appreciate your feedback. Could you please be more specific? I didn't tick "Open port for firewall" - where do I find that in YAST? Regards, Dan
On Saturday 29 January 2005 01:38 am, Dan wrote:
==========
Dan, When you set up the NFS server & client, did you check the entry for "Open port for firewall"? I think that is supposed to take care of any firewall problems when running, doesn't it? This is all handled within YaST2 setup of both. I ask, because the one I most recently set up gave me the same problems, until I checked that selection.
Hi Lee. I appreciate your feedback. Could you please be more specific? I didn't tick "Open port for firewall" - where do I find that in YAST? Regards, Dan
==============
Ok, start up YaST2 from the shell, like this:

kdesu yast2

That will put you in the root mode automatically without having to enter your root password for each module you want to use. Once it opens, go to Network Services > NFS Client or Server. Start the one you want to setup. Your next window should have the Open port for firewall. Also, you can add the directories you want to work with from your server side. This is Client of course. You need to specify the directories on your server first though. You will also find the open port for firewall there too.

Lee
--
--- KMail v1.7.2 --- SuSE Linux Pro v9.2 --- Registered Linux User #225206
"Don't let the fear of striking out keep you from playing the game!"
BandiPat wrote:
On Saturday 29 January 2005 01:38 am, Dan wrote:
==========
Dan, When you set up the NFS server & client, did you check the entry for "Open port for firewall"? I think that is supposed to take care of any firewall problems when running, doesn't it? This is all handled within YaST2 setup of both. I ask, because the one I most recently set up gave me the same problems, until I checked that selection.
Hi Lee. I appreciate your feedback. Could you please be more specific? I didn't tick "Open port for firewall" - where do I find that in YAST? Regards, Dan
==============
Ok, start up YaST2 from the shell, like this: kdesu yast2
That will put you in the root mode automatically without having to enter your root password for each module you want to use. Once it opens, go to Network Services > NFS Client or Server. Start the one you want to setup. Your next window should have the Open port for firewall. Also, you can add the directories you want to work with from your server side. This is Client of course. You need to specify the directories on your server first though. You will also find the open port for firewall there too.
Lee
Hi there Lee! I don't have the "Open port for firewall" option in my YAST. I have SuSE 9.0 installed. :-(

I ran this command:

rpcinfo -p

output:

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    961  status
    100024    1   tcp    964  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  25426  nlockmgr
    100021    3   udp  25426  nlockmgr
    100021    4   udp  25426  nlockmgr
    100021    1   tcp  20249  nlockmgr
    100021    3   tcp  20249  nlockmgr
    100021    4   tcp  20249  nlockmgr
    100005    1   udp    976  mountd
    100005    1   tcp    979  mountd
    100005    2   udp    976  mountd
    100005    2   tcp    979  mountd
    100005    3   udp    976  mountd
    100005    3   tcp    979  mountd

so I tried opening all of the above mentioned ports and still no go. I can only get a connection if I turn the firewall off.
Dan wrote:
BandiPat wrote:
On Saturday 29 January 2005 01:38 am, Dan wrote:
==========
Dan, When you set up the NFS server & client, did you check the entry for "Open port for firewall"? I think that is supposed to take care of any firewall problems when running, doesn't it? This is all handled within YaST2 setup of both. I ask, because the one I most recently set up gave me the same problems, until I checked that selection.
Hi Lee. I appreciate your feedback. Could you please be more specific? I didn't tick "Open port for firewall" - where do I find that in YAST? Regards, Dan
==============
Ok, start up YaST2 from the shell, like this: kdesu yast2
That will put you in the root mode automatically without having to enter your root password for each module you want to use. Once it opens, go to Network Services > NFS Client or Server. Start the one you want to setup. Your next window should have the Open port for firewall. Also, you can add the directories you want to work with from your server side. This is Client of course. You need to specify the directories on your server first though. You will also find the open port for firewall there too.
Lee
Hi there Lee! I don't have the "Open port for firewall" option in my YAST. I have SuSE 9.0 installed.
:-(
I ran this command:
rpcinfo -p

output:

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    961  status
    100024    1   tcp    964  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  25426  nlockmgr
    100021    3   udp  25426  nlockmgr
    100021    4   udp  25426  nlockmgr
    100021    1   tcp  20249  nlockmgr
    100021    3   tcp  20249  nlockmgr
    100021    4   tcp  20249  nlockmgr
    100005    1   udp    976  mountd
    100005    1   tcp    979  mountd
    100005    2   udp    976  mountd
    100005    2   tcp    979  mountd
    100005    3   udp    976  mountd
    100005    3   tcp    979  mountd
so I tried opening all of the above mentioned ports and still no go. I can only get a connection if I turn the firewall off.
This is a tough situation since the nfs daemons use portmapper which assigns them the next available open port at service startup. Every time the service restarts it will use a different port. In the past I've just kept opening up ports based on my log of dropped packets. This is an ugly solution at best. I've recently been trying to find a better way but I haven't been completely successful. Here's where I'm at:

Current method

1. Insert a logging rule in front of any "drop" rule using the same parameters and a log rule at the end of any table that has a default policy of drop. This way you always know when the firewall drops a packet.

2. Try to connect from the client. Check the log and see what port was blocked. Open port and repeat.

New Method

I've learned that in recent kernels the nfs daemons can be forced to use a pre-selected port using the -p xxxx parameter. Once the daemon is locked down to a specific port simply open that port and you're done (in theory). This link explains how to do this:

http://nfs.sourceforge.net/nfs-howto/

Look in this section:

http://nfs.sourceforge.net/nfs-howto/security.html#FIREWALLS

Now, the reality is that SuSE uses modified versions of these services and it won't work exactly as described. I'm still playing around with this but so far I've only been successful with the mountd daemon. If anyone else has been successful using -p to assign ports I'd love to know how you did it.

Jeff
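The port hunting Jeff describes (and the service-name resolution that the FW_SERVICES_EXT_RPC line from the SuSEfirewall2 diff relies on) gets less blind if the drop log is matched against the portmapper table. This is an added example, not code from the thread or from SuSEfirewall2: it uses the rpcinfo -p table Dan posted together with a few constructed iptables LOG lines (the FW-DROP prefix, host name and addresses are assumptions) and names the RPC service each dropped packet was aimed at.

```shell
#!/bin/sh
# Added example, not from the thread: map firewall drop-log lines back to the
# RPC services registered with portmapper, so the log step in Jeff's "current
# method" names the daemon (mountd, nlockmgr, ...) instead of a bare port.

# rpcinfo -p table as posted in the thread (duplicate versions trimmed).
RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    961  status
    100024    1   tcp    964  status
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp  25426  nlockmgr
    100021    4   tcp  20249  nlockmgr
    100005    3   udp    976  mountd
    100005    3   tcp    979  mountd'

# Constructed kernel log lines, as written by an iptables rule such as
#   -j LOG --log-prefix "FW-DROP "   (prefix, host and addresses are made up).
FWLOG='Jan 29 13:02:11 nfsserv kernel: FW-DROP IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 PROTO=UDP SPT=800 DPT=976 LEN=120
Jan 29 13:02:11 nfsserv kernel: FW-DROP IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP SPT=801 DPT=20249 WINDOW=5840
Jan 29 13:02:12 nfsserv kernel: FW-DROP IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP SPT=802 DPT=2049 WINDOW=5840
Jan 29 13:02:13 nfsserv kernel: FW-DROP IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840'

# rpc_ports NAME... : unique proto/port pairs currently registered for the
# named RPC services; this is what FW_SERVICES_EXT_RPC resolves at rule load.
rpc_ports() {
    printf '%s\n' "$RPCINFO" | awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        NR > 1 && ($5 in ok) { print $3 "/" $4 }' | LC_ALL=C sort -u
}

# dropped_rpc : one "proto/port service" line per dropped packet; ports that
# belong to no registered RPC program are reported with "-".
dropped_rpc() {
    printf '%s\n' "$FWLOG" | awk -v table="$RPCINFO" '
        BEGIN {
            n = split(table, rows, "\n")
            for (i = 2; i <= n; i++) { split(rows[i], f, " "); svc[f[3] "/" f[4]] = f[5] }
        }
        /FW-DROP/ {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            key = proto "/" dpt
            print key, ((key in svc) ? svc[key] : "-")
        }'
}

rpc_ports mountd nfs nlockmgr status   # the services behind FW_SERVICES_EXT_RPC
dropped_rpc
```

Because nlockmgr, status and mountd get fresh ports from portmapper on every restart, the rpc_ports list has to be regenerated after each service restart, which is exactly why a static port range in the firewall keeps failing.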
Jeffrey Laramie wrote:
This is a tough situation since the nfs daemons use portmapper which assigns them the next available open port at service startup. Every time the service restarts it will use a different port. In the past I've just kept opening up ports based on my log of dropped packets. This is an ugly solution at best. I've recently been trying to find a better way but I haven't been completely successful. Here's where I'm at:
Current method

1. Insert a logging rule in front of any "drop" rule using the same parameters and a log rule at the end of any table that has a default policy of drop. This way you always know when the firewall drops a packet.
2. Try to connect from the client. Check the log and see what port was blocked. Open port and repeat.
You might want to test the latest SuSEfirewall2 and see if this helps. There has been a lot that's changed since 9.0, especially in this area. Check it out at
ftp://ftp.oregonstate.edu/pub/suse/people/lnussel/SuSEfirewall2/SuSEfirewall2-3.3-6.noarch.rpm

Disclaimer, these are not officially supported packages, so if it does not work in some way your feedback would be appreciated I'm sure. I have been using it for a few weeks now on 9.2 and it seems to work very well.

HTH
--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Registered Linux user 231871
On Saturday 29 January 2005 12:28 pm, Dan wrote:
BandiPat wrote:
[...]
==============
Ok, start up YaST2 from the shell, like this: kdesu yast2
That will put you in the root mode automatically without having to enter your root password for each module you want to use. Once it opens, go to Network Services > NFS Client or Server. Start the one you want to setup. Your next window should have the Open port for firewall. Also, you can add the directories you want to work with from your server side. This is Client of course. You need to specify the directories on your server first though. You will also find the open port for firewall there too.
Lee
Hi there Lee! I don't have the "Open port for firewall" option in my YAST. I have SuSE 9.0 installed.
:-(
[...]
so I tried opening all of the above mentioned ports and still no go. I can only get a connection if I turn the firewall off.
============
Ok, Dan,

One more try, but let's attack the problem through the firewall instead. Again, open YaST2, using the method I described before and go to the Security and Users > Firewall module. This helps you setup SuSEfirewall2 and should provide you with the tools to get the NFS ports open. Referring back to my 9.0 Admin manual, I couldn't find anything in the NFS section, but looked at the firewall section. That's where I remembered one could setup for different services, etc. to give others access to certain things. Now I can't confirm this will help, as I haven't or needed to go in this direction. I think it should help though as not that much has changed here from 9.0 to 9.2. Time to update? ;o)

luck,
Lee
--
--- KMail v1.7.2 --- SuSE Linux Pro v9.2 --- Registered Linux User #225206
"Don't let the fear of striking out keep you from playing the game!"
BandiPat wrote:
On Saturday 29 January 2005 12:28 pm, Dan wrote:
BandiPat wrote:
[...]
==============
Ok, start up YaST2 from the shell, like this: kdesu yast2
That will put you in the root mode automatically without having to enter your root password for each module you want to use. Once it opens, go to Network Services > NFS Client or Server. Start the one you want to setup. Your next window should have the Open port for firewall. Also, you can add the directories you want to work with from your server side. This is Client of course. You need to specify the directories on your server first though. You will also find the open port for firewall there too.
Lee
Hi there Lee! I don't have the "Open port for firewall" option in my YAST. I have SuSE 9.0 installed.
:-(
[...]
so I tried opening all of the above mentioned ports and still no go. I can only get a connection if I turn the firewall off.
============
Ok, Dan, One more try, but let's attack the problem through the firewall instead. Again, open YaST2, using the method I described before and go to the Security and Users > Firewall module. This helps you setup SuSEfirewall2 and should provide you with the tools to get the NFS ports open. Referring back to my 9.0 Admin manual, I couldn't find anything in the NFS section, but looked at the firewall section. That's where I remembered one could setup for different services, etc. to give others access to certain things. Now I can't confirm this will help, as I haven't or needed to go in this direction.
HI Lee. Thanks for your input. NFS is not one of the services that can be allowed in YAST. I have actually given up and switched my SuSEfirewall off now :-( I have a hardware firewall in the router, so I guess that I will just have to rely upon that. Regards, Dan
I think it should help though as not that much has changed here from 9.0 to 9.2. Time to update? ;o)
luck, Lee
Dan wrote:
<snip>
| I have actually given up and switched my SuSEfirewall off now :-(
| I have a hardware firewall in the router, so I guess that I will just
| have to rely upon that.
| Regards,
| Dan

Hi Dan,

Have you heard of Guarddog? It's a GUI firewall builder (a front end to ipchains and iptables) that's really a lot more fun to work/experiment/play around with than the raw tables and confusing config files, themselves -- at least for dislxi... er, dysxl... er, dislxics... ahem... dyslexics like me :-) It has great documentation, too. And Packman has an rpm for SuSE 9.0 right here:

http://packman.links2linux.com/index.php4?action=402&vn=3

good luck!

- Carl

--
____________________________________________________________________
C. E. Hartung  Business Development & Support Services
http://www.cehartung.com/  carlh@cehartung.com
Dover Foxcroft, Maine, USA
Public Key #0x68396713  Reg. Linux User #350527  http://counter.li.org/
Carl E. Hartung wrote:
Dan wrote:
<snip>
| I have actually given up and switched my SuSEfirewall off now :-(
| I have a hardware firewall in the router, so I guess that I will just
| have to rely upon that.
| Regards,
| Dan
Hi Dan,
Have you heard of Guarddog? It's a GUI firewall builder (a front end to ipchains and iptables) that's really a lot more fun to work/experiment/play around with than the raw tables and confusing config files, themselves -- at least for dislxi... er, dysxl... er, dislxics... ahem... dyslexics like me :-) It has great documentation, too. And Packman has an rpm for SuSE 9.0 right here:
http://packman.links2linux.com/index.php4?action=402&vn=3
good luck!
Thanks! I will be looking into it and trying out that package. Dan
- Carl
--
____________________________________________________________________
C. E. Hartung  Business Development & Support Services
http://www.cehartung.com/  carlh@cehartung.com
Dover Foxcroft, Maine, USA
Public Key #0x68396713  Reg. Linux User #350527  http://counter.li.org/
participants (6)
- BandiPat
- Carl E. Hartung
- Dan
- Gary Gapinski
- Jeffrey Laramie
- Joe Morris (NTM)