Ludwig Nussel wrote:
Simon Oliver wrote:
I have a new fileserver running SuSE 9.2. Amongst other services it exports NFS shares. I've used Yast to configure the firewall, checking the NFS option.
I have had problems where remote NFS clients either time out trying to communicate with the server (ping/ssh work fine). After some messing (turn services on and off, flush iptables, etc) it now seems to work.
However I notice some dropped packets from one of the NFS clients:
Mar 15 09:38:55 zzz kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0d:56:b8:5a:f4:08:00:69:0d:9a:2e:08:00 SRC=130.88.xxx.yyy DST=130.88.xxx.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12095 DF PROTO=TCP SPT=757 DPT=2049 WINDOW=32761 RES=0x00 ACK RST URGP=0
Conntrack thinks those packets are invalid for some reason. Do you have the latest kernel available through YaST Online Update? There have been issues with tcp window tracking but I thought they were fixed already.
cu Ludwig
I had different problems with it.
- At first you have to bind nfs and/or the mountdaemon to a defined port (forgot which one gets dynamic port association).
- Afterwards you can set rules for that defined port.
- Now set up trusted_nets as you normally only want some IPs to access your nfs.
A second problem may occur when using mixed kernel and standalone nfs & mount-daemon. Only use kernel with kerneldaemon and standalone with standalone daemon. Not vice versa! If there is a firewall on both machines you have to bind ports on both machines. The problem in that context is that after each reboot or restart of the service the port definition changes (I think of a bind_to_port option) as I set this up somewhere a long time ago.
Regards
Philippe
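Added example, not part of any message in this thread: a small Python triage of the dropped-packet log line quoted above, separating a drop of a reset on a flow that conntrack rejects from a drop of a new connection that would point to a missing port rule. Reading the "-INV" prefix suffix as the conntrack INVALID state is an assumption taken from Ludwig's reply; the function names and category labels are hypothetical.

```python
import re

# Log line from the thread (addresses masked as in the original post).
SAMPLE = ("Mar 15 09:38:55 zzz kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= "
          "MAC=00:0d:56:b8:5a:f4:08:00:69:0d:9a:2e:08:00 SRC=130.88.xxx.yyy "
          "DST=130.88.xxx.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12095 DF "
          "PROTO=TCP SPT=757 DPT=2049 WINDOW=32761 RES=0x00 ACK RST URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_drop(line):
    """Split a netfilter LOG line into prefix, KEY=VALUE fields and TCP flags."""
    m = re.search(r"kernel: (?:\[[^\]]*\] )?(\S+) (IN=.*)$", line)
    if not m:
        return None
    prefix, rest = m.groups()
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
        # Other bare tokens (e.g. DF) are IP-level markers and are ignored.
    return {"prefix": prefix, "fields": fields, "flags": flags}


def triage(rec):
    """Classify a parsed drop; the '-INV' reading is an assumption (see lead-in)."""
    fields, flags = rec["fields"], rec["flags"]
    invalid = rec["prefix"].endswith("-INV")
    if fields.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
        return "new-connection-blocked"   # suggests a missing rule for DPT
    if invalid and "RST" in flags:
        return "conntrack-invalid-reset"  # reset on a flow conntrack rejects
    if invalid:
        return "conntrack-invalid"
    return "other-drop"


if __name__ == "__main__":
    rec = parse_drop(SAMPLE)
    print(rec["fields"]["SRC"], "->", rec["fields"]["DPT"], triage(rec))
```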