Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] SuSE 9.2 + SuSEfirewall2 + nfs problems
  • From: Philippe Vogel <filiaap@xxxxxxxxxx>
  • Date: Tue, 15 Mar 2005 14:49:49 +0100
  • Message-id: <4236E7FD.9040105@xxxxxxxxxx>
Ludwig Nussel wrote:

> Simon Oliver wrote:
>
>> I have a new fileserver running SuSE 9.2. Amongst other services
>> it exports NFS shares. I've used Yast to configure the firewall,
>> checking the NFS option.
>>
>> I have had problems where remote NFS clients either timeout
>> trying to communicate with the server (ping/ssh work fine).
>> After some messing (turn services on and off, flush iptables,
>> etc) it now seems to work.
>>
>> However I notice some dropped packets from one of the NFS
>> clients:
>>
>> Mar 15 09:38:55 zzz kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0d:56:b8:5a:f4:08:00:69:0d:9a:2e:08:00 SRC=130.88.xxx.yyy DST=130.88.xxx.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12095 DF PROTO=TCP SPT=757 DPT=2049 WINDOW=32761 RES=0x00 ACK RST URGP=0
>
>
> Conntrack thinks those packets are invalid for some reason. Do you
> have the latest kernel available through YaST Online Update? There
> have been issues with tcp window tracking but I thought they were
> fixed already.
>
> cu Ludwig
>
I had different problems with it.

- At first you have to bind nfs and/or the mount daemon to a defined
port (forgot which one gets dynamic port association).
- Afterwards you can set rules for that defined port.
- Now set up trusted_nets, as you normally only want some IPs to access
your nfs.

A second problem may occur when using mixed kernel and standalone nfs
& mount daemon. Only use kernel with kernel daemon and standalone with
standalone daemon. Not vice versa!
If there is a firewall on both machines you have to bind ports on both
machines. The problem in that context is that after each reboot or
restart of the service the port definition changes (I think of a
bind_to_port option), as I set this up somewhere a long time ago.

Regards

Philippe

--
This message is digitally signed and contains neither a seal nor a
signature!

Sending unsolicited advertising e-mail to private individuals violates
§1 UWG and 823 I BGB (ruling of the LG Berlin of 2.8.1998, Az:
16 O 201/98). Any commercial use of the transmitted personal data, as
well as passing it on to third parties, is expressly prohibited!
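A check for the first two steps Philippe describes (pin the RPC daemons to fixed ports, then open exactly those ports in the firewall), added here as an example and not code from the thread: given the output of `rpcinfo -p` and the TCP/UDP port lists SuSEfirewall2 opens to external hosts, it lists every RPC service that still listens on a port the firewall does not allow, which is what shows up as dropped NFS traffic after a reboot re-randomises mountd. The `rpcinfo` sample and the two port lists are constructed; the pinned port 4002 is an assumed value.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` on an NFS server where mountd,
# nlockmgr and status still get dynamic ports from the portmapper.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32771  mountd
    100005    3   tcp  32779  mountd
    100021    1   udp  32772  nlockmgr
    100024    1   tcp  32780  status'

# Assumed SuSEfirewall2 allow lists (FW_SERVICES_EXT_TCP / _UDP):
# portmapper, nfs, and the port mountd is supposed to be pinned to.
FW_TCP="111 2049 4002"
FW_UDP="111 2049 4002"

# unpinned_rpc_services RPCINFO_TEXT FW_TCP_PORTS FW_UDP_PORTS
# Prints "service/proto port" for each RPC service (portmapper excluded)
# whose port is not in the allow list for its protocol. No output = clean.
unpinned_rpc_services() {
    printf '%s\n' "$1" | awk -v tcp="$2" -v udp="$3" '
        BEGIN {
            n = split(tcp, a, " "); for (i = 1; i <= n; i++) ok["tcp", a[i]] = 1
            n = split(udp, b, " "); for (i = 1; i <= n; i++) ok["udp", b[i]] = 1
        }
        # data rows: program vers proto port service
        NF == 5 && $1 ~ /^[0-9]+$/ && $5 != "portmapper" {
            if (!(($3, $4) in ok)) printf "%s/%s %s\n", $5, $3, $4
        }' | sort -u
}

unpinned_rpc_services "$RPCINFO_SAMPLE" "$FW_TCP" "$FW_UDP"
```

Run it after each NFS restart; once mountd is started with a fixed port (for example `rpc.mountd -p 4002`) and that port is in both allow lists, the mountd lines disappear and only the remaining dynamic services are reported.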

