Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] SuSE 9.2 + SuSEfirewall2 + nfs problems
  • From: Philippe Vogel <filiaap@xxxxxxxxxx>
  • Date: Tue, 15 Mar 2005 14:49:49 +0100
  • Message-id: <4236E7FD.9040105@xxxxxxxxxx>

Ludwig Nussel wrote:

> Simon Oliver wrote:
>> I have a new fileserver running SuSE 9.2. Amongst other services
>> it exports NFS shares. I've used Yast to configure the firewall,
>> checking the NFS option.
>> I have had problems where remote NFS clients either timeout
>> trying to communicate with the server (ping/ssh work fine).
>> After some messing (turn services on and off, flush iptables,
>> etc) it now seems to work.
>> However I notice some dropped packets from one of the NFS
>> clients:
>> Mar 15 09:38:55 zzz kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0d:56:b8:5a:f4:08:00:69:0d:9a:2e:08:00 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12095 DF PROTO=TCP SPT=757 DPT=2049 WINDOW=32761 RES=0x00 ACK RST URGP=0
> Conntrack thinks those packets are invalid for some reason. Do you
> have the latest kernel available through YaST Online Update? There
> have been issues with tcp window tracking but I thought they were
> fixed already.
> cu Ludwig
I had different problems with it.

- At first you have to bind nfs and/or the mount daemon to a defined
port (I forgot which one gets the dynamic port assignment).
- Afterwards you can set rules for that defined port.
- Now set up trusted_nets, as you normally only want some IPs to access
your NFS.

A second problem may occur when using mixed kernel and standalone nfs
& mount daemon. Only use the kernel nfs with the kernel daemon and the
standalone one with the standalone daemon. Not vice versa!
If there is a firewall on both machines you have to bind ports on both
machines. The problem in that context is that after each reboot or
restart of the service the port definition changes (I think of a
bind_to_port option), as I set this up somewhere a long time ago.



--
This message is digitally signed and contains neither a seal nor

Unsolicited sending of advertising e-mail to private individuals violates
§1 UWG and 823 I BGB (decision of the LG Berlin of 2 Aug 1998, Az:
16 O 201/98). Any commercial use of the transmitted personal data, as
well as passing it on to third parties, is expressly


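Added example, not code from any of the posts above: the port-pinning procedure Philippe describes, as a script. nfsd itself is always on 2049; the daemons that otherwise register a fresh random port with portmap at every restart are rpc.mountd, rpc.statd and lockd, so those are the ones to pin. The port numbers 4000-4002 are an arbitrary choice, the /etc/sysconfig/nfs variable names (MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT) are those of later SUSE releases and should be checked against the 9.2 file, the rpcinfo -p output is constructed for the example, and the FW_TRUSTED_NETS "net,proto,port" entry syntax is SuSEfirewall2's as documented in its sysconfig comments.

```shell
#!/bin/bash
# Added example (not from the thread): verify that the RPC daemons NFS needs
# sit on the ports we pinned, then emit the SuSEfirewall2 line that admits
# only the trusted network to exactly those ports.

# Step 1: the ports we pin (operator's choice). Variable names are assumed to
# match /etc/sysconfig/nfs on later SUSE releases; check your own file.
NFS_PORT=2049
MOUNTD_PORT=4002      # rpc.mountd -p $MOUNTD_PORT
STATD_PORT=4000       # rpc.statd  -p $STATD_PORT
LOCKD_TCPPORT=4001    # lockd module parameter nlm_tcpport=
LOCKD_UDPPORT=4001    # lockd module parameter nlm_udpport=

# Constructed sample of `rpcinfo -p` from a server where mountd was
# restarted WITHOUT pinning: it landed on 32768/32769, not on $MOUNTD_PORT.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100024    1   udp   4000  status
    100024    1   tcp   4000  status'
# The same constructed sample after mountd was restarted with -p 4002.
SAMPLE_RPCINFO_PINNED=$(printf '%s\n' "$SAMPLE_RPCINFO" \
    | sed -e 's/32768/ 4002/' -e 's/32769/ 4002/')

# rpc_port OUTPUT SERVICE PROTO: the port SERVICE is registered on for PROTO
# (empty if it is not registered at all).
rpc_port() {
    printf '%s\n' "$1" | awk -v svc="$2" -v proto="$3" \
        '$3 == proto && $5 == svc { print $4; exit }'
}

# check_pinned OUTPUT: prints "ok" when every service is on its pinned port,
# otherwise one MISMATCH line per service/proto; returns 1 on any mismatch.
check_pinned() {
    local out=$1 rc=0 spec got
    for spec in "nfs tcp $NFS_PORT" "nfs udp $NFS_PORT" \
                "mountd tcp $MOUNTD_PORT" "mountd udp $MOUNTD_PORT" \
                "nlockmgr tcp $LOCKD_TCPPORT" "nlockmgr udp $LOCKD_UDPPORT" \
                "status tcp $STATD_PORT" "status udp $STATD_PORT"; do
        set -- $spec                      # $1=service $2=proto $3=wanted port
        got=$(rpc_port "$out" "$1" "$2")
        if [ "$got" != "$3" ]; then
            echo "MISMATCH $1/$2: want $3 got ${got:-none}"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# sfw2_trusted_nets NET: FW_TRUSTED_NETS value for /etc/sysconfig/SuSEfirewall2
# admitting only NET to portmap and the pinned ports (entries "net,proto,port",
# space separated). Leave these ports out of FW_SERVICES_EXT_TCP/UDP so
# everyone else still gets the default DROP.
sfw2_trusted_nets() {
    local net=$1 v="" p
    for p in "tcp,111" "udp,111" "tcp,$NFS_PORT" "udp,$NFS_PORT" \
             "tcp,$MOUNTD_PORT" "udp,$MOUNTD_PORT" \
             "tcp,$LOCKD_TCPPORT" "udp,$LOCKD_UDPPORT" \
             "tcp,$STATD_PORT" "udp,$STATD_PORT"; do
        v="$v${v:+ }$net,$p"
    done
    echo "FW_TRUSTED_NETS=\"$v\""
}

# Demo on the constructed samples; on a real box use: check_pinned "$(rpcinfo -p)"
check_pinned "$SAMPLE_RPCINFO" || true
check_pinned "$SAMPLE_RPCINFO_PINNED"
sfw2_trusted_nets 192.168.1.0/24
```

Run check_pinned after every reboot or NFS restart on both machines when both carry a firewall; a MISMATCH line is exactly the symptom Philippe describes, and the firewall rule for the pinned port is useless until the daemon is actually on it. Note that packets logged with the DEFLT-INV suffix, as in Simon's log line, are dropped by connection tracking as INVALID before any port rule is consulted, so opening ports does not help with those; that is Ludwig's kernel point, and on kernels that have TCP window tracking the ip_conntrack_tcp_be_liberal sysctl is the knob that makes conntrack accept out-of-window packets.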