Re: nfs mounting - pam considerations

On 10/20/06, Margaret Doll <Margaret_Doll@xxxxxxxxx> wrote:
I am finding that FC3 requires me to allow more open ports for NFS to
work. I have to modify iptables. With FC2, I did not have to do this.

With iptables off, NFS mounting works on FC3.

I have tcp port 111 opened now and am hunting for the additional
ports that I need.

fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Hi Again Margaret Doll!

Sounds like your hunting has been very good!

I note:

# From: http://www.troubleshooters.com/linux/nfs.htm
-----------------------------------------------------------------------------------------------------
5: If there are still problems, disable firewalls or log firewalls
Many supposed NFS problems are really problems with the firewall. In
order for your NFS server to successfully serve NFS shares, its
firewall must enable the following:

ICMP Type 3 packets
Port 111, the Portmap daemon
Port 2049, NFS
The port(s) assigned to the mountd daemon
The easiest way to see whether your problem resides in the firewall is
to completely open up the client and server firewalls and anything in
between. For details on how to manipulate iptables see the May 2003
Linux Productivity Magazine.

Note that opening up firewalls is appropriate only if you're
disconnected from the Internet, or if you're in a very un-hostile
environment. Even so, you should open up the firewalls for a very
short time (less than 5 minutes). If in doubt, instead of opening the
firewalls, insert logging statements in IPTables to show what packets
are being rejected during NFS mounts, and take action to enable those
ports. For details on IPTables diagnostic logging, see the May 2003
Linux Productivity Magazine.

The mountd daemon ports are especially problematic, because they're
normally assigned by the portmap daemon, and vary from NFS restart to
NFS restart. The /etc/rc.d/init.d/nfs script can be changed to nail
down the mountd daemon to a specific port, which then enables you to
pinhole a specific port. The "A Somewhat Practical Server Firewall"
article in the May 2003 Linux Productivity Magazine explains how to
do this.

If for some reason you don't want to nail down the port, your only
other alternatives are to create a firewall enabling a huge range of
ports in the 30000's, or to create a master NFS restart script which
does the following:

Use the rpcinfo program to find all ports used by mountd.
Issue iptables commands to find the rule numbers for those ports.
Issue iptables commands to delete all rules on those ports.
Restart NFS
Use the rpcinfo program to find all ports used by mountd.
Issue iptables commands to insert rules for those ports where the
rules for those ports used to be.
One technique that might make that easier is to create a user defined
chain just to hold mountd rules. In that case you'd simply empty that
chain, restart NFS, use rpcinfo to find the port numbers, and add the
proper rules using the iptables -A command.

It bears repeating that the May 2003 Linux Productivity Magazine
details how to create an NFS-friendly firewall.
-------------------------------------------------------------------------
You have probably made my future life easier, thanks!

Tod
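The user-defined-chain approach the quoted article sketches, written out as an added example; this is not code from the thread or from the troubleshooters.com article. The chain name NFS-MOUNTD, the assumption that INPUT already jumps to that chain, and the sample rpcinfo output are all constructed for the example.

```shell
#!/bin/bash
# Added example, not code from the thread or the troubleshooters.com article:
# keep the mountd pinholes in their own user-defined chain so that, after an
# NFS restart, only that chain needs to be emptied and refilled.
# Assumptions: chain name NFS-MOUNTD is ours; INPUT already jumps to it once
# (e.g. "iptables -I INPUT -j NFS-MOUNTD"); rpcinfo -p prints the classic
# "program vers proto port service" columns.

CHAIN="NFS-MOUNTD"

# Constructed sample of `rpcinfo -p` output, used for the dry run below.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100005    3   udp  32768  mountd
    100005    3   tcp  32769  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs'

# Read rpcinfo -p text on stdin; print unique "proto port" pairs for mountd.
# The header line has no fifth column, so it never matches.
mountd_ports() {
    awk '$5 == "mountd" { print $3, $4 }' | sort -u
}

# Rebuild the chain from the given rpcinfo text. $1 is a command prefix:
# "" runs iptables for real, "echo" only prints what would be run.
rebuild_chain() {
    run="$1"
    rpc_text="$2"
    $run iptables -N "$CHAIN" 2>/dev/null || true   # create if missing
    $run iptables -F "$CHAIN"                       # drop stale pinholes
    printf '%s\n' "$rpc_text" | mountd_ports | while read -r proto port; do
        $run iptables -A "$CHAIN" -p "$proto" --dport "$port" -j ACCEPT
    done
}

# The "master restart" from the article: empty the chain, restart NFS, then
# pinhole whatever ports portmap handed mountd this time. Root required.
nfs_restart_and_repinhole() {
    iptables -F "$CHAIN"
    service nfs restart
    rebuild_chain "" "$(rpcinfo -p)"
}

# Dry run against the constructed sample (prints the iptables commands).
rebuild_chain echo "$SAMPLE_RPCINFO"
```

Only the mountd lines become ACCEPT rules; portmapper (111) and nfs (2049) sit on fixed ports and belong in the static part of the ruleset, not in this chain.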
