Charles Curley wrote:
On Tue, Jan 01, 2008 at 12:25:05PM +1030, Tim wrote:
Something has bugged me for ages about trying to use NFS between
machines on the LAN.
http://www.charlescurley.com/nfs.html
Charles has given a link to his fairly comprehensive method for getting
NFS-v[123] in an Iptables firewalled environment.
It should be noted that in the system-config-firewall command, they are
talking about NFS-v4 which os more like FTP in its use of ports. The
older protocol versions protocols are much harder to configure.
I took a different tack in solving the problem...
I decided that inside my firewall, on the private-IP lan (I use a
10.x.x.x set of addresses) I want to treat the locally addressed network
as a "trusted" network. Older versions of the firewall configurator
(prior to F6?) had a checkbox to select such an option; the current
s-c-firewall doesn't offer this.
What I did was insert a rule on the INPUT ruleset in front of the
RH-Firewall-INPUT call:
#/etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
-I INPUT --src 10.0.1.0/24 -j ACCEPT #<-------Inserted
-I INPUT --in-interface lo --jump ACCEPT
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH. . .
The 10.0.1.0/24 should be replaced with the CIDR of your local network.
This preempts the Firewall chain if the address is in hte noted network.
Since the 10.x.x.x and other private address IP ranges are non-routable
(meaning they won't be passed through a router generally) it is
moderately safe to presume that such addresses originated inside your
border firewall, and that they may use any available services without
restrictions.
Once you edit the firewall rules in /etc/sysconfig/iptables (or do the
slightly more complicated steps necessary to get F8 s-c-f to deal with a
custom ruleset) older NFS versions will "automagically" work as long as
you have the exports file set correctly.
This is less than professionally paranoid in terms of security, but I
offer it as another method that solves more than the NFS problem.
--
Wolfe
<Drat, Thunderbird doesn't know about GNUpg keys!>
Hug Your Wolf!
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list