On Fri, 2009-05-08 at 08:03 +0200, Frank Steiner wrote:
> Tom Talpey wrote
> >
> > In particular, if you do NLM file locking, there is a server callback (NLM
> > "granted") which the server may choose to issue via UDP. If this callback
> > is not seen by the client due to firewall blocking, there may be a 30-second
> > pause before a client retry unblocks the caller.
> >
> > Also, the NSM (status monitor) exchanges are often performed via UDP.
> > Again, if you are using NLM and the server reboots, the client may not
> > become aware of this promptly, and lock reclaim will be affected.
> >
> > OTOH, if your applications don't use locking on the NFS mounts, you'll
> > probably be fine.
>
> We do use locking on nfs mounts, so I wonder what that would mean for the
> firewall. Currently I see connections from the NFS server *from* port 700
> and 111 (we've fixed mountd port to 700) to (it seems) arbitrary udp
> ports on the NFS clients.
>
> Would that be enough to allow those? Or could the source ports be arbitrary
> with NLM, too? I.e., would we have to open all udp traffic from the NFS
> servers to all the NFS clients?

Most NFS servers allow you to pin the ports used by the lockd service. In
Linux, the kernel boot parameters lockd.nlm_tcpport and lockd.nlm_udpport
will suffice to do it for you (see
linux/Documentation/kernel-parameters.txt).

Trond
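A check an administrator could run after pinning lockd as described in the reply above, added here as an example and not part of the original thread: it parses `rpcinfo -p` output and confirms that nlockmgr is registered only on the expected port, so firewall rules can be scoped to it. Port 4001 and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Assumed setup (port number is a constructed example), using the boot
# parameters named in the thread:
#   lockd.nlm_udpport=4001 lockd.nlm_tcpport=4001

# Constructed sample of `rpcinfo -p` output from a host with lockd pinned.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   udp    700  mountd
    100021    1   udp   4001  nlockmgr
    100021    3   udp   4001  nlockmgr
    100021    4   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100021    4   tcp   4001  nlockmgr
    100024    1   udp  38467  status'

# nlm_ports PROTO
# Reads `rpcinfo -p` output on stdin and prints the distinct ports on which
# nlockmgr (RPC program 100021) is registered for PROTO, space separated.
nlm_ports() {
    awk -v proto="$1" '$1 == 100021 && $3 == proto { print $4 }' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# check_pinned PROTO EXPECTED_PORT
# Succeeds only if nlockmgr is registered on exactly EXPECTED_PORT for PROTO.
# A missing registration or an ephemeral port means the pin did not take
# effect, and a firewall rule written for EXPECTED_PORT would drop NLM traffic.
check_pinned() {
    found=$(nlm_ports "$1")
    if [ "$found" = "$2" ]; then
        echo "ok: nlockmgr/$1 on port $2"
    else
        echo "MISMATCH: nlockmgr/$1 on '${found:-none}', expected $2" >&2
        return 1
    fi
}

# Demo against the constructed sample; on a live host use:
#   rpcinfo -p | check_pinned udp 4001
printf '%s\n' "$SAMPLE_RPCINFO" | check_pinned udp 4001
printf '%s\n' "$SAMPLE_RPCINFO" | check_pinned tcp 4001
```

The `status` line in the sample shows the NSM service still on an arbitrary port; pinning lockd does not change that registration.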