On Wed, 2010-06-02 at 14:48 +0200, Ferenc Wagner wrote:
> Guillaume Rousse <Guillaume.Rousse@xxxxxxxx> writes:
>
> > On 02/06/2010 13:37, Ferenc Wagner wrote:
> >
> >> I read that letting NFS4 through firewalls is quite easy and entails
> >> opening up port 2049 of the server only. It indeed works. But our NFS
> >> client has its own firewall as well, and that logs backward connection
> >> attempts from low (665-1022) ports of the NFS4 server to port 59473 of
> >> the client. These connections aren't let through, but I wonder if they
> >> should be, and if it's NFS related at all...
> >
> > They are delegation callbacks. If those connections can't succeed, you
> > won't have delegation support.
>
> Thank you for the quick and clear explanation. Is there some "best
> practice" available for firewalling delegation callbacks? If that's
> infeasible, is there any way to explicitly disable delegation support in
> the server, to suppress the useless trials?

On the NFS client, you should set the 'nfs.callback_tcpport' kernel
parameter to a known port number, then open that TCP port for incoming
connections on your firewall.

e.g. if you decide to open TCP port 2050, then you should add something
like the following line to /etc/modprobe.d/options-nfs.conf:

    options nfs callback_tcpport=2050

Then either reboot the client, or unload its nfs kernel module and
reload it...

Cheers
  Trond
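
An added example, not part of the original thread: a small shell check for the procedure described above. It reads the pinned callback port from the modprobe configuration, reports whether the loaded nfs module is already using it (the reboot or reload step), and prints a firewall rule that admits only the NFS server to that port. The function names are hypothetical, 192.0.2.10 is a constructed server address, and the script assumes the loaded module exposes the parameter at /sys/module/nfs/parameters/callback_tcpport.

```shell
#!/bin/sh
# Added example; function names are hypothetical, addresses are constructed.
# Usage (on the NFS client):
#   callback_port_state /etc/modprobe.d/options-nfs.conf \
#       /sys/module/nfs/parameters/callback_tcpport
#   allow_rule 192.0.2.10 2050

# Print the callback port pinned by an "options nfs ... callback_tcpport=N"
# line in the given modprobe config file. Fails when no such line exists or
# the value is 0 (not pinned) or not a valid TCP port. Last matching line wins.
configured_port() {
    port=$(sed -n 's/^[[:space:]]*options[[:space:]]\{1,\}nfs[[:space:]].*callback_tcpport=\([0-9]\{1,\}\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    case $port in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    echo "$port"
}

# Compare the configured port with the value the loaded module reports.
# Prints one of:
#   unpinned                    no usable callback_tcpport in the config
#   not-loaded PORT             config is set, nfs module is not loaded
#   reload-needed PORT RUNNING  module still runs with the old value
#   ok PORT                     config and running module agree
callback_port_state() {
    conf=$1
    sysfs=$2
    want=$(configured_port "$conf") || { echo "unpinned"; return 0; }
    [ -r "$sysfs" ] || { echo "not-loaded $want"; return 0; }
    running=$(cat "$sysfs")
    if [ "$running" = "$want" ]; then
        echo "ok $want"
    else
        echo "reload-needed $want $running"
    fi
}

# Print (do not apply) an iptables rule that accepts callback connections
# to the pinned port from the NFS server's address only.
allow_rule() {
    server=$1
    port=$2
    echo "iptables -A INPUT -p tcp -s $server --dport $port -j ACCEPT"
}
```

Restricting the rule to the server's source address keeps the pinned port closed to every other host; the rule is only printed, so it can be reviewed before it is added to the client's firewall configuration.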