pete... some of the information i've seen indicates that you somehow have to specify the port that some of the nfs processes use on the nfs server. if this has to occur during startup, where else could it occur, but in the nfs startup script... a preleminary test shows that you can actually add a couple of lines to the \etc\rc.d\init.d\nfs script and that it appears to "lock" the input/output ports.. this would then allow you to create the iptables that would be solid, because the ports for the processes wouldn't be changing... thoughts/comments/criticisms/etc... -bruce -----Original Message----- From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx]On Behalf Of Pete Nesbitt Sent: Friday, July 02, 2004 12:33 PM To: bedouglas@xxxxxxxxxxxxx; General Red Hat Linux discussion list Subject: Re: nfs issue... On July 2, 2004 12:18 pm, bruce wrote: > pete.... > > ok.. it looks like i have it working for now... > > but it appears that i'm going to have to make some changes to the > /etc/rc.d/init.d/nfs script. it appears that the associated processes for > nfs have ports that need to be accounted for in the iptables. > > in particular the processes statd, mountd, quotad.... > > the iptables that i created for the nfs server is below... > > i'm going to need to know how to modify the nfs script to lock the ports > for the processes down, as these processes apparently use random ports... > but i'm not sure how to make the changes to the nfs script... > > > currently used iptable for nfs server... > # Firewall configuration written by lokkit > # Manual customization of this file is not recommended. > # Note: ifup-post will punch the current nameservers through the > # firewall; such entries will *not* be listed here. > *filter > > :INPUT ACCEPT [0:0] > :FORWARD ACCEPT [0:0] > :OUTPUT ACCEPT [0:0] > :RH-Lokkit-0-50-INPUT - [0:0] > > -A INPUT -j RH-Lokkit-0-50-INPUT > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT > -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport > 67:68 -i eth0 -j ACCEPT > -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport > 67:68 -i eth1 -j ACCEPT > -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT > ### > ### nfs related stuff... > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 32768:32770 -j ACCEPT > -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 32768:32770 -j ACCEPT > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 -j ACCEPT > -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 111 -j ACCEPT > > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT > -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT > -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT > -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT > COMMIT > > > > i've seen the following docs:. > <<<<<<<<<<<<<<<<<<===========================>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > The other daemons, statd, mountd, lockd, and rquotad, will normally move > around to the first available port they are informed of by the portmapper. > > To force statd to bind to a particular port, use the -p portnum option. To > force statd to respond on a particular port, additionally use the -o > portnum option when starting it. > > (ok... but how do i find the process that starts the statd process. is this > the /etc/rc.d/init.d/nfs script?????? ) > > To force mountd to bind to a particular port use the -p portnum option. > > For example, to have statd broadcast of port 32765 and listen on port > 32766, and mountd listen on port 32767, you would type: > > # statd -p 32765 -o 32766 > # mountd -p 32767 > > > lockd is started by the kernel when it is needed. Therefore you need to > pass module options (if you have it built as a module) or kernel options to > force lockd to listen and respond only on certain ports. > > If you are using loadable modules and you would like to specify these > options in your /etc/modules.conf file add a line like this to the file: > > options lockd nlm_udpport=32768 nlm_tcpport=32768 > > > The above line would specify the udp and tcp port for lockd to be 32768. > > If you are not using loadable modules or if you have compiled lockd into > the kernel instead of building it as a module then you will need to pass it > an option on the kernel boot line. > > It should look something like this: > > vmlinuz 3 root=/dev/hda1 lockd.udpport=32768 lockd.tcpport=32768 > > > The port numbers do not have to match but it would simply add unnecessary > confusion if they didn't. > <<<<<<<<<<<<<<<<<<===========================>>>>>>>>>>>>>>>>>>>>>>>>>>>>> > > my copy of the /etc.../nfs script doesn't have "statd"... should i add > it??? also, how do i know if i'm using "loadable modules", or if the kernel > had lockd compiled... and if i do need to pass the options in as boot > parameters, where/how would i do this... what file would i have to > edit...????? > Bruce, You shouldn't have to mess with the nfs init script. You should not need all the extra nfs entries in your iptables, but probably only need to add: -A RH-Lokkit-0-50-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT t this point it may also mbe worth grabbing an iptables frontend like firestarter ( http://firestarter.sourceforge.net ) or build your own init script. I know you are going to have the fw set up properly soon, but this seems like a strange approach (editing this file), oh well, we got this far... -- Pete Nesbitt, rhce -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list