NFS

NFS

[ligp]

[-- Attachment #1: Type: text/plain, Size: 127 bytes --]

hi,
My NFS (Kernel 2.4.18) do not work.
error information: RPC failure; Port mapping failure, NFS can't receive.

thanks!

[-- Attachment #2: Type: text/html, Size: 564 bytes --]

nfs

[Rob Verduijn]

Hi there,

What would be the rule setting I need to mount a remote nfs share when I
am using connection tracking and a default DROP policy?

Thanx
Rob

Re: nfs

[Sven Riedel]

On Tue, Aug 05, 2003 at 08:36:59AM +0200, Rob Verduijn wrote:
> What would be the rule setting I need to mount a remote nfs share when I
> am using connection tracking and a default DROP policy?

First, since NFS uses RPCs you need to know what ports rpc.mountd,
rpc.statd and maybe rpc.lockd are running on. If you have influence over
the server, try setting the ports explictly (invoke the daemons with the
-p flag. Works with statd and mountd, lockd is a bit more tricky). 

Otherwise the ports are
allocated dynamically and the client has to ask the remote portmapper
where the daemons are listening. Any rules in this case are only valid
as long as the rpc-services on the nfs-server aren't restarted.

You'll have to allow the following ports:
udp/2049: nfs 
tcp/2049: nfs, if you're using nfs over tcp, nfs v3 and up
udp/111: portmap/sunrpc
tcp/111: portmap/sunrpc
udp/<rpc.statd>
tcp/<rpc.statd>
udp/<rpc.mountd>
tcp/<rpc.mountd>
and maybe:
udp/<rpc.lockd>
tcp/<rpc.lockd>

Regs,
Sven


-- 
Sven Riedel                      sr@gimp.org
Liebigstr. 38 
30163 Hannover                  "Python is merely Perl for those who
                                 prefer Pascal to C" (anon)

Re: nfs

[Rob Verduijn]

Hi there,

I do have some influence over the nfs server, (it's my backup server) so
that wouldn't be a big problem.

My second question would be what the IP table rule settings would be on
the server :)




On Tue, 2003-08-05 at 10:17, Sven Riedel wrote:
> On Tue, Aug 05, 2003 at 08:36:59AM +0200, Rob Verduijn wrote:
> > What would be the rule setting I need to mount a remote nfs share when I
> > am using connection tracking and a default DROP policy?
> 
> First, since NFS uses RPCs you need to know what ports rpc.mountd,
> rpc.statd and maybe rpc.lockd are running on. If you have influence over
> the server, try setting the ports explictly (invoke the daemons with the
> -p flag. Works with statd and mountd, lockd is a bit more tricky). 
> 
> Otherwise the ports are
> allocated dynamically and the client has to ask the remote portmapper
> where the daemons are listening. Any rules in this case are only valid
> as long as the rpc-services on the nfs-server aren't restarted.
> 
> You'll have to allow the following ports:
> udp/2049: nfs 
> tcp/2049: nfs, if you're using nfs over tcp, nfs v3 and up
> udp/111: portmap/sunrpc
> tcp/111: portmap/sunrpc
> udp/<rpc.statd>
> tcp/<rpc.statd>
> udp/<rpc.mountd>
> tcp/<rpc.mountd>
> and maybe:
> udp/<rpc.lockd>
> tcp/<rpc.lockd>
> 
> Regs,
> Sven
> 

Re: nfs

[Chris Wilson]

Hi Rob,

> My second question would be what the IP table rule settings would be on
> the server :)

> > udp/2049: nfs
> > tcp/2049: nfs, if you're using nfs over tcp, nfs v3 and up
> > udp/111: portmap/sunrpc
> > tcp/111: portmap/sunrpc
> > udp/<rpc.statd>
> > tcp/<rpc.statd>

  iptables -A FORWARD -s <source> -d <dest> -p udp --dport 2049 -j ACCEPT
  iptables -A FORWARD -s <source> -d <dest> -p tcp --dport 2049 -j ACCEPT
  iptables -A FORWARD -s <source> -d <dest> -p udp --dport 111  -j ACCEPT

Et cetera, for each connection which needs to be allowed, from the list 
which Sven gave you.

> > First, since NFS uses RPCs you need to know what ports rpc.mountd,
> > rpc.statd and maybe rpc.lockd are running on. If you have influence over
> > the server, try setting the ports explictly (invoke the daemons with the
> > -p flag. Works with statd and mountd, lockd is a bit more tricky). 

You can disable locking on the client by mounting with the "-o nolock" 
flag, which removes the need to fix a port for lockd or allow connections 
to it.

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |

Re: nfs

[Ulises Hernandez Pino]

On Tue, 2003-08-05 at 01:36, Rob Verduijn wrote:
> Hi there,
> 
> What would be the rule setting I need to mount a remote nfs share when I
> am using connection tracking and a default DROP policy?
> 

Hi Rob... I had the same problem, and I found a very good explication in
this link: http://www.lowth.com/LinWiz/nfs_help.html


Ulises Hernandez Pino
Red de Datos - Universidad del Cauca

nfs

[will supat]

[-- Attachment #1: Type: text/plain, Size: 441 bytes --]

I set up nfs on redhat linux 9. I created dir and mount locally, It's work.
But when I try to mount remotely from another redhat linux 9, I got error
message RPC: connection refuse. I can ping both ways. I also replace host
name with the IP address to eliminate DNS problem. But I still get the same
error message. Nfsd, mountd and portmapper are running.

Please suggest what else I need to do to resolve this error message.

 

Thank you


[-- Attachment #2: Type: text/html, Size: 2050 bytes --]

nfs

[Redeeman]

i have read that nfs dont work with reiserfs, but even though that, i
made an export, and it works just perfect, is it dangoures somehow?
-- 
Regards, Redeeman
()  ascii ribbon campaign - against html e-mail 
/\                        - against microsoft attachments

Re: nfs

[Hendrik Visage]

On Sat, Nov 15, 2003 at 10:23:08PM +0100, Redeeman wrote:
> i have read that nfs dont work with reiserfs, but even though that, i
> made an export, and it works just perfect, is it dangoures somehow?

Several moons ago, there were problems with reiserfs and NFS, as
reiserfs didn't (still don't?) have the notion of inodes, which is
used in NFS for filehandle information. there were a quick work around
which didn't work that well, but the current 2.4.x kernels and Reiserfs 3.6
works sofar without troubles.


Hendrik

Re: nfs

[Hans Reiser]

Dan Oglesby wrote:

> Hendrik Visage wrote:
>
>> On Sat, Nov 15, 2003 at 10:23:08PM +0100, Redeeman wrote:
>>
>>> i have read that nfs dont work with reiserfs, but even though that, i
>>> made an export, and it works just perfect, is it dangoures somehow?
>>
>>
>>
>> Several moons ago, there were problems with reiserfs and NFS, as
>> reiserfs didn't (still don't?) have the notion of inodes, which is
>> used in NFS for filehandle information. there were a quick work around
>> which didn't work that well, but the current 2.4.x kernels and 
>> Reiserfs 3.6
>> works sofar without troubles.
>>
>>
>> Hendrik
>>
>
> I export several ReiserFS filesystems via NFS, and have had no issues 
> accessing or manipulating data via NFS.  This is with kernel 2.4.21 
> and ReiserFS 3.6.
>
> --Dan
>
>
>
The described problems were more like years ago than moons ago, however, 
there were some kernels a few moons ago that had NFS problems not due to 
reiserfs code just to keep things in a nice state of chaos for the 
users.....

-- 
Hans

Re: nfs

[Dan Oglesby]

Hendrik Visage wrote:
> On Sat, Nov 15, 2003 at 10:23:08PM +0100, Redeeman wrote:
> 
>>i have read that nfs dont work with reiserfs, but even though that, i
>>made an export, and it works just perfect, is it dangoures somehow?
> 
> 
> Several moons ago, there were problems with reiserfs and NFS, as
> reiserfs didn't (still don't?) have the notion of inodes, which is
> used in NFS for filehandle information. there were a quick work around
> which didn't work that well, but the current 2.4.x kernels and Reiserfs 3.6
> works sofar without troubles.
> 
> 
> Hendrik
> 

I export several ReiserFS filesystems via NFS, and have had no issues 
accessing or manipulating data via NFS.  This is with kernel 2.4.21 and 
ReiserFS 3.6.

--Dan

Re: nfs

[Eric Whiting]

2.4 kernels with reiserfs 3.5 will still have NFS troubles. Just make sure you
do not have this combination.  

eric


Hans Reiser wrote:
> >>
> >> Several moons ago, there were problems with reiserfs and NFS, as
> >> reiserfs didn't (still don't?) have the notion of inodes, which is
> >> used in NFS for filehandle information. there were a quick work around
> >> which didn't work that well, but the current 2.4.x kernels and
> >> Reiserfs 3.6
> >> works sofar without troubles.
> >
> >
> The described problems were more like years ago than moons ago, however,
> there were some kernels a few moons ago that had NFS problems not due to
> reiserfs code just to keep things in a nice state of chaos for the
> users.....
> 
> --
> Hans

Re: nfs

[Redeeman]

the "oldest" kernel i am running is 2.4.22, with reiserfs 3.6, and the
newest is now 2.6test9 with reiserfs 3.6 too, and everything works like
a charm! i hope reiser4 will do so ;D

On Mon, 2003-11-17 at 17:38, Eric Whiting wrote:
> 2.4 kernels with reiserfs 3.5 will still have NFS troubles. Just make sure you
> do not have this combination.  
> 
> eric
> 
> 
> Hans Reiser wrote:
> > >>
> > >> Several moons ago, there were problems with reiserfs and NFS, as
> > >> reiserfs didn't (still don't?) have the notion of inodes, which is
> > >> used in NFS for filehandle information. there were a quick work around
> > >> which didn't work that well, but the current 2.4.x kernels and
> > >> Reiserfs 3.6
> > >> works sofar without troubles.
> > >
> > >
> > The described problems were more like years ago than moons ago, however,
> > there were some kernels a few moons ago that had NFS problems not due to
> > reiserfs code just to keep things in a nice state of chaos for the
> > users.....
> > 
> > --
> > Hans
-- 
Regards, Redeeman
()  ascii ribbon campaign - against html e-mail 
/\                        - against microsoft attachments

Re: Nfs

[Ina Flanagan]

[-- Attachment #1.1: Type: text/html, Size: 1211 bytes --]

[-- Attachment #1.2: lotter.png --]
[-- Type: image/png, Size: 13044 bytes --]

[-- Attachment #2: Type: text/plain, Size: 315 bytes --]

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

[-- Attachment #3: Type: text/plain, Size: 140 bytes --]

_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

NFS

[Andrew Holway]

[-- Attachment #1: Type: text/plain, Size: 139 bytes --]

So how much of this got implemented? Whats the story with NFSv4?
https://www.nsa.gov/research/_files/selinux/papers/nfsv3.pdf

ta,

Andrew

[-- Attachment #2: Type: text/html, Size: 311 bytes --]

Re: NFS

[James Carter]

On 06/19/2015 03:09 PM, Andrew Holway wrote:
> So how much of this got implemented? Whats the story with NFSv4?
> https://www.nsa.gov/research/_files/selinux/papers/nfsv3.pdf
>

The v3 work was experimental and there was no real way to upstream it in a 
compatible way.

Dave Quigley worked with the IETF on SELinux labeled NFS support for NFS 4.2 and 
it has been available since Fedora 20. This allows each file to have their own 
SELinux label on the server, but enforcement is only handled by the client.


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

Re: NFS

[Andrew Holway]

[-- Attachment #1: Type: text/plain, Size: 820 bytes --]

>
>
>> The v3 work was experimental and there was no real way to upstream it in
> a compatible way.
>
> Dave Quigley worked with the IETF on SELinux labeled NFS support for NFS
> 4.2 and it has been available since Fedora 20. This allows each file to
> have their own SELinux label on the server, but enforcement is only handled
> by the client.
>
>
Does it work? :)



>
> --
> James Carter <jwcart2@tycho.nsa.gov>
> National Security Agency
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
>


-- 
Otter Networks UG
http://otternetworks.de
fon: +49 30 54 88 5197
Gotenstraße 17
10829 Berlin

[-- Attachment #2: Type: text/html, Size: 1354 bytes --]

Re: NFS

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1302 bytes --]



On 06/19/2015 04:19 PM, Andrew Holway wrote:
>
>
>     The v3 work was experimental and there was no real way to upstream
>     it in a compatible way.
>
>     Dave Quigley worked with the IETF on SELinux labeled NFS support
>     for NFS 4.2 and it has been available since Fedora 20. This allows
>     each file to have their own SELinux label on the server, but
>     enforcement is only handled by the client.
>
>
> Does it work? :)
>
Yes as long as your client and server support the protocol.  Currently I
know Fedora and RHEL7 do.
>
>
>
>     --
>     James Carter <jwcart2@tycho.nsa.gov>
>     National Security Agency
>     _______________________________________________
>     Selinux mailing list
>     Selinux@tycho.nsa.gov
>     To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>     To get help, send an email containing "help" to
>     Selinux-request@tycho.nsa.gov.
>
>
>
> --
> Otter Networks UG
> http://otternetworks.de
> fon: +49 30 54 88 5197
> Gotenstraße 17
> 10829 Berlin
>
>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.


[-- Attachment #2: Type: text/html, Size: 3092 bytes --]