Subject: nfs
From: Rob Verduijn @ 2003-08-05 6:36 UTC
To: netfilter

Hi there,

What would be the rule setting I need to mount a remote nfs share when I
am using connection tracking and a default DROP policy?

Thanx
Rob
Subject: Re: nfs
From: Sven Riedel @ 2003-08-05 8:17 UTC
To: Rob Verduijn; +Cc: netfilter

On Tue, Aug 05, 2003 at 08:36:59AM +0200, Rob Verduijn wrote:
> What would be the rule setting I need to mount a remote nfs share when I
> am using connection tracking and a default DROP policy?

First, since NFS uses RPCs you need to know what ports rpc.mountd,
rpc.statd and maybe rpc.lockd are running on. If you have influence over
the server, try setting the ports explicitly (invoke the daemons with the
-p flag. Works with statd and mountd, lockd is a bit more tricky).

Otherwise the ports are allocated dynamically and the client has to ask
the remote portmapper where the daemons are listening. Any rules in this
case are only valid as long as the rpc-services on the nfs-server aren't
restarted.

You'll have to allow the following ports:
udp/2049: nfs
tcp/2049: nfs, if you're using nfs over tcp, nfs v3 and up
udp/111: portmap/sunrpc
tcp/111: portmap/sunrpc
udp/<rpc.statd>
tcp/<rpc.statd>
udp/<rpc.mountd>
tcp/<rpc.mountd>
and maybe:
udp/<rpc.lockd>
tcp/<rpc.lockd>

Regs,
Sven
-- 
Sven Riedel                                   sr@gimp.org
Liebigstr. 38                                 30163 Hannover
"Python is merely Perl for those who prefer Pascal to C" (anon)
Subject: Re: nfs
From: Rob Verduijn @ 2003-08-05 9:02 UTC
To: sr; +Cc: netfilter

Hi there,

I do have some influence over the nfs server (it's my backup server), so
that wouldn't be a big problem.
My second question would be what the IP table rule settings would be on
the server :)

On Tue, 2003-08-05 at 10:17, Sven Riedel wrote:
> On Tue, Aug 05, 2003 at 08:36:59AM +0200, Rob Verduijn wrote:
> > What would be the rule setting I need to mount a remote nfs share when I
> > am using connection tracking and a default DROP policy?
>
> First, since NFS uses RPCs you need to know what ports rpc.mountd,
> rpc.statd and maybe rpc.lockd are running on. If you have influence over
> the server, try setting the ports explicitly (invoke the daemons with the
> -p flag. Works with statd and mountd, lockd is a bit more tricky).
>
> Otherwise the ports are
> allocated dynamically and the client has to ask the remote portmapper
> where the daemons are listening. Any rules in this case are only valid
> as long as the rpc-services on the nfs-server aren't restarted.
>
> You'll have to allow the following ports:
> udp/2049: nfs
> tcp/2049: nfs, if you're using nfs over tcp, nfs v3 and up
> udp/111: portmap/sunrpc
> tcp/111: portmap/sunrpc
> udp/<rpc.statd>
> tcp/<rpc.statd>
> udp/<rpc.mountd>
> tcp/<rpc.mountd>
> and maybe:
> udp/<rpc.lockd>
> tcp/<rpc.lockd>
>
> Regs,
> Sven
Subject: Re: nfs
From: Chris Wilson @ 2003-08-05 9:49 UTC
To: Rob Verduijn; +Cc: sr, netfilter

Hi Rob,

> My second question would be what the IP table rule settings would be on
> the server :)

> > udp/2049: nfs
> > tcp/2049: nfs, if you're using nfs over tcp, nfs v3 and up
> > udp/111: portmap/sunrpc
> > tcp/111: portmap/sunrpc
> > udp/<rpc.statd>
> > tcp/<rpc.statd>

iptables -A FORWARD -s <source> -d <dest> -p udp --dport 2049 -j ACCEPT
iptables -A FORWARD -s <source> -d <dest> -p tcp --dport 2049 -j ACCEPT
iptables -A FORWARD -s <source> -d <dest> -p udp --dport 111 -j ACCEPT

Et cetera, for each connection which needs to be allowed, from the list
which Sven gave you.

> > First, since NFS uses RPCs you need to know what ports rpc.mountd,
> > rpc.statd and maybe rpc.lockd are running on. If you have influence over
> > the server, try setting the ports explicitly (invoke the daemons with the
> > -p flag. Works with statd and mountd, lockd is a bit more tricky).

You can disable locking on the client by mounting with the "-o nolock"
flag, which removes the need to fix a port for lockd or allow connections
to it.

Cheers, Chris.
-- 
   ___ __     _
  / __// /  ,__(_)_    | Chris Wilson -- UNIX Firewall Lead Developer |
 / (_ / ,\/ _/ /_ \    | NetServers.co.uk http://www.netservers.co.uk |
 \ _//_/_/_//_/___/    | 21 Signet Court, Cambridge, UK. 01223 576516 |
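Added example, not code from anyone in the thread: it ties Sven's port list to Chris's rule form for the server side of the mount. It assumes a server whose INPUT chain has a default DROP policy, a single allowed client address, and the output of `rpcinfo -p` captured from that server (a constructed sample is embedded, since the statd/mountd/lockd ports are dynamic unless the daemons were started with -p); the helper name `nfs_server_rules` is hypothetical, and the commands are printed rather than applied so the rule set can be reviewed first.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p <server>` output. The mountd, status
# (rpc.statd) and nlockmgr (rpc.lockd) ports here are made up; on a real
# server they change whenever the RPC services restart unless pinned with -p.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  32769  mountd
    100005    1   tcp  32770  mountd
    100024    1   udp  32771  status
    100024    1   tcp  32772  status
    100021    1   udp  32773  nlockmgr
    100021    1   tcp  32774  nlockmgr'

# nfs_server_rules CLIENT SERVER [RPCINFO_TEXT]
# Hypothetical helper: prints the iptables commands for the NFS server's
# INPUT chain. One ACCEPT per proto/port the portmapper advertises for the
# NFS-related services, limited to the one client, plus the conntrack rule
# that admits reply packets. Nothing is applied; the output is for review.
nfs_server_rules() {
  client=$1; server=$2; rpcinfo=${3:-$RPCINFO_SAMPLE}
  echo "iptables -P INPUT DROP"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "$rpcinfo" | awk -v c="$client" -v s="$server" '
    NR > 1 && $5 ~ /^(portmapper|nfs|mountd|status|nlockmgr)$/ {
      key = $3 "/" $4            # several versions share a port: emit once
      if (seen[key]++) next
      printf "iptables -A INPUT -s %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT  # %s\n",
             c, s, $3, $4, $5
    }'
}

# Example run against the constructed sample (192.0.2.0/24 is documentation space).
nfs_server_rules 192.0.2.10 192.0.2.1
```

Because the list is derived from what the portmapper currently advertises, the rules must be regenerated after an RPC service restart, which is exactly why Sven recommends pinning the ports with -p.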
Subject: Re: nfs
From: Ulises Hernandez Pino @ 2003-08-07 0:58 UTC
To: Rob Verduijn; +Cc: netfilter

On Tue, 2003-08-05 at 01:36, Rob Verduijn wrote:
> Hi there,
>
> What would be the rule setting I need to mount a remote nfs share when I
> am using connection tracking and a default DROP policy?
>

Hi Rob...

I had the same problem, and I found a very good explication in this link:
http://www.lowth.com/LinWiz/nfs_help.html

Ulises Hernandez Pino
Red de Datos - Universidad del Cauca