01-01-2008, 12:55 AM
Tim
NFS versus the firewall

Something has bugged me for ages about trying to use NFS between
machines on the LAN. I've still got a central server running FC4,
because everything (FC 5 through to 7) can make use of it. But none of
the other OSs can do machine to machine NFS to each other (not FC5 to
FC5, FC6 to FC6, nor FC7 to FC7), even though I've ticked the
system-config-securitylevel box to allow NFS through the firewall, I
have to disable the firewall to do it.

Why does it give an NFS option if it doesn't work? All the other
service tick boxes work (if I tick WWW, I can webserve without any
firewall issues, etc.). Surely, given a firewall configurator with
preset options, all that two FC7 users need to do to NFS between each
other is to tick the NFS option? It seems extraordinarily badly
designed if it doesn't.

Yes, I have allowed NFS options in the SELinux configurator, as well.
And, no, I do NOT want to use Samba.

Any box can use the auto networking thingo where something like
less /net/server/home/tim/testfile automatically works. But try
accessing any of the newer than FC4 boxes, and it doesn't.

e.g. [tim@suspishus ~]$ ls /net/bigblack/home/tim/
ls: cannot access /net/bigblack/home/tim/: No such file or directory

With "bigblack" being the hostname of a FC7 box on the LAN. And, yes,
the name resolves. I have fully functioning local DNS, in both forward
and reverse directions.

--
(This computer runs FC7, my others run FC4, FC5 & FC6, in case that's
important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
01-01-2008, 01:19 AM
Charles Curley
NFS versus the firewall

On Tue, Jan 01, 2008 at 12:25:05PM +1030, Tim wrote:
> Something has bugged me for ages about trying to use NFS between
> machines on the LAN.

http://www.charlescurley.com/nfs.html


--

Charles Curley /" ASCII Ribbon Campaign
Looking for fine software / Respect for open standards
and/or writing? X No HTML/RTF in email
http://www.charlescurley.com / No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
 
01-01-2008, 06:59 AM
Tim
NFS versus the firewall

Tim:
>> Something has bugged me for ages about trying to use NFS between
>> machines on the LAN.

Charles Curley:
> http://www.charlescurley.com/nfs.html

I'll have a bash at that a bit later, but the question still stands
about what's the point of the NFS checkmark in the firewall
configurator, if it can't actually do the trick? They might as well
have named it "waste your time."

--
[tim@bigblack ~]$ uname -ipr
2.6.23.1-10.fc7 i686 i386

Using FC 4, 5, 6 & 7, plus CentOS 5. Today, it's FC7.

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.



 
01-01-2008, 07:16 AM
"G.Wolfe Woodbury"
NFS versus the firewall

Charles Curley wrote:
> On Tue, Jan 01, 2008 at 12:25:05PM +1030, Tim wrote:
>> Something has bugged me for ages about trying to use NFS between
>> machines on the LAN.
>
> http://www.charlescurley.com/nfs.html



Charles has given a link to his fairly comprehensive method for getting
NFS-v[123] in an Iptables firewalled environment.


It should be noted that in the system-config-firewall command, they are
talking about NFS-v4, which is more like FTP in its use of ports. The
older protocol versions are much harder to configure.


I took a different tack in solving the problem...
I decided that inside my firewall, on the private-IP lan (I use a
10.x.x.x set of addresses) I want to treat the locally addressed network
as a "trusted" network. Older versions of the firewall configurator
(prior to F6?) had a checkbox to select such an option; the current
s-c-firewall doesn't offer this.


What I did was insert a rule on the INPUT ruleset in front of the
RH-Firewall-INPUT call:


#/etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
-I INPUT --src 10.0.1.0/24 -j ACCEPT #<-------Inserted
-I INPUT --in-interface lo --jump ACCEPT
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH. . .

The 10.0.1.0/24 should be replaced with the CIDR of your local network.
This preempts the Firewall chain if the address is in the noted network.
Since the 10.x.x.x and other private address IP ranges are non-routable
(meaning they won't be passed through a router generally) it is
moderately safe to presume that such addresses originated inside your
border firewall, and that they may use any available services without
restrictions.



Once you edit the firewall rules in /etc/sysconfig/iptables (or do the
slightly more complicated steps necessary to get F8 s-c-f to deal with a
custom ruleset) older NFS versions will "automagically" work as long as
you have the exports file set correctly.


This is less than professionally paranoid in terms of security, but I
offer it as another method that solves more than the NFS problem.


--
Wolfe
<Drat, Thunderbird doesn't know about GNUpg keys!>
Hug Your Wolf!


 
01-01-2008, 04:06 PM
"Amadeus W.M."
NFS versus the firewall

On Tue, 01 Jan 2008 18:29:52 +1030, Tim wrote:

> Tim:
>>> Something has bugged me for ages about trying to use NFS between
>>> machines on the LAN.
>
> Charles Curley:
>> http://www.charlescurley.com/nfs.html
>
> I'll have a bash at that a bit later, but the question still stands
> about what's the point of the NFS checkmark in the firewall
> configurator, if it can't actually do the trick? They might as well
> have named it "waste your time."
>
> --
> [tim@bigblack ~]$ uname -ipr
> 2.6.23.1-10.fc7 i686 i386
>
> Using FC 4, 5, 6 & 7, plus CentOS 5. Today, it's FC7.
>
> Don't send private replies to my address, the mailbox is ignored. I read
> messages from the public lists.


The difficulty with nfs is that it uses a few auxiliary rpc services,
which by default get started on a random port. These random ports must be
open in the firewall, but because they are random, the iptables has no
idea what they might be.

The cure is to force these services to ALWAYS start on pre-assigned
ports, and open these ports in the firewall.

To this end, on the nfs server

1) Create a file /etc/sysconfig/nfs with the following contents:

RQUOTAD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
STATD_PORT=4003

The nfs config file already exists, but it's full of comments. Erase
everything and put these lines in, or just edit the appropriate lines in
the existing file. You can choose any ports available, not necessarily
4000-4003.


2) Open range 4000-4003 tcp and udp in iptables. This you can do
manually, but it can be done from system-config-firewall very easily and
intuitively.

3) Open port 111 (portmapper) and 2049 (nfs) as well.

Done.


Now, from any client (which should be running the automounter (autofs) by
default), you should be able to

cd /net/nfsserver/exported/partition


I have all this up and running, and it's pretty cool to watch video that
resides on my main pc (nfs server) on my big hdtv, via nfs and a wireless
laptop that sits on top of my tv.


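An added example for the two approaches in this thread, not code posted by Amadeus, Wolfe or anyone else on the list. It renders the pinned-port /etc/sysconfig/nfs settings from the procedure above, renders iptables rules that open only the portmapper, nfs and pinned ports and only to the LAN (a narrower alternative to Wolfe's whole-LAN ACCEPT rule), and checks `rpcinfo -p` output to confirm the daemons actually came up on the pinned ports, which is the check that tells you whether the firewall holes and the daemons agree. It assumes the LAN CIDR in LAN_CIDR and the RH-Firewall-1-INPUT chain name that system-config-firewall used on the boxes in this thread; the two rpcinfo listings are constructed samples. It writes nothing to /etc.

```shell
#!/bin/sh
# Added example: pin NFS's auxiliary RPC ports, open only those ports to
# the LAN, and verify with rpcinfo -p. Not code from the thread. Nothing
# here touches /etc; "show" prints what you would put there.

LAN_CIDR="${LAN_CIDR:-10.0.1.0/24}"   # assumption: set this to your own LAN

# Fixed ports for the auxiliary RPC daemons (the values used in the thread)
RQUOTAD_PORT=4000
LOCKD_PORT=4001
MOUNTD_PORT=4002
STATD_PORT=4003

# Lines for /etc/sysconfig/nfs so the daemons stop picking random ports
nfs_sysconfig() {
    printf 'RQUOTAD_PORT=%s\n' "$RQUOTAD_PORT"
    printf 'LOCKD_TCPPORT=%s\n' "$LOCKD_PORT"
    printf 'LOCKD_UDPPORT=%s\n' "$LOCKD_PORT"
    printf 'MOUNTD_PORT=%s\n' "$MOUNTD_PORT"
    printf 'STATD_PORT=%s\n' "$STATD_PORT"
}

# Rules for /etc/sysconfig/iptables: portmapper (111), nfs (2049) and the
# four pinned ports, tcp and udp, accepted only from $1 (a CIDR). -I puts
# them ahead of the chain's final REJECT; the chain name is an assumption
# taken from the system-config-firewall rule set shown in this thread.
nfs_rules() {
    cidr=$1
    for port in 111 2049 "$RQUOTAD_PORT" "$LOCKD_PORT" "$MOUNTD_PORT" "$STATD_PORT"; do
        for proto in tcp udp; do
            printf '%s RH-Firewall-1-INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
                -I "$cidr" "$proto" "$port"
        done
    done
}

# Check rpcinfo -p output ($1): mountd, nlockmgr and status must sit on the
# pinned ports, otherwise the holes in the firewall do not match the daemons.
# Returns 0 when every daemon is pinned, 1 when any of them floated.
check_rpcinfo() {
    printf '%s\n' "$1" | awk -v m="$MOUNTD_PORT" -v l="$LOCKD_PORT" -v s="$STATD_PORT" '
        $5 == "mountd"   && $4 != m { bad++ }
        $5 == "nlockmgr" && $4 != l { bad++ }
        $5 == "status"   && $4 != s { bad++ }
        END { exit (bad > 0) ? 1 : 0 }'
}

# Constructed sample of rpcinfo -p output after the ports were pinned
PINNED_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4003  status
    100024    1   tcp   4003  status
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# Constructed sample of the default behaviour: mountd and status floated
FLOATING_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100024    1   udp  32768  status
    100021    1   tcp   4001  nlockmgr
    100005    1   tcp  50023  mountd
    100003    2   tcp   2049  nfs'

# Usage: sh nfs-firewall.sh show    prints the sysconfig lines and the rules
#        sh nfs-firewall.sh verify  checks the live rpcinfo -p on this host
case "${1:-}" in
    show)   nfs_sysconfig; echo; nfs_rules "$LAN_CIDR" ;;
    verify) check_rpcinfo "$(rpcinfo -p)" && echo "NFS ports are pinned" ;;
esac
```

Run "verify" on the server after restarting the nfs and nfslock services; if it fails, the sysconfig change was not picked up and opening 4000-4003 in the firewall will not help, which is exactly the symptom the original poster described.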
 
01-01-2008, 09:48 PM
Richard England
NFS versus the firewall

Amadeus W.M. wrote:
> On Tue, 01 Jan 2008 18:29:52 +1030, Tim wrote:
>
>> Tim:
>>>> Something has bugged me for ages about trying to use NFS between
>>>> machines on the LAN.
>>
>> Charles Curley:
>>> http://www.charlescurley.com/nfs.html
>>
>> I'll have a bash at that a bit later, but the question still stands
>> about what's the point of the NFS checkmark in the firewall
>> configurator, if it can't actually do the trick? They might as well
>> have named it "waste your time."
>>
>> --
>> [tim@bigblack ~]$ uname -ipr
>> 2.6.23.1-10.fc7 i686 i386
>>
>> Using FC 4, 5, 6 & 7, plus CentOS 5. Today, it's FC7.
>>
>> Don't send private replies to my address, the mailbox is ignored. I read
>> messages from the public lists.
>
> The difficulty with nfs is that it uses a few auxiliary rpc services,
> which by default get started on a random port. These random ports must be
> open in the firewall, but because they are random, the iptables has no
> idea what they might be.
>
> The cure is to force these services to ALWAYS start on pre-assigned
> ports, and open these ports in the firewall.
>
> To this end, on the nfs server
>
> 1) Create a file /etc/sysconfig/nfs with the following contents:
>
> RQUOTAD_PORT=4000
> LOCKD_TCPPORT=4001
> LOCKD_UDPPORT=4001
> MOUNTD_PORT=4002
> STATD_PORT=4003
>
> The nfs config file already exists, but it's full of comments. Erase
> everything and put these lines in, or just edit the appropriate lines in
> the existing file. You can choose any ports available, not necessarily
> 4000-4003.
>
> 2) Open range 4000-4003 tcp and udp in iptables. This you can do
> manually, but it can be done from system-config-firewall very easily and
> intuitively.
>
> 3) Open port 111 (portmapper) and 2049 (nfs) as well.
>
> Done.
>
> Now, from any client (which should be running the automounter (autofs) by
> default), you should be able to
>
> cd /net/nfsserver/exported/partition
>
> I have all this up and running, and it's pretty cool to watch video that
> resides on my main pc (nfs server) on my big hdtv, via nfs and a wireless
> laptop that sits on top of my tv.




EXCELLENT! This is the same thing I've been struggling with and you've
nailed a solution for me.


This one goes in my log book.

This naturally leads me to the next question. What kind of a more
"hands off" solution can be arrived at so the less technically oriented
can configure NFS on their network? The randomness of the ports seems
to be a gotcha if you want to use a firewall without customizing it.


Thanks for the solution.

~~R

 
01-01-2008, 10:26 PM
John Summerfield
NFS versus the firewall

Charles Curley wrote:
> On Tue, Jan 01, 2008 at 12:25:05PM +1030, Tim wrote:
>> Something has bugged me for ages about trying to use NFS between
>> machines on the LAN.
>
> http://www.charlescurley.com/nfs.html


That's nearly right, I think you found the same howto I did a while ago.

It's true that the ports used by NFS and associated services tend to
float and need to be fixed.


The correct, ootb way to do it I think I've already mentioned on this
list, and Amadeus W.M. has the right way for RHEL and its kin.


Tim, I think that the "open NFS" checkbox should lock these ports. I
don't use the standard firewall tools; if it doesn't do that, then
perhaps you could bz it? It's a fair expectation that "allow access to
my NFS server" means do all things necessary to "allow access to my NFS
server."



--

Cheers
John

-- spambait
1aaaaaaa@coco.merseine.nu Z1aaaaaaa@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

 
01-02-2008, 02:29 AM
"Mr.Scrooge"
NFS versus the firewall

I have been watching this one for just this reason. Thanks, this seems to explain some issues I was
having with a file server I was attempting to access. I settled for samba in the end, though it
nags at me to "settle" for anything. I will have to try this when I find a spare moment.

Happy New Year,
-Max
--- "Amadeus W.M." <amadeus84@verizon.net> wrote:


>
> The difficulty with nfs is that it uses a few auxiliary rpc services,
> which by default get started on a random port. These random ports must be
> open in the firewall, but because they are random, the iptables has no
> idea what they might be.
>
> The cure is to force these services to ALWAYS start on pre-assigned
> ports, and open these ports in the firewall.
>
> To this end, on the nfs server
>
> 1) Create a file /etc/sysconfig/nfs with the following contents:
>
> RQUOTAD_PORT=4000
> LOCKD_TCPPORT=4001
> LOCKD_UDPPORT=4001
> MOUNTD_PORT=4002
> STATD_PORT=4003
>
> The nfs config file already exists, but it's full of comments. Erase
> everything and put these lines in, or just edit the appropriate lines in
> the existing file. You can choose any ports available, not necessarily
> 4000-4003.
>
>
> 2) Open range 4000-4003 tcp and udp in iptables. This you can do
> manually, but it can be done from system-config-firewall very easily and
> intuitively.
>
> 3) Open port 111 (portmapper) and 2049 (nfs) as well.
>
> Done.
>
>
> Now, from any client (which should be running the automounter (autofs) by
> default), you should be able to
>
> cd /net/nfsserver/exported/partition
>
>
> I have all this up and running, and it's pretty cool to watch video that
> resides on my main pc (nfs server) on my big hdtv, via nfs and a wireless
> laptop that sits on top of my tv.
>
>




 