
Re: NFS TCP Port



On Wed, 23 Mar 2005, Reuben D. Budiardja wrote:

I just upgraded my workstation to RHEL 4.

I have an NFS server running RHEL 3 with firewall. For this server, I open TCP
port 111 and UDP (ref: [1] ) on the firewall to allow NFS clients to connect.
Other machines running Redhat 9 can connect just fine with this setup to the
NFS server.

However, when I try to connect using my RHEL 4, the firewall did not allow me
to get in. Checking the NFS server log and Redhat docs, I found that
RHEL 4 NFS client tries to connect via TCP, on different ports every attempt.

How should I set the firewall if any new NFS connection uses a different TCP
port?

If I completely remove my firewall, RHEL 4 NFS client can connect just fine.

[1] I use shorewall as a front-end for iptables. NFS


Reuben
I'd suggest the easiest way to "fix" this problem is to use the "udp" option in the flags you're using on your RHEL4 NFS client. You're right in that your RHEL4 client is defaulting to NFS-over-TCP whereas previously under RHEL3 it used UDP (as did the workable shorewall rules I'd guess). Changing the NFS client options should at least reproduce the access your system was attempting when it was running RHEL3 and be successful. Handling the port agility of NFS isn't easy at the iptables level without forcing the components of NFS to use specific ports.


portmapper is static and therefore already handled with something like
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT

in /etc/sysconfig/iptables (no source IPs specified there so it's still pretty loose)

Forcing the various NFS services onto specific ports is possible although it's hampered on RHEL3 NFS servers (not RHEL4 though) by the inability to specify the ports for rpc.rquotad in sysconfig until the resolution of
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=128707 is available to all.


You'd need the base NFS ports
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT

in /etc/sysconfig/iptables

If you don't have quota'd shares on your NFS server then something like

STATD_PORT=32765
STATD_OUTGOING_PORT=32766     # not strictly necessary I'd suspect
MOUNTD_PORT=32767
LOCKD_TCPPORT=32768
LOCKD_UDPPORT=32768

in /etc/sysconfig/nfs plus

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 32765 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 32765 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 32767 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 32767 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 32768 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 32768 -j ACCEPT

in /etc/sysconfig/iptables

You could use the slightly higher level approach of tcpwrappering portmap with blocking specified in /etc/hosts.{allow,deny} as another alternative.

Basically using your existing rules and forcing the client to UDP or using tcpwrappered portmap are the easiest approaches.

Regards,
     Stephen
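The pinned-port approach above has two loose ends that a practitioner will want to close: the rules as written accept from any source, and nothing confirms that the daemons actually came up on the ports written into /etc/sysconfig/nfs (a service that ignores its setting, or rpc.rquotad on an RHEL3 server, silently lands on a random port and is then blocked). The script below is an added example, not part of Stephen's reply or of any Red Hat tooling. It takes the sysconfig values from his message, derives the matching RH-Firewall-1-INPUT rules (optionally restricted to a source subnet, which the reply notes is missing), and checks a constructed `rpcinfo -p` listing for registrations outside the allowed set. The rpcinfo sample, in which statd has not picked up its pinned port, is invented for the demonstration; the column layout is the real `rpcinfo -p` format.

```shell
#!/bin/sh
# Added example (not from the thread): derive firewall rules from pinned NFS
# ports and verify an `rpcinfo -p` listing against them.

# Constructed /etc/sysconfig/nfs fragment; values copied from the reply.
NFS_SYSCONFIG='STATD_PORT=32765
STATD_OUTGOING_PORT=32766     # source port of outgoing calls, not inbound
MOUNTD_PORT=32767
LOCKD_TCPPORT=32768
LOCKD_UDPPORT=32768'

# Print the inbound ports the firewall must allow, sorted and de-duplicated:
# portmapper (111), nfsd (2049) and every pinned statd/mountd/lockd port.
# STATD_OUTGOING_PORT is deliberately excluded (it is not a listening port).
nfs_inbound_ports() {
    { printf '111\n2049\n'
      printf '%s\n' "$1" | awk -F= '
          /^(STATD_PORT|MOUNTD_PORT|LOCKD_TCPPORT|LOCKD_UDPPORT)=/ {
              sub(/[ \t#].*/, "", $2); print $2 }'
    } | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Emit /etc/sysconfig/iptables lines for each port, TCP and UDP, in the same
# RH-Firewall-1-INPUT chain the reply uses.  An optional second argument is a
# source CIDR (e.g. the client LAN); with it, the rules stop being "pretty
# loose" because only that subnet may open NFS connections.
nfs_iptables_rules() {   # $1 = space-separated ports, $2 = optional source CIDR
    for p in $1; do
        for proto in tcp udp; do
            printf '%s %s-m state --state NEW -m %s -p %s --dport %s -j ACCEPT\n' \
                "-A RH-Firewall-1-INPUT" "${2:+-s $2 }" "$proto" "$proto" "$p"
        done
    done
}

# Constructed `rpcinfo -p` output for a server that was restarted after
# editing /etc/sysconfig/nfs but where statd did not take its pinned port.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100024    1   udp    918  status
    100024    1   tcp    921  status
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100021    1   udp  32768  nlockmgr
    100021    1   tcp  32768  nlockmgr'

# Print "proto port service" for every RPC registration whose port is not in
# the allowed list.  Empty output means the firewall rules cover every
# registered service; anything printed is a service clients will hang on.
rpc_services_outside() {   # $1 = rpcinfo -p text, $2 = allowed ports
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && NF >= 5 && !($4 in ok) { print $3, $4, $5 }'
}

# Demonstration run: rules for a 192.168.1.0/24 client LAN (constructed
# subnet), then the list of services the rules would NOT cover.
PORTS=$(nfs_inbound_ports "$NFS_SYSCONFIG")
echo "# allowed inbound ports: $PORTS"
nfs_iptables_rules "$PORTS" 192.168.1.0/24
echo "# RPC services registered outside the allowed ports:"
rpc_services_outside "$RPCINFO_SAMPLE" "$PORTS"
```

On a real server the check is `rpc_services_outside "$(rpcinfo -p)" "$PORTS"` run after `service nfs restart`; rpc.rquotad on an RHEL3 server shows up in exactly the same way as statd does here, which is why the reply suggests the approach only when you have no quota'd exports.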

