NFS and firewall

Rick Stevens rstevens at vitalstream.com
Tue Aug 30 17:59:08 UTC 2005


brad.mugleston at comcast.net wrote:
> I'm trying to set NFS up on my home computers and from going
> through the HOW-TO and other write-ups it should be working, but
> it's not.  I can ping from machine to machine, I'm using IP
> address to allow everything to work as suggested in the writeups
> (for instance /etc/exposts is /home
> 192.168.1.0/255.255.255.0(rw)).
> 
> I'm getting an error message
> 
> rpcinfo:can't contact portmapper: RPC:Remote system error- No
> route to host
> 
> Searching on the web it sounds like I may have a firewall set up
> too restrictive but as far as I can tell I've every firewall down.
> 
> So, how can I tell the status of a firewall?

A "no route to host" error generally indicates a routing issue.  Can
you "ping" the NFS server?  If not, check the routes (this includes
such mundane things as netmasks and routers) and see what's going on.

As far as firewalls are concerned, just do "iptables -L -n".  If you
don't get a list of rules, your internal firewall is not running.  With
external firewalls, you'll have to manually check them.

Unfortunately, NFS is a difficult thing to set up cleanly on a firewall
because the portmapper changes port numbers used for the various
services on the fly.  This is especially nasty if you're using UDP
transport for NFS (the default).  You can specify TCP transport if
your NFS server can run NFS V3 or V4.  In fact, for heavy NFS activity,
I'd recommend it.

You can find out which ports your NFS server is using for the various
services by getting on the NFS server and using "rpcinfo -p".  Provided
you can fix the route issue, "rpcinfo -p <name-of-NFS-server>" can
get the same information remotely.  You can then tailor the firewall
based on that, but be aware that the port numbers used will likely
change whenever the NFS server is rebooted.  That's the nature of the
beast.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-     Make it idiot proof and someone will make a better idiot.      -
----------------------------------------------------------------------
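
An added example, not part of the original message: one way to "tailor the firewall" from `rpcinfo -p` output, printing one iptables ACCEPT rule per unique protocol/port and limiting the source to the LAN from the exports line quoted above. The function names and the sample port numbers are constructed for illustration; because the ports can change on reboot, the rules have to be regenerated afterwards.

```shell
#!/bin/sh
# Added example: turn `rpcinfo -p` output into iptables ACCEPT rules.
# LAN comes from the exports line quoted in the post (assumption: same subnet).
LAN="192.168.1.0/24"

# Constructed sample of `rpcinfo -p` output; port numbers are illustrative.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp  32771  mountd
    100005    3   tcp  32772  mountd
    100021    4   udp  32769  nlockmgr
    100024    1   udp  32768  status
EOF
}

# Read `rpcinfo -p` output on stdin; print one rule per unique proto/port.
# Several program versions often share a port, so duplicates are dropped.
rpc_rules() {
    awk -v lan="$LAN" '
        $3 != "tcp" && $3 != "udp" { next }   # skips the header line too
        $4 !~ /^[0-9]+$/           { next }   # ignore malformed port fields
        !seen[$3 "/" $4]++ {
            printf "iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT  # %s\n",
                   lan, $3, $4, $5
        }'
}

# On a real NFS server: rpcinfo -p | rpc_rules
# Rules are only printed for review, never applied.
sample_rpcinfo | rpc_rules
```
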