
Re: OT - NFS through firewalls



David,

* David Wright <ichbin@shadlen.org> [2002-Mar-28 12:19 AKST]:
> With the setup you describe, I don't believe you should even be able to
> ping the NFS server from the clients, much less mount a volume. Try it!

I can ping the NFS server, and mount the NFS drive.  Both work because
the clients have the internal firewall interface as their gateway
address, and the firewall is re-writing all packets from behind the
firewall to look like they come from the firewall's external interface.

So the clients request a mount from the server, through the firewall,
and the NFS server replies to the firewall machine (which the 
firewall's iptables routes to the client making the request).

I've mounted the same NFS partition on all three clients successfully.
And I can even edit a file simultaneously on both machines.

> The trouble is that there is no way for the NFS server to address a
> client; so while a packet might get to from a client, there is no way it
> can send a response.

The NFS server sends a response to the firewall machine on a particular
port (which is different for each client) and iptables takes these
packets and routes them to the proper client.  It doesn't sound
possible, but I'm watching it right now.

> Also, I don't really understand why you want this firewall. Is the NFS box
> the only thing on that side? Then why not run iptables directly on the NFS
> box?

The NFS box is one of many machines that have real IP addresses, and are
connected to the Internet.  The clients are cluster nodes joined
together by a ``master node'' which is labelled as the firewall machine
on my previous diagram.

I'm doing this because I don't want to have to assign real (and limited)
IP addresses to the cluster nodes, and because the cluster nodes need to
be really friendly with each other (MPI uses rsh type protocols to
transfer data) I want them to be protected from the world at large.

But my users have large amounts of data on several NFS RAID arrays that
are outside the cluster.  I could either mount these NFS drives on the
master (firewall) node and then NFS mount the NFS-mounted drives on each
client, or mount the NFS drives directly (through the firewall).  I'm
wondering if either method is viable.  If they aren't, the third option
is to put a large ``temporary'' disk on the master (firewall) node,
mount the external RAID arrays only on the master and tell users they
need to copy their data from the RAID arrays onto the temp space on the
master.  Lots o' copying / deleting / etc.

Does that make more sense?

Thanks,

Chris
-- 
Christopher S. Swingley           phone: 907-474-2689
Computer Systems Manager          email: cswingle@iarc.uaf.edu
IARC -- Frontier Program          GPG and PGP keys at my web page:
University of Alaska Fairbanks    www.frontier.iarc.uaf.edu/~cswingle
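The masquerading setup Chris describes (cluster nodes with private addresses, the master node as their gateway, NFS servers on the real-IP side) can be written down as an iptables rule set for the master. The script below is an added example, not code from the original thread or from any of the posters; the interface names, the cluster subnet, the NFS server address and the pinned mountd port are assumptions, and the `nat_rules` function only prints the commands so they can be reviewed (the `apply` mode pipes them into a shell). The important point for the NFS server side is that every cluster node reaches it with the master's external address as source, so the server's `/etc/exports` entry names only that one address and cannot tell the nodes apart; keep `root_squash` on unless root on any cluster node should be root on the export. Repeat the three `-d $nfs` lines for each additional server, and make sure `rpc.mountd` on each server is started with a fixed port, because the portmapper otherwise hands it a different port each boot and the FORWARD filter cannot match it.

```shell
#!/bin/sh
# Added example (not from the original thread): NAT/masquerade rule set for a
# cluster "master node" that is the default gateway for private-address
# cluster nodes and lets them mount NFS exports from servers on the real-IP
# side.  Interface names, subnet, server address and the pinned mountd port
# are all assumptions; adjust them for the real site.
EXT_IF="${EXT_IF:-eth0}"                     # real-IP side (toward NFS servers)
INT_IF="${INT_IF:-eth1}"                     # private side (toward cluster nodes)
CLUSTER_NET="${CLUSTER_NET:-192.168.1.0/24}" # assumed private cluster subnet
NFS_SERVER="${NFS_SERVER:-10.0.0.5}"         # assumed address of one NFS server
MOUNTD_PORT="${MOUNTD_PORT:-32767}"          # assumed; rpc.mountd must be pinned
                                             # to this port on the server

# Emit the commands rather than run them, so the rule set can be reviewed
# without root.  Packets from the cluster leave $EXT_IF rewritten to its
# address; connection tracking records client:port -> translated port and
# undoes the rewrite on the server's replies, which is why each client's
# replies arrive at the master on a different port.
nat_rules() {
    ext="$1"; int="$2"; net="$3"; nfs="$4"; mountd="$5"
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $ext -s $net -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $int -o $ext -s $net -d $nfs -p udp --dport 111 -j ACCEPT
iptables -A FORWARD -i $int -o $ext -s $net -d $nfs -p udp --dport 2049 -j ACCEPT
iptables -A FORWARD -i $int -o $ext -s $net -d $nfs -p udp --dport $mountd -j ACCEPT
iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Show the live translations toward one NFS server, i.e. the per-client
# port mappings the replies come back on (2.4-era conntrack table; on
# newer kernels use: conntrack -L -d "$1").
show_nfs_conntrack() {
    grep "dst=$1 " /proc/net/ip_conntrack 2>/dev/null
}

case "${1:-print}" in
    print) nat_rules "$EXT_IF" "$INT_IF" "$CLUSTER_NET" "$NFS_SERVER" "$MOUNTD_PORT" ;;
    apply) nat_rules "$EXT_IF" "$INT_IF" "$CLUSTER_NET" "$NFS_SERVER" "$MOUNTD_PORT" | sh -e ;;
    watch) show_nfs_conntrack "$NFS_SERVER" ;;
esac
```

Run it with no argument to print the rules, `apply` (as root on the master) to install them, and `watch` while a client is mounting to see the translated source ports the server is replying to. The FORWARD chain only accepts NFS-related UDP from the cluster to the listed server and the tracked replies, so the rsh-style traffic MPI uses stays confined to the private side.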

