
Re: s-s-s-l-l-l-o-o-o-w-w-w nfs connect ???



That did it -- thank you.

Jason Lunz wrote:
> 
> mds@helices.org said:
> >> is the fast client running portmap and the slow one not?
> > Good catch!  Thank you.
> >
> > How does the slow system, without portmap, ever get the connection?
> 
> It times out.
> 
> > Isn't portmap a security hole?
> 
> Not unless you have a crappy portmap. Portmap itself is pretty simple,
> and thus easily auditable. That makes it more trustworthy to me. The
> other RPC services that portmap may be mapping are another story. But in
> this case, you're only running portmap on the client.
> 
> The fact that you're using nfs at all shows that you're willing to risk
> some exposure. I wouldn't use nfs on an untrusted network.
> 
> > Is this the ``right'' way to do this?
> 
> I believe so, but I'm no nfs admin. The failure you get without portmap
> is this in your kernel log:
> 
>         portmap: server localhost not responding, timed out
>         lockd_up: makesock failed, error=-5
> 
> So it seems that the client wants to see if lockd is running on
> localhost, and times out when asking portmap about it.
> 
> If you're really concerned about security, just firewall everything but
> localhost from accessing your sunrpc port. It looks like no remote
> connections need to be made to it.

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .
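
The loopback-only restriction on the sunrpc port suggested in the quoted reply, as an added example that is not part of the original thread. It assumes Linux with iptables and the INPUT chain, which the thread does not specify; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: keep portmap (sunrpc, port 111) reachable from localhost only.
# Assumption: iptables on Linux, rules appended to the INPUT chain.
SUNRPC_PORT=111

# Print the rules as text so they can be reviewed before being applied.
# The loopback ACCEPT must come before the DROP, otherwise the local
# lockd lookup times out again, as in the kernel log quoted above.
sunrpc_rules() {
    for proto in tcp udp; do
        echo "-A INPUT -i lo -p $proto --dport $SUNRPC_PORT -j ACCEPT"
        echo "-A INPUT -p $proto --dport $SUNRPC_PORT -j DROP"
    done
}

# Apply the rules (needs root). Word splitting of $rule is intentional.
apply_sunrpc_rules() {
    sunrpc_rules | while read -r rule; do iptables $rule; done
}

# Audit a rule listing in `iptables -S INPUT` format read from stdin.
# Passes (exit 0) only if, for both tcp and udp, port 111 is accepted on
# lo and then dropped or rejected for everything else, with no other
# ACCEPT in between. A default-DROP chain policy is not considered.
sunrpc_locked_down() {
    awk -v port="$SUNRPC_PORT" '
    {
        proto = ""; dport = ""; iface = ""; target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-i") iface = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (dport != port || closed[proto]) next
        if (target == "ACCEPT" && iface == "lo") lo_ok[proto] = 1
        if (target == "ACCEPT" && iface != "lo") bad = 1
        if ((target == "DROP" || target == "REJECT") && iface == "") {
            if (!lo_ok[proto]) bad = 1   # localhost would be blocked too
            closed[proto] = 1
        }
    }
    END { exit !(closed["tcp"] && closed["udp"] && !bad) }'
}

# Self-check: the generated rules must pass the audit.
sunrpc_rules | sunrpc_locked_down && echo "sunrpc: loopback only"
```

On a live host, `iptables -S INPUT | sunrpc_locked_down` runs the same audit against the rules actually loaded.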


