
Re: nfs through dsl router



James, Bob, and others, 

thanks for your help.  sorry to take so long getting back (see below
for explanation!)

On Sat, Jun 21, 2003 at 12:24:05AM -0400, James Strandboge wrote:
> > 
> Ouch.  You may already be hacked.

jeez, guys, it was only up for about 5 minutes -- I'm not THAT stupid (though
I can be pretty dumb if left to my own devices)
> 
> The ports are portmap and whatever is listed with 'rpcinfo -p'.

thanks.  I think I understand (though I don't see how to get information using portmap.)

> 
> But please don't do this at all-- you are opening yourself up to a whole
> bunch of problems.  

do you mean, don't do NFS via ssh either?

> I'd recommend scp.  

scp is very cool,  thanks for the recommendation.  

> If you must have nfs, it is possible to use nfs with
> ssh.  See:
> 
> http://www.samag.com/documents/s=4072/sam0203d/sam0203d.htm

this is a great article, James, thanks for writing it and pointing me
to it.

Unfortunately, even with directions as explicit and clear as yours, I
couldn't get NFS over SSH to work for me.  I think the issue is part
denseness, part the result of working around my home router, and not
understanding port forwarding very well; and at least a small part is
a little harder to explain.

Hope folks don't mind if I go through James' article step by step.  

SERVER CONFIGURATION

1) setting up /etc/exports
	no problem.  added this line:
	#trying to do ssh tunnelling
	/home/matt/Projects	128.100.34.9(ro,insecure,root_squash)

2) edit nfs init script 
	...er... that didn't go so well!  it was easy to get nfs to
stop and kill sshd before working, by adding the lines:

/etc/init.d/ssh stop
killall sshd

at the beginning of the script

but no matter where I put the restart command:

/etc/init.d/ssh restart

I couldn't get sshd to start back up again.  James, do you have a copy
of a working /etc/init.d/nfs-user-server that starts ssh and then
restarts it?  I think I don't fully understand the bash syntax (sorry
for my ignorance).

(this is part of the reason I've taken so long replying -- I couldn't
log in to my work account and my email environment for two days!).

3. set up iptables (in my case using ipmasq) 

had a little trouble here specifying the address of my client (home)
machine, which is set dynamically by pppoe.  Finally realized that I
couldn't do as I'd planned and enter my dyndns domain name, since it
can't be determined without DNS, and iptables really didn't want to
let me use dns.  I'm wondering if this can somehow be done with a
script -- run a cron job every five minutes that checks the IP address
of my dyndns.org domain, exports the value as a variable, which is
then read by iptables/ipmasq.  Does that sound like it would work?
Anyone know a tool that just returns an IP address?

For now I just entered my current IP, which works fine.  

CLIENT CONFIGURATION
1. get server's ports
no problem.  here's the current output:
matts-mac:~# rpcinfo -p 128.100.34.9
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    865  status
    100024    1   tcp    868  status
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    986  mountd
    100005    2   udp    986  mountd
    100005    1   tcp    989  mountd
    100005    2   tcp    989  mountd

2. set up tunnel
this usually works, with a command like this: 

ssh -f -c blowfish -L 2820:128.100.34.9:2049 -L 3047:128.100.34.9:989 -l matt 128.100.34.9 /bin/sleep 86400

right now I seem to have broken the networking on my home computer
(see separate post, to follow) but I expect this part will work
eventually.

3. mount the nfs volume...  ... this always fails catastrophically.
In particular, I never seem to be able to open up the requisite ports
on the client end.  I suspect this has something to do with the home
network.  Now, on my router (an SMC Barricade, with a web-only
interface) I don't have tons of options.  I can forward individual
ports directly from the router to the home computer; or I can put the
home computer in a DMZ.  Will either of these strategies work?  what
further information can I provide to help with diagnosis?

whew.  Thanks for the help you've already given, and thanks for help
in solving my current conundrum.  best,

Matt
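The two client steps above (read `rpcinfo -p`, then forward only the TCP ports for nfs and mountd through ssh) as an added Python example; it is not code from this thread or from James' article. It parses the listing quoted in the message and builds the tunnel command and the matching mount command. Assumed: the Linux mount option names `port=` and `mountport=`, the local ports 2820/3047 from the message, and no `-c blowfish` (modern OpenSSH no longer offers that cipher).

```python
from typing import Dict, List, Tuple

# Constructed sample: the `rpcinfo -p 128.100.34.9` listing quoted in the message.
RPCINFO_OUTPUT = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    865  status
    100024    1   tcp    868  status
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    986  mountd
    100005    2   udp    986  mountd
    100005    1   tcp    989  mountd
    100005    2   tcp    989  mountd
"""

def parse_rpcinfo(text: str) -> List[Tuple[int, int, str, int, str]]:
    """Turn `rpcinfo -p` output into (program, version, proto, port, name) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue  # header line or something we do not understand
        prog, vers, proto, port, name = parts
        rows.append((int(prog), int(vers), proto, int(port), name))
    return rows

def tcp_ports(rows, names=("nfs", "mountd")) -> Dict[str, int]:
    """TCP port of each service to tunnel. ssh -L carries TCP only, so UDP rows are ignored;
    a service with no TCP registration, or with conflicting ones, is an error."""
    found: Dict[str, int] = {}
    for _prog, _vers, proto, port, name in rows:
        if proto != "tcp" or name not in names:
            continue
        if found.get(name, port) != port:
            raise ValueError(f"{name} advertises several TCP ports")
        found[name] = port
    missing = [n for n in names if n not in found]
    if missing:
        raise ValueError("no TCP registration for: " + ", ".join(missing))
    return found

def tunnel_command(server: str, user: str, ports: Dict[str, int],
                   local_nfs: int = 2820, local_mountd: int = 3047) -> str:
    """ssh command forwarding two local ports to nfs and mountd on the server (assumed port numbers)."""
    return (f"ssh -f -L {local_nfs}:{server}:{ports['nfs']} -L {local_mountd}:{server}:{ports['mountd']} "
            f"-l {user} {server} /bin/sleep 86400")

def mount_command(export: str, mountpoint: str, local_nfs: int = 2820, local_mountd: int = 3047) -> str:
    """Mount via the tunnel: the client talks to localhost, so only the ssh port is exposed (Linux options assumed)."""
    return f"mount -t nfs -o tcp,port={local_nfs},mountport={local_mountd} localhost:{export} {mountpoint}"
```

Only port 22 needs to be reachable on the server for this to work; NFS, mountd and portmap can stay firewalled from the outside.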



