Re: nfs through dsl router
> > jeez, guys, it was only up for about 5 minutes -- I'm not THAT stupid (though
> > I can be pretty dumb if left to my own devices)
> Sometimes that's all it takes.
ok, point taken.
>
> rpcinfo uses portmap. portmap is a daemon to help handle a bunch of rpc
> (remote procedure calls) in glibc.
got it, thanks.
> set up. Also, portmap will expose your mount and umount commands in the
> clear over the internet-- this may or may not be an issue. People can
> learn that you have an nfs server at work and may try to attack it.
> Assuming your /etc/exports, /etc/hosts.allow, /etc/hosts.deny, sshd and
> firewall rules are all set up properly, this won't be an issue. This is a
> lot to take into consideration though-- which is one reason why NFS is
> notorious for its security. It can be made quite secure, but getting it
> there takes patience and a lot of attention to detail.
hmm. how would you recommend that hosts.allow and hosts.deny be set
up? And the firewall -- do I mostly want to let through only web
traffic, mail traffic, and ssh?
>
> The home router isn't a problem-- this is why nfs over ssh is a nice
> alternative to IPsec or afs-- ssh works fine with NAT.
... as I now understand, because finally, my setup is WORKING!!! thanks Jamie!
> First off, is 128.100.34.9 the server's ip address that ssh is listening
> on? In other words, it needs to be the *actual* ip address of the
> server (e.g., what you use ssh to), not the company gateway machine or
> similar. Often this is a non-routable address like 192.168.x.x or
> 10.x.x.x. Because you listed a routable address, I just wanted to make
> sure you were using the right one.
in fact it is a routable address. What would I have to do if it
weren't a routable address? I ask because it might (possibly) be
convenient for me to do the nfs mount in the other direction too, and
my home computer is (as I said) behind a router.
>
> > 2) edit nfs init script
> > ...er... that didn't go so well! it was easy to get nfs to
> >
> Don't bother with this at first. Just get ssh and nfs working.
> Basically, you can selectively kill any ssh pids that are dealing with
> your nfs connection, but not have to kill the whole sshd server each
> time-- that was in the article only as a convenience. NFS *must* be
> started before ssh, and nfs-user-server sometimes gets confused when
> things aren't quite right. Try this after a failed mount attempt:
>
> kill <pids of ssh that are used with nfs (see with 'ps auxww')>
> /etc/init.d/nfs-user-server stop
> /etc/init.d/nfs-common stop
> /etc/init.d/portmap stop
> /etc/init.d/portmap start
> /etc/init.d/nfs-common start
> /etc/init.d/nfs-user-server start
hmmm... would it also make sense to edit the scripts in rcX.d so
that the Sxxnfs-user-server scripts have lower numbers than the
Syysshd scripts?
>
> Restarting the nfs server in this way makes sure you have a clean slate.
> This should be all you need to do-- and you shouldn't have to resort to
> remotely restarting ssh.
good, since I find the latter frightening
> > 3. setup iptables (in my case using ipmasq)
> >
> But this isn't really needed in your situation because you said
> you already have ssh connectivity to your server from home. This is
> *all* that is required. If you couldn't ssh to your work machine, then
> that would be different. You should be able to get away with not
> allowing in portmap, if you specify all the options needed to mount (in
> other words, mount doesn't need to query portmap). However, you may
> find that allowing your client access to tcp port 111 is easier (in this
> case, you will need to figure out a way to update the firewall-- a
> script every five minutes would not be bad).
>
i think I understand that
> > For now I just entered my current IP, which works fine.
> >
> > CLIENT CONFIGURATION
> >
> > 3. mount the nfs volume... ... this always fails catastrophically.
> > In particular, I never seem to be able to open up the requisite ports
> What mount command are you specifying? As far as the router, the client
> is making direct connections to the server over the ssh port, and the
> server is responding, shouldn't need to forward anything. You may find
> port forwarding tcp port 111 to your home machine is worthwhile. Your
> home machine should have portmap controlled in /etc/hosts.allow|deny and
> also with iptables/ipchains to only allow access from the server. I
> assume that you have nfs-common and portmap installed and running at
> home and have the necessary utilities to mount nfs volumes?
the problem was, I think, that I initially didn't have iptables set up
right. Now I do, and everything works great! thanks!!!
>
> Good luck.
>
> Jamie
>
> PS-- having said all of this, you might try a VPN solution. I use vtund
> and mount nfs volumes from remote laptops without issue. This way you
> set up the nfs server in the usual way, have your client VPN into the
> network, and you have access. Of course, this may be too much access
> from home-- just a thought.
VPN looks really neat, and I guess it would make it easier e.g. to
export X sessions from one machine to another -- wouldn't it? Right
now it seems like I can't get the X server on my work machine to export
a window to a client session on my home machine -- VPN should make that
easier, by specifying a local, network IP -- right?
but for now, I don't think I have time to set up the VPN -- thanks for
your help on this!
matt
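As an added example (not part of Matt's or Jamie's mail, nor of any Debian package), the following POSIX shell script collects the pieces discussed above into a few functions that print, rather than run, the commands: the server-side hosts.allow/hosts.deny and iptables entries that restrict portmap to one client, the clean-slate stop/start sequence after a failed mount, and the client-side ssh tunnel plus a mount command that passes port= and mountport= explicitly so mount never has to query the server's portmap. It goes slightly beyond the thread by showing both the server and the client side together. The client address 192.0.2.10, the server matt@198.51.100.7, the export /home/matt, the local ports 2049/3049 and the server's mountd port 4002 are all assumptions; on a real server read the mountd port from `rpcinfo -p`, since it can change between reboots.

```shell
#!/bin/sh
# Added example (not from the thread): print the server-side access-control
# entries and the client-side tunnel/mount commands for NFS over ssh.
# Nothing is executed unless you run it with "show" and paste the output.
# All addresses, paths and the mountd port below are assumptions.

# --- server side: let only the home client reach portmap (tcp/udp 111) ---

# /etc/hosts.allow entry: tcp_wrappers lets portmap answer one client only.
hosts_allow_line() {
    printf 'portmap: %s\n' "$1"
}

# /etc/hosts.deny entry: everyone else is refused (hosts.allow is checked first).
hosts_deny_line() {
    printf 'portmap: ALL\n'
}

# iptables rules with the same policy, so port 111 is closed to the
# internet even if the wrapper check is bypassed.
iptables_rules() {
    client=$1
    for proto in tcp udp; do
        printf 'iptables -A INPUT -p %s --dport 111 -s %s -j ACCEPT\n' "$proto" "$client"
    done
    for proto in tcp udp; do
        printf 'iptables -A INPUT -p %s --dport 111 -j DROP\n' "$proto"
    done
}

# Clean-slate restart after a failed mount: stop in reverse order, then start
# portmap first and the nfs server last. Kill only the ssh processes that carry
# the nfs tunnel (find them with 'ps auxww'); sshd itself stays up.
restart_nfs_stack() {
    for svc in nfs-user-server nfs-common portmap; do
        printf '/etc/init.d/%s stop\n' "$svc"
    done
    for svc in portmap nfs-common nfs-user-server; do
        printf '/etc/init.d/%s start\n' "$svc"
    done
}

# --- client side: tunnel nfsd and mountd through ssh, mount via localhost ---

# $1 user@server, $2 mountd port on the server (from 'rpcinfo -p' there),
# $3 local port for nfsd (server tcp 2049), $4 local port for mountd.
tunnel_cmd() {
    printf 'ssh -f -N -L %s:localhost:2049 -L %s:localhost:%s %s\n' "$3" "$4" "$2" "$1"
}

# With port= and mountport= given explicitly, mount never asks the server's
# portmap, so the client needs nothing but the ssh port (and NAT is no issue).
# $1 exported path, $2 local mount point, $3 local nfs port, $4 local mountd port.
mount_cmd() {
    printf 'mount -t nfs -o tcp,port=%s,mountport=%s localhost:%s %s\n' "$3" "$4" "$1" "$2"
}

case "${1:-}" in
show)
    echo '# server: /etc/hosts.allow';   hosts_allow_line 192.0.2.10
    echo '# server: /etc/hosts.deny';    hosts_deny_line
    echo '# server: firewall';           iptables_rules 192.0.2.10
    echo '# server: clean restart';      restart_nfs_stack
    echo '# client: tunnel, then mount'; tunnel_cmd matt@198.51.100.7 4002 2049 3049
                                         mount_cmd /home/matt /mnt/work 2049 3049
    ;;
esac
```

Run it as `sh nfs-over-ssh.sh show` and paste each section where it belongs; the mount has to be run as root on the client after the ssh tunnel is up.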