
Re: nfs-kernel-server and firewalls



Been following this thread and understand that the goal is to configure a
firewall to control access to the ports used for NFS. If so, then suggest
the following:

#!/bin/sh

# Build one rule per registered RPC (proto, port) pair.  rpcinfo -p prints
# "program vers proto port service", so take fields 3 and 4 together and
# drop duplicates (several program versions often share one port).
# Replace <target> (e.g. ACCEPT) and <srcip> with your own values.
rpcinfo -p | awk '$3 == "tcp" || $3 == "udp" {print $3, $4}' | sort -u |
while read -r PROTO PORT_NUM
do

      iptables -A INPUT -j <target> -s <srcip> -p $PROTO --dport $PORT_NUM
      ...
done


Hope this is helpful.


On Fri, 2 Jul 2004, Tom Allison wrote:

> Tadeusz Bak wrote:
> >
> > On Thu, 1 Jul 2004, Tom Allison wrote:
> >
> >
> >>Portmapper sits on one port, but it's redirecting the nfs connection all
> >>over the place.  I can't seem to nail it down to one set of ports.
> >
> >
> > The rpc services called by portmapper can be bound to specific ports, see
> > man pages for details. To find out what services are registered run:
> > rpcinfo -p
> >
> > Greetings,
> >   Tad
> >
> >
>
> I have one connection working, always did.
> The working machine is on 192.168.1.0/24, the non-working machine is on
> 192.168.0.0/24 (DMZ)
>
> /etc/exports:
> /var/www        192.168.1.0/24(rw,no_root_squash)
>
> These are identical on both machines
> /etc/hosts.allow is identical on both machines (empty)
>
> I've opened up port 111 (sunrpc) for both udp and tcp protocols
> and restarted both the port mapper and the nfs-kernel-server.
>
> Now I get iptables blocking on port 989/udp->989/udp (ftps-data) which
> doesn't make any sense.  Next time I try to mount I get 995->989 and it
> keeps changing with each trial of 'mount -t nfs cling:/var/www/ /cling/'
> (cling is the machine name, DNS works great!).
>
> I'm not really sure what's roaming on the IP addresses, but I kind of
> can't use that under a firewalled device.
>



Ernest Johanson
Systems Administrator
Fuller Theological Seminary
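Added example, not from the original message: a POSIX sh function that parses rpcinfo -p output (a constructed sample is embedded below) and emits one iptables rule per distinct protocol/port pair, so UDP-only services do not get a TCP hole and duplicate program versions collapse into one rule. The target and source network are arguments; the function names and the sample service/port values are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): turn `rpcinfo -p` output into
# iptables rules that keep protocol and port together, so a UDP-only service
# does not get an unnecessary TCP hole, and duplicates (several program
# versions on the same port) collapse into one rule.

# Constructed sample of `rpcinfo -p` output for a typical NFS server.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    989  mountd
    100005    1   tcp    992  mountd
    100024    1   udp    995  status'

# Usage: rpc_rules <target> <source-cidr> <rpcinfo-output>
# Prints one iptables command per distinct (proto, port) pair; pipe the
# output into sh once you have reviewed the list.
rpc_rules() {
    target=$1; src=$2; rpcinfo=$3
    printf '%s\n' "$rpcinfo" |
        awk '$3 == "tcp" || $3 == "udp" { print $3, $4 }' |
        sort -u |
        while read -r proto port; do
            printf 'iptables -A INPUT -s %s -p %s --dport %s -j %s\n' \
                "$src" "$proto" "$port" "$target"
        done
}

# Number of rules that would be generated; a quick sanity check before
# loading them into a live firewall.
rpc_rule_count() {
    rpc_rules "$@" | wc -l | tr -d ' '
}

rpc_rules ACCEPT 192.168.0.0/24 "$SAMPLE_RPCINFO"
```

The rpcinfo snapshot is only valid until the RPC daemons restart, since mountd and statd take a fresh port each time unless pinned as Tad describes, so rerun this after any restart.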


