01-03-2004, 12:36 PM   #1
niverson (Member; Registered: Jun 2003; Location: Colorado; Distribution: Fedora Core 4; Posts: 128)
help with client side NFS-firewall setup and server side NIS-firewall setup


I have successfully set up the firewalls for my print server and NFS server. I'm having problems with the client-side setup of iptables for use with NFS. I set up the client firewall the same as the NFS server firewall, but I lose connectivity when I restart the client's iptables. I followed the following site http://www.lowth.com/LinWiz/nfs_help.html to set up the server-side firewall. What port numbers do I have to open in the firewall to allow my client to connect to the NFS shares? What file do I have to modify to set the NFS client port? I'm guessing that the NFS client port # is dynamic and jumps around with every boot.

Additionally, I set up a NIS server. My client machines can connect to the NIS server when I disable the firewall on the NIS server. I did an rpcinfo -p and opened all the yp-related port numbers in the firewall, but the client machines can't connect. Is there another port number I need to open up? The NIS and NFS server are on the same machine.

[root@fuzzhead sysconfig]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    391002    2   tcp  32768  sgi_fam
    100011    1   udp    714  rquotad
    100011    2   udp    714  rquotad
    100011    1   tcp    717  rquotad
    100011    2   tcp    717  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100021    3   udp   4001  nlockmgr
    100021    4   udp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100005    2   udp   4002  mountd
    100005    2   tcp   4002  mountd
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd
    100004    2   udp   1023  ypserv
    100004    1   udp   1023  ypserv
    100004    2   tcp    602  ypserv
    100004    1   tcp    602  ypserv
    100009    1   udp    653  yppasswdd
 600100069    1   udp    699  fypxfrd
 600100069    1   tcp    701  fypxfrd
    100007    2   udp    748  ypbind
    100007    1   udp    748  ypbind
    100007    2   tcp    751  ypbind
    100007    1   tcp    751  ypbind


ypbind is the client-side app, so I shouldn't have to open that port number on the firewall for access to the server, right? I opened the ypbind ports and the clients still can't connect.

Here is the iptables configuration from the NIS/NFS system. I used lokkit to set up an initial firewall and have been cutting, pasting, and modifying the port numbers as necessary.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 631 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 4000:4003 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 4000:4003 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 699 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 701 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 653 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 602 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 1023 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 1023 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 748 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 751 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 137:138 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 139 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 445 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 216.148.227.68 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 204.127.202.4 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT

My LAN has 3 Linux systems (1 Fedora, 2 RH 9) that are behind a hardware firewall-router that connects to a cable modem.


Any help is appreciated,
Nate
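The rpcinfo listing and the lokkit ruleset above contain enough to check mechanically which RPC endpoints the firewall leaves uncovered, and to generate tighter rules than hand-copied port numbers. The script below is an added example, not code from this thread or from lokkit; it assumes the chain name RH-Lokkit-0-50-INPUT from the posted ruleset, a constructed LAN range of 192.168.1.0/24, and the stateful match (-m state) that iptables ships with. Run against abbreviated copies of the posted listing and ruleset, it reports that the portmapper is accepted only over TCP, while RPC clients such as ypbind commonly query the portmapper over UDP.

```shell
#!/bin/sh
# Added example, not from the thread: derive firewall rules from "rpcinfo -p"
# output and find RPC endpoints that a hand-written ruleset leaves uncovered.

CHAIN=${CHAIN:-RH-Lokkit-0-50-INPUT}   # chain name taken from the posted ruleset

# Constructed sample: abbreviated copy of the rpcinfo -p listing in the post.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100004    2   udp   1023  ypserv
    100004    2   tcp    602  ypserv
    100007    2   udp    748  ypbind
    100007    2   tcp    751  ypbind'

# Constructed sample: abbreviated copy of the posted lokkit ruleset.
SAMPLE_RULES='-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 4000:4003 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 4000:4003 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 602 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 1023 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 748 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 751 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 216.148.227.68 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT'

# rpc_endpoints "<rpcinfo output>" [service ...]
# Prints unique "proto port service" lines, optionally limited to the named
# services (several versions of one service share a port, so duplicates go).
rpc_endpoints() {
    input=$1; shift
    printf '%s\n' "$input" | awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        $1 !~ /^[0-9]+$/ { next }                  # skip the header line
        NF >= 5 && (n == 0 || ($5 in keep)) {
            key = $3 " " $4 " " $5
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# uncovered_endpoints "<rpcinfo output>" "<iptables-save rules>" [service ...]
# Lists endpoints with no ACCEPT rule whose protocol and --dport (single port
# or lo:hi range) match; an empty result means every endpoint is reachable.
uncovered_endpoints() {
    input=$1; rules=$2; shift 2
    rpc_endpoints "$input" "$@" | while read -r proto port name; do
        if ! printf '%s\n' "$rules" | awk -v p="$proto" -v port="$port" '
            $0 ~ ("-p " p " ") && /-j ACCEPT/ {
                for (i = 1; i < NF; i++) if ($i == "--dport") {
                    split($(i + 1), r, ":")
                    lo = r[1]; hi = (r[2] == "") ? r[1] : r[2]
                    if (port + 0 >= lo + 0 && port + 0 <= hi + 0) found = 1
                }
            }
            END { exit found ? 0 : 1 }'
        then
            printf '%s %s %s\n' "$proto" "$port" "$name"
        fi
    done
}

# server_rules "<rpcinfo output>" <lan-cidr> [service ...]
# Emits iptables-restore lines: one stateful rule so replies to the server's
# own outbound traffic (DNS and the like) pass without per-resolver --sport 53
# rules, then one ACCEPT per endpoint, limited to the LAN instead of 0/0.
server_rules() {
    input=$1; lan=$2; shift 2
    printf '%s\n' "-A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    rpc_endpoints "$input" "$@" | while read -r proto port name; do
        printf '# %s\n' "$name"
        if [ "$proto" = tcp ]; then
            printf '%s\n' "-A $CHAIN -s $lan -p tcp -m tcp --dport $port --syn -j ACCEPT"
        else
            printf '%s\n' "-A $CHAIN -s $lan -p udp -m udp --dport $port -j ACCEPT"
        fi
    done
}

# Demo on the constructed samples: reports "udp 111 portmapper", then prints
# LAN-restricted rules for the NFS and NIS services (192.168.1.0/24 is a
# constructed example range).
echo "endpoints the posted ruleset does not accept:"
uncovered_endpoints "$SAMPLE_RPCINFO" "$SAMPLE_RULES"
echo
server_rules "$SAMPLE_RPCINFO" 192.168.1.0/24 portmapper status nfs nlockmgr mountd ypserv
```

The generated lines drop into the *filter section of an iptables-restore file in place of the hand-copied ACCEPT lines. Two things change compared with the posted ruleset: every RPC ACCEPT carries a -s source restriction instead of admitting any address, and the ESTABLISHED,RELATED rule at the top lets replies to the server's own queries through, which is what the two per-nameserver --sport 53 rules were patching around.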

02-01-2004, 01:22 PM   #2
niverson (Original Poster)
It has been a month with no response. It can't be that people run NFS clients without firewalls? Any firewall gurus out there?

Nate

02-01-2004, 08:40 PM   #3
aclaunch (Member; Registered: Sep 2003; Posts: 91)
I have a 2-computer network running NFS. I too had lots of problems with the firewalls on both computers blocking NFS until I started using Firestarter. This is a GUI-based firewall for GNOME (but works for KDE also). It allows you to specify "trusted computers", and what I did was to specify each computer as "trusted" to the other. Seems to work fine. Besides, I have a Linksys router with a built-in firewall so I think everything is safe.

For a more hands-on, configurable firewall, you might also want to look at Guarddog. I have problems with iptables so I go with the GUI.

Good Luck
Alan

02-02-2004, 08:52 AM   #4
niverson (Original Poster)
Thanks, I have my NFS server and print server computers firewalled. I'm just looking for the client-side setup that allows NFS. Every time I have tried to set the client-side firewall, my NFS shares go away. Your setup sounds similar to mine. My systems are behind a Linksys firewall (BEFSR41). I'm just trying to create another layer of security. I will try your suggestion, but my problem is more understanding how to make the client-side NFS ports static so I can open the correct ports in the client-side system's firewall.

Nate
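The posted ruleset explains the client-side symptom on its own: it has no rule accepting established traffic, only --dport ACCEPTs followed by a catch-all "-p udp -m udp -j REJECT". On the server that works, because requests arrive at the listed ports. On a client the NFS traffic consists of replies from the server's port 2049 to a dynamic client port, and since nfs is registered only over UDP in the rpcinfo listing, every reply hits the UDP REJECT and the mount dies. The second half of the problem is that the server also initiates traffic towards the client: its lockd and statd ask the client's portmapper (111) for the client's nlockmgr and status ports and then send lock callbacks and reboot notifications there, so those two client ports must be pinned and opened to the server. The script below is an added example, not code from the thread; it assumes a constructed server address 192.168.1.10, pinned client ports 4000 (statd) and 4001 (lockd), chosen to match the numbers the posted server already uses, the chain name from the posted ruleset, and the -m state match.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose why a copied server ruleset
# breaks an NFS client, and generate a client-side ruleset that works.

CHAIN=${CHAIN:-RH-Lokkit-0-50-INPUT}   # chain name taken from the posted ruleset

# Constructed sample: abbreviated copy of the ruleset posted in the thread.
POSTED_RULES='-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 216.148.227.68 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT'

# udp_replies_rejected "<iptables-save rules>"
# Succeeds when a catch-all UDP REJECT/DROP (no port match) appears with no
# ESTABLISHED state rule ahead of it: replies to the host's own UDP requests
# (NFS over UDP, portmap lookups, DNS) are then thrown away.
udp_replies_rejected() {
    printf '%s\n' "$1" | awk '
        /--state [A-Z,]*ESTABLISHED/ && /-j ACCEPT/ { stateful = 1 }
        /-p udp/ && !/--dport/ && !/--sport/ && /-j (REJECT|DROP)/ && !stateful { bad = 1 }
        END { exit bad ? 0 : 1 }'
}

# client_rules <nfs-server-ip> <statd-port> <lockd-port>
# Rules an NFS client needs on its INPUT path: accept loopback and tracked
# replies to its own requests; accept the server's callbacks, which go first
# to the client portmapper (111) and then to the client's pinned statd and
# lockd ports, from the server address only; reject everything else the way
# the posted ruleset does.
client_rules() {
    server=$1; statd=$2; lockd=$3
    printf '%s\n' "-A $CHAIN -i lo -j ACCEPT"
    printf '%s\n' "-A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in 111 "$statd" "$lockd"; do
        printf '%s\n' "-A $CHAIN -s $server -p udp -m udp --dport $port -j ACCEPT"
        printf '%s\n' "-A $CHAIN -s $server -p tcp -m tcp --dport $port --syn -j ACCEPT"
    done
    printf '%s\n' "-A $CHAIN -p tcp -m tcp --syn -j REJECT"
    printf '%s\n' "-A $CHAIN -p udp -m udp -j REJECT"
}

# Demo: diagnose the posted ruleset, then print a client ruleset for a
# constructed server address 192.168.1.10 with the client's statd pinned to
# 4000 and lockd to 4001 (the numbers the posted server pinned, per rpcinfo).
if udp_replies_rejected "$POSTED_RULES"; then
    echo "posted ruleset: catch-all UDP REJECT with no state rule; NFS-over-UDP replies are lost"
fi
client_rules 192.168.1.10 4000 4001
```

Pinning is what makes the two callback ports predictable on the client. On current Fedora and RHEL the nfs-utils init scripts read STATD_PORT, LOCKD_UDPPORT and LOCKD_TCPPORT from /etc/sysconfig/nfs; on systems of the thread's era the same effect comes from starting rpc.statd with -p and from the lockd kernel module's nlm_udpport and nlm_tcpport options (these mechanisms are from my own recollection, not from the thread, so confirm with rpcinfo -p on the client after a restart: status and nlockmgr should show the chosen ports). Once the state rule is in place, the ypbind and NIS lookups from a client also get their UDP replies back, which the posted ruleset would otherwise reject just as it rejects NFS replies.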