Do you by any chance have rules in your firewall that are doing NAT between the greater Internet and your private net (192.168.x.x)? If so, there is a real likelihood that a flaw in the rules may be doing you in. Once upon a time, I had a rule in my NAT table that said
iptables -t nat -A POSTROUTING -s 192.168.x.0/24 -j SNAT --to-source 216.39.145.64
This rule is missing a critical bit of qualification: it will remap packets originating on the local net without regard for whether they are going to the Internet. In particular, packets that originate on the firewall and are intended for the local net will have their source address translated. This is not generally too big a problem, since the firewall knows both of its addresses, but in the case of NFS, the altered source address is probably not permitted to connect to the target, and you get an error.
The solution is to include an additional qualifier in the NAT rule:
iptables -t nat -A POSTROUTING -o {public net interface} -s 192.168.x.0/24 -j SNAT --to-source 216.39.145.64
This restricts the address translation to those packets that are headed out to the public Internet, and leaves traffic between the firewall and internal net hosts unmolested.
HTH
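To see exactly which packets each version of the rule catches, here is a small model of POSTROUTING SNAT matching. It is an added example, not from the post above; the interface names (eth0 public, eth1 LAN), the 192.168.1.0/24 network and the sample packets are assumed for illustration.

```python
"""Model of how an iptables POSTROUTING SNAT rule selects packets.

Constructed example: eth0 is the public interface, eth1 the LAN side.
Routing picks the output interface before POSTROUTING runs, so `-o`
can distinguish firewall->LAN traffic from LAN->Internet traffic.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.1.0/24")   # assumed local net
PUBLIC_IP = "216.39.145.64"          # --to-source from the post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str  # chosen by the routing decision, before POSTROUTING


@dataclass(frozen=True)
class SnatRule:
    src_net: IPv4Network           # -s
    to_source: str                 # -j SNAT --to-source
    out_iface: Optional[str] = None  # -o; None means the unqualified rule


def apply_rule(pkt: Packet, rule: SnatRule) -> str:
    """Return the source address the packet leaves with after POSTROUTING."""
    if ip_address(pkt.src) not in rule.src_net:
        return pkt.src
    if rule.out_iface is not None and pkt.out_iface != rule.out_iface:
        return pkt.src
    return rule.to_source


BAD_RULE = SnatRule(LAN, PUBLIC_IP)            # -s 192.168.1.0/24 -j SNAT ...
GOOD_RULE = SnatRule(LAN, PUBLIC_IP, "eth0")   # -o eth0 -s 192.168.1.0/24 -j SNAT ...

# Constructed packets: the firewall talking to an internal NFS server,
# and an internal host going out to the Internet.
NFS_FROM_FIREWALL = Packet("192.168.1.1", "192.168.1.10", "eth1")
LAN_TO_INTERNET = Packet("192.168.1.20", "203.0.113.5", "eth0")


def compare(pkt: Packet) -> dict:
    """Source address under the unqualified rule vs. the -o qualified rule."""
    return {"unqualified": apply_rule(pkt, BAD_RULE),
            "qualified": apply_rule(pkt, GOOD_RULE)}


if __name__ == "__main__":
    for name, pkt in (("NFS from firewall", NFS_FROM_FIREWALL),
                      ("LAN to Internet", LAN_TO_INTERNET)):
        print(name, compare(pkt))
```

The firewall-to-NFS packet keeps its LAN source only under the qualified rule, while Internet-bound traffic is translated by both.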