
niverson 01-03-2004 01:36 PM

help with client side NFS-firewall setup and server side NIS-firewall setup
I have successfully set up the firewalls for my print server and NFS server. I'm having problems with the client-side setup of iptables for use with NFS. I set up the client firewall the same as the NFS server firewall, but I lose connectivity when I restart the client's iptables. I followed the following site to set up the server-side firewall. What port numbers do I have to open in the firewall to allow my client to connect to the NFS shares? What file do I have to modify to set the NFS client port? I'm guessing that the NFS client port # is dynamic and jumps around with every boot.

Additionally, I set up a NIS server. My client machines can connect to the NIS server when I disable the firewall on the NIS server. I did an rpcinfo -p and opened all the yp-related port numbers in the firewall, but the client machines can't connect. Is there another port number I need to open up? The NIS and NFS server are on the same machine.

[root@fuzzhead sysconfig]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 4000 status
100024 1 tcp 4000 status
391002 2 tcp 32768 sgi_fam
100011 1 udp 714 rquotad
100011 2 udp 714 rquotad
100011 1 tcp 717 rquotad
100011 2 tcp 717 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 4001 nlockmgr
100021 3 udp 4001 nlockmgr
100021 4 udp 4001 nlockmgr
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd
100005 2 udp 4002 mountd
100005 2 tcp 4002 mountd
100005 3 udp 4002 mountd
100005 3 tcp 4002 mountd
100004 2 udp 1023 ypserv
100004 1 udp 1023 ypserv
100004 2 tcp 602 ypserv
100004 1 tcp 602 ypserv
100009 1 udp 653 yppasswdd
600100069 1 udp 699 fypxfrd
600100069 1 tcp 701 fypxfrd
100007 2 udp 748 ypbind
100007 1 udp 748 ypbind
100007 2 tcp 751 ypbind
100007 1 tcp 751 ypbind

ypbind is the client-side app, so I shouldn't have to open that port number on the firewall for access to the server, right? I opened the ypbind ports and the clients still can't connect.

Here are the iptables rules from the NIS/NFS system. I used lokkit to set up an initial firewall and have been cutting, pasting, and modifying the port numbers as necessary.

:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 631 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 4000:4003 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 4000:4003 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 699 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 701 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 653 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 602 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 1023 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 1023 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 748 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 751 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 137:138 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 139 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 445 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT

My LAN has 3 Linux systems (1 Fedora, 2 RH 9) that are behind a hardware firewall-router that connects to a cable modem.

any help is appreciated,
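An added example, not from this thread: a POSIX shell script that reads rpcinfo -p output like the listing above and prints the ACCEPT rules for the RPC services each side actually needs, restricted to a source network, so the ports come from rpcinfo rather than guesswork. The chain name is the lokkit one from the post; the 192.168.1.0/24 network and the trimmed rpcinfo sample are assumptions.

```shell
#!/bin/sh
# Constructed sample: the NFS-related lines of the rpcinfo -p listing above
# (the yp* entries belong to NIS and are left out).
RPCINFO_SAMPLE='program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 4000 status
100024 1 tcp 4000 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 4001 nlockmgr
100021 3 udp 4001 nlockmgr
100021 4 udp 4001 nlockmgr
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd
100005 3 tcp 4002 mountd'

# rpc_rules NET SERVICE...: read rpcinfo -p output on stdin and print one
# ACCEPT rule per distinct proto/port pair for the named RPC services only,
# limited to source network NET; everything else falls through to the
# REJECT rules at the end of the lokkit chain.
rpc_rules() {
    net=$1; shift
    awk -v net="$net" -v wanted="$*" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        NR == 1 { next }                        # skip the header line
        ($5 in want) && !seen[$3 "/" $4]++ {    # several versions share one port
            syn = ($3 == "tcp") ? " --syn" : ""
            printf "-A RH-Lokkit-0-50-INPUT -s %s -p %s -m %s --dport %s%s -j ACCEPT\n",
                   net, $3, $3, $4, syn
        }'
}

# Server side: what an NFS client must reach to mount, read and lock.
server_rules() {
    printf '%s\n' "$RPCINFO_SAMPLE" | rpc_rules "$1" portmapper mountd nfs nlockmgr status
}

# Client side: an NFSv3 client runs its own lockd and statd, and the server
# calls back into them for lock grants and crash notification, so those (and
# the portmapper the server uses to find them) must be open on the client.
client_rules() {
    printf '%s\n' "$RPCINFO_SAMPLE" | rpc_rules "$1" portmapper nlockmgr status
}

echo "# server:"; server_rules 192.168.1.0/24
echo "# client:"; client_rules 192.168.1.0/24
```

On the client, run the script against the client's own rpcinfo -p output; the generated rules only stay valid once lockd and statd are pinned to fixed ports there, which is why they appear to move between boots.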

niverson 02-01-2004 02:22 PM

It has been a month with no response. It can't be that people run NFS clients without firewalls? Any firewall gurus out there?


aclaunch 02-01-2004 09:40 PM

I have a 2-computer network running NFS. I too had lots of problems with the firewalls on both computers blocking NFS until I started using Firestarter. This is a GUI-based firewall for Gnome (but works for KDE also). It allows you to specify "trusted computers" and what I did was to specify each computer as "trusted" to the other. Seems to work fine. Besides, I have a Linksys router with a built-in firewall so I think everything is safe.

For a more hands-on, configurable firewall, you might also want to look at Guarddog. I have problems with iptables so I go with the GUI.

Good Luck

niverson 02-02-2004 09:52 AM

Thanks, I have my NFS server and print server computers firewalled. I'm just looking for the client-side setup that allows NFS. Every time I have tried to set the client-side firewall, my NFS shares go away. Your setup sounds similar to mine. My systems are behind a Linksys firewall (BEFSR41). I'm just trying to create another layer of security. I will try your suggestion, but my problem is more understanding how to make the client-side NFS ports static so I can open the correct ports in the client-side system's firewall.

