Did you know LQ has a Linux Hardware Compatibility List?
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 01-03-2004, 01:36 PM   #1
Registered: Jun 2003
Location: Colorado
Distribution: Fedora Core 4
Posts: 128

Rep: Reputation: 15
help with client side NFS-firewall setup and server side NIS-firewall setup

I have successfully setup the firewalls for my print server and NFS server. I'm having problems with client side setup of iptables for use with NFS. I setup the client firewall the same as the NFS server firewall, but I lose connectivity when I restart the clients iptables. I followed the following site to set up the server side firewall. What port numbers do I have to open in the firewall to allow my client to connect to the NFS shares? What file do I have to modify to set the NFS client port? I'm guessing that NFS client port # is dynamic and jumps around with every boot.

Additionally, I setup a NIS server. My client machines can connect to the NIS server when I disable the firewall on the NIS server. I did a rpcinfo -p and opened all the yp related port numbers in the firewall, but the client machines can't connect. Is there another port number I need to open up? The NIS and NFS server are on the same machine.

[root@fuzzhead sysconfig]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 4000 status
100024 1 tcp 4000 status
391002 2 tcp 32768 sgi_fam
100011 1 udp 714 rquotad
100011 2 udp 714 rquotad
100011 1 tcp 717 rquotad
100011 2 tcp 717 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 4001 nlockmgr
100021 3 udp 4001 nlockmgr
100021 4 udp 4001 nlockmgr
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd
100005 2 udp 4002 mountd
100005 2 tcp 4002 mountd
100005 3 udp 4002 mountd
100005 3 tcp 4002 mountd
100004 2 udp 1023 ypserv
100004 1 udp 1023 ypserv
100004 2 tcp 602 ypserv
100004 1 tcp 602 ypserv
100009 1 udp 653 yppasswdd
600100069 1 udp 699 fypxfrd
600100069 1 tcp 701 fypxfrd
100007 2 udp 748 ypbind
100007 1 udp 748 ypbind
100007 2 tcp 751 ypbind
100007 1 tcp 751 ypbind

ypbind is the client side app, so I shouldn't have to open that port number on the firewall for access to the server, right?. I opened the ypbind ports and the clients still can't connect.

Here is the iptables from the NIS/NFS system. I used lokkit to setup an initial firewall and have been cutting, pasting, and modifying the port numbers as necessary.

:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 631 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 4000:4003 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 4000:4003 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 699 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 701 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 653 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 602 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 1023 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 1023 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 748 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 751 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 137:138 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 139 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 445 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT

My LAN has 3 linux systems (1-fedora, 2-RH 9) that are behind a hardware firewall-router that connects to a cable modem.

any help is appreciated,
Old 02-01-2004, 02:22 PM   #2
Registered: Jun 2003
Location: Colorado
Distribution: Fedora Core 4
Posts: 128

Original Poster
Rep: Reputation: 15
It has been a month with no response. I can't be that people run NFS clients without firewalls? Any firewall gurus out there?

Old 02-01-2004, 09:40 PM   #3
Registered: Sep 2003
Posts: 91

Rep: Reputation: 15
I have a 2 computer network running NFS. I too had lots of problems with the firewalls on both computers blocking NFS until I started using Firestarter. This is a gui based firewall for Gnome (but works for KDE also). It allows you to specify "trusted computers" and what I did was to specify each computer as "trusted" to the other. Seems to work fine. Besides I have a Linksys router with a builtin firewall so I think everything is safe.

For a more hands on, configurable firewall, you might also want to look at Guarddog. I have problems with iptables so I go with the gui.

Good Luck
Old 02-02-2004, 09:52 AM   #4
Registered: Jun 2003
Location: Colorado
Distribution: Fedora Core 4
Posts: 128

Original Poster
Rep: Reputation: 15
Thanks, I have my NFS server and print server computers firewalled. I'm just looking for the client side setup that allows NFS. Every time I have tried to set the client side firewall, my NFS shares go away. Your set up sounds similar to mine. My systems are behind a linksys firewall(BEFSR41). I'm just trying to create another layer of security. I will try your suggestion, but my problem is more understanding how to make the client side NFS ports static so I can open the correct ports in the client side system's firewall.



Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Oracle Client Side Setup nelnel Linux - Newbie 2 06-17-2005 02:39 AM
client side NFS files? bobbens Linux - Networking 3 11-01-2004 03:52 AM
Firewall setup for NFS server, Suse 9.1 deh6 Linux - Networking 1 08-25-2004 03:24 AM
client-side firewall setup that works with NFS niverson Linux - Security 5 02-22-2004 12:13 AM
Client side firewall setup for NFS niverson Linux - Networking 0 12-31-2003 03:00 PM

All times are GMT -5. The time now is 05:35 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration