LinuxQuestions.org


toastermaker 11-24-2003 09:38 AM

troubleshooting nfs/can't ping local while firewall enabled
 
A step in troubleshooting NFS brought to light a previous problem, but better defined.

I can't ping between boxes while my firewalls are set to defaults.

I want to leave as much of my firewalls intact but be able to ping between boxes.

1. Should local pinging work with my firewalls set to fully enabled (default)?
2. If not, what setting should I add to the firewall to allow local pinging?

If now is the time I have to learn all about ipchains then send a 2 pound aspirin with your replies. lol

Mandy 9.2 on both boxes, direct Ethernet cable with no hub

Continued gratitude to all those who help us newbies.

Khabi 11-24-2003 01:53 PM

First we'll try the easier stuff. Try this command, see if it helps:
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

triki 11-24-2003 02:10 PM

First question for you: are you using a crossover cable for connecting the two machines together? If not, you will need to grab one for this computer-to-computer connection.
If you do have a crossover cable in use, are you using a similar C class IP?
ex. 192.168.1.*
computer one is 192.168.1.101 and the second computer 192.168.1.102

This would mean that the computers are setup on the same network.
What the firewall would restrict would be incoming/outgoing packets but not anything inside your network, due to the fact that the firewall isn't between the two computers but on the outside.

One way to test would be to disable ipchains and try pinging; if you still can't ping then it definitely has something to do with the network and not the firewall.

Hope that makes sense :)

Good Luck !

triki

toastermaker 11-24-2003 02:14 PM

If I am entering the command correctly the response is "permission denied"

Do I need to run it as root?

toastermaker 11-24-2003 02:17 PM

Thanks triki,
Yes to all your queries. I can ping when I turn off my firewall through the GUI (Mandrake Control Center).

toastermaker 11-24-2003 02:20 PM

How would I disable ipchains for purpose of testing?

Khabi 11-24-2003 02:28 PM

Yes, you need to run that last command as root. To disable ipchains run "service ipchains stop" or "/etc/rc.d/init.d/ipchains stop" as root.

toastermaker 11-24-2003 02:36 PM

Again, if I am entering properly, the command now returns silently to the command line.

To know I'm entering properly, is there a space between the 0 and > ?

toastermaker 11-24-2003 02:58 PM

Running "service ipchains stop" and "/etc/rc.d/init.d/ipchains stop" as root without the parentheses returns "Cannot find ipchains service" and "No such file or directory".

Khabi 11-24-2003 03:01 PM

Quote:

Originally posted by toastermaker
Again, if I am entering properly, the command now returns silently to the command line.

To know I'm entering properly, is there a space between the 0 and > ?

Yes, sorry, I should have told you about that. It won't return anything. It's just placing a 0 in that file name after it. 0 = enable pings, 1 = disable pings. You *might* have to restart the network for the changes to take effect... I can't remember.

As for the other "service ipchains stop", if you're using Mandrake it's probably different. Sorry, I wasn't paying attention to the flavor you're running.

Dewar 11-24-2003 03:03 PM

Try "service iptables stop".
Mandrake 9.2 uses iptables instead of chains.

Also, the command "echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all" is correctly written and should dump you back to the command line with no response. This command must be run every time you reboot during testing, because some firewalls override this setting.

-Derek

toastermaker 11-24-2003 03:17 PM

Ok now I can ping both ways after running service iptables stop.

What does this mean? Is my firewall still good?
If my firewall is still good can I continue with setting up NFS?
Or have we just uncovered a problem that needs to be addressed before I should continue?

Dewar 11-24-2003 03:27 PM

The iptables service basically is the guts of the firewall. It holds all the rules that allow some things, and drop others. Since the pinging works when iptables is off, we know that it's a rule problem with your firewall. So now we can add a couple of rules to it by hand.

Here are some quick and dirty rules for you. They are typed in at command prompt, and must be re-typed at every boot, since your firewall will overwrite them....

This enables all traffic from the loopback address:
iptables -I INPUT -s 127.0.0.0/8 -j ACCEPT
This enables incoming pings:
iptables -I INPUT -p ICMP -j ACCEPT
This enables outgoing pings:
iptables -I OUTPUT -p ICMP -j ACCEPT

Of course, that leaves you slightly vulnerable to malformed ICMP packets. If you want to be more secure, and only ping from your network use...

iptables -I INPUT -s (your source net) -p ICMP -j ACCEPT

instead of the second line above, where your source net is something like 192.168.0.0/24 (meaning all of your computers have IPs of 192.168.0.???)

Hope that helps
-Derek
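
A tighter variant of the rules in the post above, as an added example that is not part of the original thread: it matches loopback by interface, limits ICMP to echo-request and echo-reply to and from a single LAN, and validates the network argument before building any command. The `LAN` default and the function names `valid_cidr` and `ping_rules` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. LAN is a placeholder network.
LAN="${LAN:-192.168.1.0/24}"

# valid_cidr NET: succeed only for a.b.c.d/p with octets 0-255 and p 0-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr          # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# ping_rules NET: print the iptables commands, one per line.
ping_rules() {
    valid_cidr "$1" || { echo "bad network: $1" >&2; return 1; }
    # Loopback is matched by interface rather than by source address.
    echo "iptables -I INPUT -i lo -j ACCEPT"
    # Pings from the LAN to this host, and this host's answers.
    echo "iptables -I INPUT -s $1 -p icmp --icmp-type echo-request -j ACCEPT"
    echo "iptables -I OUTPUT -d $1 -p icmp --icmp-type echo-reply -j ACCEPT"
    # Pings from this host to the LAN, and the LAN's answers.
    echo "iptables -I OUTPUT -d $1 -p icmp --icmp-type echo-request -j ACCEPT"
    echo "iptables -I INPUT -s $1 -p icmp --icmp-type echo-reply -j ACCEPT"
}

# Dry run by default; APPLY=1 (as root) runs each printed command.
if [ "${APPLY:-0}" = 1 ]; then
    ping_rules "$LAN" | while read -r rule; do $rule; done
else
    ping_rules "$LAN"
fi
```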

toastermaker 11-24-2003 03:44 PM

Thanks Derek,
I hope that does help me somehow but will or should configuring NFS cause my iptables to be written to, so as not to have to edit manually every time I reboot?

continued gratitude to all those who help us newbies.

toastermaker 11-24-2003 08:23 PM

Ok still working on iptables.
Is that a capital i or a lower case L in the "iptables -l Input...." ?

Is enabling traffic from the loopback address functionally important or only for pinging myself for tests?

Am I missing something so basic about setting up NFS or the LAN that it is running on that they didn't bother to write about it in the How-Tos?


All times are GMT -5.