Stephen Gran on 8 Apr 2006 11:35:03 -0000



Re: [PLUG] nfs through a DMZ


On Sat, Apr 08, 2006 at 12:44:13AM -0400, John Von Essen said:
> I have two debian machines, one in an internal net, the other in a dmz 
> net. Everything is behind a PIX firewall.
> 
> I need the dmz client to mount an nfs share from the internal net 
> server. So I opened up port 2049 tcp/udp, and also port 111 tcp/udp. 
> The nfs mount still hangs. While doing a tcpdump the rpc port 111 
> traffic goes back and forth, but no nfs. Am I missing something in the 
> firewall?
> 
> Granted all of this poses security and performance issues, but it's a 
> special circumstance. At this point I just need to prove that it can be 
> done.

You're missing quite a few ports.

I have the following firewall rules in place to allow 3 machines access 
to nfs (sorry about the long lines):

# NFS - only open to a few machines
for host in 3 5 9; do
  $INSIDERULES         -p tcp -s 192.168.1.${host} -m multiport --dports 111,1000,1001,1002,1003,2049  -j ACCEPT
  $INSIDERULES         -p udp -s 192.168.1.${host} -m multiport --dports 111,1000,1001,1002,1003,2049  -j ACCEPT
done

And then I have this configuration to force nfs to bind to those ports:

/etc/default/nfs-kernel-server:
RPCMOUNTDOPTS="-p 1002"

/etc/default/nfs-common:
STATDOPTS="--port 1000 -o 1001"

/etc/modutils/lockd.local:
options lockd nlm_udpport=1003 nlm_tcpport=1003
(then run update-modules to regenerate modules.conf)

Hope that's helpful,
-- 
 --------------------------------------------------------------------------
|  Stephen Gran                  | The future lies ahead.                  |
|  steve@lobefin.net             |                                         |
|  http://www.lobefin.net/~steve |                                         |
 --------------------------------------------------------------------------

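A check to go with the pinning recipe above, added here as an example and not part of Stephen's or John's original posts: once mountd, statd and lockd have been told which ports to use, the only way to know the pinning actually took is to look at what the portmapper advertises (`rpcinfo -p <server>`) and compare it against the multiport list the firewall allows. The script below parses that output and reports any NFS-related RPC service that landed on a port the rules do not open, which is exactly the situation that makes a mount hang after port 111 traffic has gone through. The rpcinfo output embedded in it is constructed for the example (the second sample deliberately shows an unpinned lockd); the allowed-port list is the one from the iptables rules above, and the service names are the ones rpcinfo prints for the standard NFS programs. Note that statd's `-o 1001` is an outgoing port and will not show up in rpcinfo, so 1001 is only ever expected in the firewall list, never in the advertised ports.

```shell
#!/bin/sh
# Added example (not from the original post). Compares the ports rpcbind
# advertises for the NFS-related RPC services with the ports the firewall
# permits, so a daemon that ignored its pinning option is caught before the
# mount hangs behind the PIX.
# Both rpcinfo samples below are constructed for the example; on a real
# server replace them with the output of `rpcinfo -p <server>`.

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1000  status
    100024    1   tcp   1000  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   1003  nlockmgr
    100021    3   udp   1003  nlockmgr
    100021    1   tcp   1003  nlockmgr
    100021    3   tcp   1003  nlockmgr
    100005    1   udp   1002  mountd
    100005    1   tcp   1002  mountd'

# Same server, but lockd came up without the nlm_udpport option honoured
# and took a dynamic port (constructed failure case).
SAMPLE_UNPINNED='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1000  status
    100003    3   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100005    1   tcp   1002  mountd'

# Ports the firewall rules in the post allow (the multiport --dports list).
# 1001 is statd's outgoing port and is not expected to appear in rpcinfo.
ALLOWED_PORTS='111 1000 1001 1002 1003 2049'

# nfs_ports: print "proto port service" for each NFS-related RPC service
# registered with the portmapper, one line per proto/port pair.
nfs_ports() {
    printf '%s\n' "$1" | awk '
        $5 == "portmapper" || $5 == "nfs" || $5 == "mountd" ||
        $5 == "status"     || $5 == "nlockmgr" {
            key = $3 " " $4
            if (!(key in seen)) { seen[key] = 1; print $3, $4, $5 }
        }'
}

# multiport_list: comma-separated, numerically sorted, unique port list
# in the form iptables -m multiport --dports expects.
multiport_list() {
    nfs_ports "$1" | awk '{ print $2 }' | sort -n -u | paste -s -d, -
}

# unpinned_ports: advertised ports that are NOT in the allowed list ($2).
# Empty output means every NFS service landed on a firewalled port.
unpinned_ports() {
    nfs_ports "$1" | while read -r proto port svc; do
        case " $2 " in
            *" $port "*) ;;
            *) echo "$proto $port $svc" ;;
        esac
    done
}

# Stand-alone run: show the port list the firewall must open, then flag
# anything in the broken sample that the rules would silently drop.
multiport_list "$SAMPLE_RPCINFO"
unpinned_ports "$SAMPLE_UNPINNED" "$ALLOWED_PORTS"
```

Run it against the real server from the DMZ side as well as the inside: if `rpcinfo -p` from the DMZ client shows the right ports but the mount still hangs, the problem is the PIX rather than the pinning, and the output of unpinned_ports is the list of ports to add to the multiport rule.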

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug