| Stephen Gran on 8 Apr 2006 11:35:03 -0000 |
|
On Sat, Apr 08, 2006 at 12:44:13AM -0400, John Von Essen said:
> I have two debian machines, one in an internal net, the other in a dmz
> net. Everything is behind a PIX firewall.
>
> I need the dmz client to mount a nfs share from the internal net
> server. So I opened up port 2049 tcp/udp, and also port 111 tcp/udp.
> The nfs mount still hangs. While doing a tcpdump the rpc port 111
> traffic goes back and forth, but no nfs. Am I missing something in the
> firewall?
>
> Granted all of this poses security and performance issues, but its a
> special circumstance. At this point I just need to prove that it can be
> done.
You're missing quite a few ports.
I have the following firewall rules in place to allow 3 machines access
to nfs (sorry about the long lines):
# NFS - only open to a few machines
for host in 3 5 9; do
$INSIDERULES -p tcp -s 192.168.1.${host} -m multiport --dports 111,1000,1001,1002,1003,2049 -j ACCEPT
$INSIDERULES -p udp -s 192.168.1.${host} -m multiport --dports 111,1000,1001,1002,1003,2049 -j ACCEPT
done
And then I have this configuration to force nfs to bind to those ports:
/etc/default/nfs-kernel-server:
RPCMOUNTDOPTS="-p 1002"
/etc/default/nfs-common:
STATDOPTS="--port 1000 -o 1001"
/etc/modutils/lockd.local:
options lockd nlm_udpport=1003 nlm_tcpport=1003
(then run update-modules to regenerate modules.conf)
Hope that's helpful,
--
--------------------------------------------------------------------------
| Stephen Gran | The future lies ahead. |
| steve@lobefin.net | |
| http://www.lobefin.net/~steve | |
--------------------------------------------------------------------------
Attachment:
signature.asc ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
|
|