John Von Essen on 10 Apr 2006 16:19:49 -0000



Re: [PLUG] nfs through a DMZ


Thanks.

That does help.

I made a mistake though, I am actually using Redhat 7.3 on the nfs server.

The statd, quotad, and mountd stuff is straightforward for forcing the
port. But for the lockd stuff, since I don't have modutils or update-modules,
I am not sure what to do. Is it possible to just write it directly in
modules.conf?

Also, these types of changes, how do you think they would affect existing
mounts? Would all the mounts break, or would they reconnect
automatically?

Thanks
John


On Sat, 8 Apr 2006, Stephen Gran wrote:

> On Sat, Apr 08, 2006 at 12:44:13AM -0400, John Von Essen said:
> > I have two debian machines, one in an internal net, the other in a dmz
> > net. Everything is behind a PIX firewall.
> >
> > I need the dmz client to mount a nfs share from the internal net
> > server. So I opened up port 2049 tcp/udp, and also port 111 tcp/udp.
> > The nfs mount still hangs. While doing a tcpdump the rpc port 111
> > traffic goes back and forth, but no nfs. Am I missing something in the
> > firewall?
> >
> > Granted all of this poses security and performance issues, but it's a
> > special circumstance. At this point I just need to prove that it can be
> > done.
>
> You're missing quite a few ports.
>
> I have the following firewall rules in place to allow 3 machines access
> to nfs (sorry about the long lines):
>
> # NFS - only open to a few machines
> for host in 3 5 9; do
>   $INSIDERULES         -p tcp -s 192.168.1.${host} -m multiport --dports 111,1000,1001,1002,1003,2049  -j ACCEPT
>   $INSIDERULES         -p udp -s 192.168.1.${host} -m multiport --dports 111,1000,1001,1002,1003,2049  -j ACCEPT
> done
>
> And then I have this configuration to force nfs to bind to those ports:
>
> /etc/default/nfs-kernel-server:
> RPCMOUNTDOPTS="-p 1002"
>
> /etc/default/nfs-common:
> STATDOPTS="--port 1000 -o 1001"
>
> /etc/modutils/lockd.local:
> options lockd nlm_udpport=1003 nlm_tcpport=1003
> (then run update-modules to regenerate modules.conf)
>
> Hope that's helpful,
> --
>  --------------------------------------------------------------------------
> |  Stephen Gran                  | The future lies ahead.                  |
> |  steve@lobefin.net             |                                         |
> |  http://www.lobefin.net/~steve |                                         |
>  --------------------------------------------------------------------------
>
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
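The hang John describes comes from the portmapper answering while the service it points at sits on a port the PIX blocks. The following is an added Python example (not code from either poster) that checks `rpcinfo -p` output against the allowed-port set from Stephen's rules; the `rpcinfo` sample is constructed, with mountd deliberately left on a dynamic port to show what an unapplied `-p 1002` looks like.

```python
# Constructed sample of `rpcinfo -p` output from a server where statd and
# lockd were pinned to 1000/1003 as in the thread, but mountd still came up
# on a dynamic port because RPCMOUNTDOPTS was not applied.
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1000  status
    100024    1   tcp   1000  status
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp   1003  nlockmgr
    100021    1   tcp   1003  nlockmgr
    100005    1   udp  32768  mountd
    100005    1   tcp  32768  mountd
"""

# Ports the firewall opens, matching the multiport list in the thread.
ALLOWED_PORTS = {111, 1000, 1001, 1002, 1003, 2049}

def parse_rpcinfo(text):
    """Return (service, proto, port) tuples from `rpcinfo -p` output."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have five fields and start with a numeric program
        # number; the header row and blank lines do not.
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        _program, _version, proto, port, name = fields
        entries.append((name, proto, int(port)))
    return entries

def unreachable_services(text, allowed=ALLOWED_PORTS):
    """Registered services on ports the firewall blocks: a client that
    reaches the portmapper but not these is what makes the mount hang."""
    return sorted({e for e in parse_rpcinfo(text) if e[2] not in allowed})

def multiport_rules(hosts, allowed=ALLOWED_PORTS, chain="$INSIDERULES"):
    """Render accept rules in the same shape as the thread's shell loop."""
    ports = ",".join(str(p) for p in sorted(allowed))
    return [f"{chain} -p {proto} -s {host} -m multiport --dports {ports} -j ACCEPT"
            for host in hosts for proto in ("tcp", "udp")]

if __name__ == "__main__":
    for name, proto, port in unreachable_services(RPCINFO_SAMPLE):
        print(f"{name} ({proto}) on port {port} is not in the allowed set")
    print("\n".join(multiport_rules(["192.168.1.3"])))
```

Run it against real `rpcinfo -p` output after restarting the NFS services; an empty result from `unreachable_services` means every registered port is covered by the rules.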