John Von Essen on 10 Apr 2006 19:01:56 -0000



Re: [PLUG] nfs through a DMZ


Update....

I got everything working except for lockd/nlockmgr.

I've tried both methods of changing the port for the lockd kernel mod.

Using lilo.conf:
append="lockd.udpport=10001 lockd.tcpport=10001"

Using modules.conf:
options lockd nlm_tcpport=10001 nlm_udpport=10001

Neither works. Any ideas?

-John

On Mon, 10 Apr 2006, John Von Essen wrote:

> Thanks.
>
> That does help.
>
> I made a mistake though, I am actually using Redhat 7.3 on the nfs server.
>
> The statd, quotad, and mountd stuff is straight-forward for forcing the
> port. But for the lockd stuff, since I don't have modutils or update-modules,
> I am not sure what to do. Is it possible to just write it directly in
> modules.conf?
>
> Also, these types of changes, how do you think they would affect existing
> mounts? Would all the mounts break, or would they reconnect
> automatically?
>
> Thanks
> John
>
>
> On Sat, 8 Apr 2006, Stephen Gran wrote:
>
> > On Sat, Apr 08, 2006 at 12:44:13AM -0400, John Von Essen said:
> > > I have two debian machines, one in an internal net, the other in a dmz
> > > net. Everything is behind a PIX firewall.
> > >
> > > I need the dmz client to mount a nfs share from the internal net
> > > server. So I opened up port 2049 tcp/udp, and also port 111 tcp/udp.
> > > The nfs mount still hangs. While doing a tcpdump the rpc port 111
> > > traffic goes back and forth, but no nfs. Am I missing something in the
> > > firewall?
> > >
> > > Granted all of this poses security and performance issues, but it's a
> > > special circumstance. At this point I just need to prove that it can be
> > > done.
> >
> > You're missing quite a few ports.
> >
> > I have the following firewall rules in place to allow 3 machines access
> > to nfs (sorry about the long lines):
> >
> > # NFS - only open to a few machines
> > for host in 3 5 9; do
> >   $INSIDERULES         -p tcp -s 192.168.1.${host} -m multiport --dports 111,1000,1001,1002,1003,2049  -j ACCEPT
> >   $INSIDERULES         -p udp -s 192.168.1.${host} -m multiport --dports 111,1000,1001,1002,1003,2049  -j ACCEPT
> > done
> >
> > And then I have this configuration to force nfs to bind to those ports:
> >
> > /etc/default/nfs-kernel-server:
> > RPCMOUNTDOPTS="-p 1002"
> >
> > /etc/default/nfs-common:
> > STATDOPTS="--port 1000 -o 1001"
> >
> > /etc/modutils/lockd.local:
> > options lockd nlm_udpport=1003 nlm_tcpport=1003
> > (then run update-modules to regenerate modules.conf)
> >
> > Hope that's helpful,
> > --
> >  --------------------------------------------------------------------------
> > |  Stephen Gran                  | The future lies ahead.                  |
> > |  steve@lobefin.net             |                                         |
> > |  http://www.lobefin.net/~steve |                                         |
> >  --------------------------------------------------------------------------
> >
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
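The thread's approach only keeps the firewall hole narrow if every RPC service actually ends up on the port it was told to use; the original poster's problem is exactly that lockd ignored the option. The script below is an added example (not from the thread or from either poster) that checks `rpcinfo -p` output against the intended port pins and derives the multiport list for the firewall rule from the same pins, so the two cannot drift apart. The `rpcinfo -p` text is constructed for the example, and the expected ports (status 1000, mountd 1002, nlockmgr 10001, nfs 2049) are assumed values following the thread's plan.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (not captured from a real host).
# It shows the failure mode in the thread: nlockmgr still registered on an
# ephemeral port (32768), so the lockd port option did not take effect.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1000  status
    100024    1   tcp   1000  status
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    1   tcp  32768  nlockmgr
    100005    1   udp   1002  mountd
    100005    1   tcp   1002  mountd'

# Same host after lockd has been pinned successfully (also constructed).
PINNED_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100024    1   udp   1000  status
    100003    2   tcp   2049  nfs
    100021    1   udp  10001  nlockmgr
    100021    1   tcp  10001  nlockmgr
    100005    1   tcp   1002  mountd'

# Intended pins as "service:port" pairs (assumed values, not from the thread).
EXPECTED="status:1000 mountd:1002 nlockmgr:10001 nfs:2049"

# check_rpc_ports RPCINFO_TEXT EXPECTED
# Prints one line per registration whose port differs from the expected pin
# and returns 1 if any such mismatch exists, 0 if every listed service is pinned.
check_rpc_ports() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, ":")
                want[kv[1]] = kv[2]
            }
        }
        NR == 1 { next }                       # skip the column header line
        ($5 in want) && ($4 != want[$5]) {     # service we pin, on the wrong port
            printf "%s/%s on port %s, expected %s\n", $5, $3, $4, want[$5]
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# expected_port_list EXPECTED
# Emits the comma-separated, de-duplicated port list for an iptables
# `-m multiport --dports ...` rule, derived from the same pins as the check
# (portmapper 111 is added explicitly since it is not a pinned service).
expected_port_list() {
    # shellcheck disable=SC2086  # word-splitting of $1 is intended here
    { printf '111\n'; printf '%s\n' $1 | awk -F: '{ print $2 }'; } \
        | sort -n -u | paste -sd, -
}

# Stand-alone usage: report whether the sample host is safe to firewall down.
if check_rpc_ports "$SAMPLE_RPCINFO" "$EXPECTED"; then
    echo "all NFS-related RPC services are on their pinned ports"
else
    echo "NOT safe to restrict the firewall yet: services above are unpinned"
fi
echo "multiport list for the firewall rule: $(expected_port_list "$EXPECTED")"
```

On a real host you would feed `rpcinfo -p` into `check_rpc_ports` from both the server and, for callbacks, the client, and only then replace the broad rule with the `--dports` list. Nothing here changes kernel or daemon configuration; it only confirms that the configuration already made had the intended effect before the firewall is narrowed to match.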