Hello Again

After making some changes to the firewall and setting up the port-
forwarding for sunrpc and nfs on udp packets, I am no longer getting
an RPC time out but now just:

mount: RPC: Unable to receive; errno = Connection refused

on the client machine when I try to mount the directory.

The client can be seen on the DNS, and the server has the
client IP in its hosts file.

Any ideas from here?

Cheers,
Lonnie

> Hello All,
>
>  > I have been trying, with no luck so far, to mount a directory
>  > from a machine that I have behind the Eigerstein LRP to a
>  > client machine outside the firewall.
>
> Considering that, AFAIK, NFS has a very bad reputation
> security-wise I kinda think that this is a very bad idea (TM) (-;
> but if you still want to do it I think reading the following
> messages
> <http://www.geocrawler.com/archives/3/90/1999/2/0/350356/> and
> <http://www.esker.fr/itspublic/Documents/20000804044B.htm> might
> be useful to you.
>
> Apparently (& as far as I'm concerned fortunately) NFS doesn't
> appear to be very firewall friendly (It's apparently the "port
> mapper" which listens at port 111 tcp & udp (apparently, BTW, the
> name of this service is sunrpc/portmap) which hands out the port
> addresses which will be used...)
>
>  > I have opened a udp port 2049 which is supposed to be for nfs,
>  > but still I cannot seem to mount the server directory even
>  > though I can mount the server directory to other machines that
>  > are also inside the firewall.
>
> According to the list of "well known port numbers"
> (http://www.iana.org/assignments/port-numbers), and to the
> messages I posted the URL to previously you would have to open
> this in udp also (and as I believe Ray suggested probably to port
> forward them too...)
>
> BTW, I do believe that they are usually opened by default...
>
> > Actually because of the nature of our setup here, we have 2
> > machines that need to allow for nfs mounting and although my
> > personal thoughts are that they too should be behind the
> > firewall completely,
> > unfortunately I do not get the last word in this.
>
> (-; (-; (-;
>
> If the President/CEO doesn't get the last word on this, who does?
> (I confess, I paid a visit to your website... (rackmounted
> servers/firewall, nice... (-; ). (-; (-; (-;
>
> Couldn't you establish a VPN tunnel between them instead,
> wouldn't that work better & be more secure?
>
> > Opening port 2049 means that I have added this rule to the
> > ipfilter.conf file.
> >
> > $IPMASQADM portfw -a -P udp -L $EXTERN_IP 2040 -R 192.168.1.16
> > 2049
>
> BTW, this is probably a typo that got there when you retyped that
> line but you've got port 2040 (instead of 2049) on the extern
> interface...
>
> If you do open these ports I would highly suggest that you open
> them only for the IP addresses of the other pc/server as some of
> these ports (especially 111) are regularly probed by people
> wanting to get into your pc...
>
> Good luck!
>
> Nicolas Riendeau
>
> PS: Please forgive my English as it is not my mother tongue.
> Thanks!


-- 
 Lonnie Cumberland
 OutStep Technologies Incorporated
 (313) 832-7366

 URL: http://www.outstep.com
 EMAIL: [EMAIL PROTECTED]
      : [EMAIL PROTECTED]
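
The quoted reply notes that the port mapper on port 111 hands out the ports the other RPC services use. The following is an added example, not part of the original messages: it compares what a portmapper advertises with the set of forwarded ports and lists the services that stay unreachable from outside. The `rpcinfo -p` output, the port numbers in it and the function names are constructed for illustration.

```python
# Added example: the sample data below is constructed, not taken from the thread.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100021    1   udp   1026  nlockmgr
"""

# (proto, port) pairs forwarded on the firewall: sunrpc and nfs over UDP,
# matching what the message says was set up.
FORWARDED = {("udp", 111), ("udp", 2049)}


def parse_rpcinfo(text):
    """Return a list of (program, version, proto, port, name) tuples."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and any line that is not a numeric data row.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        program, version, proto, port = fields[:4]
        name = fields[4] if len(fields) > 4 else "unknown"
        rows.append((int(program), int(version), proto, int(port), name))
    return rows


def unreachable_services(rows, forwarded):
    """Map service name -> sorted (proto, port) pairs registered but not forwarded."""
    missing = {}
    for _prog, _vers, proto, port, name in rows:
        if (proto, port) not in forwarded:
            missing.setdefault(name, set()).add((proto, port))
    return {name: sorted(pairs) for name, pairs in missing.items()}


if __name__ == "__main__":
    report = unreachable_services(parse_rpcinfo(SAMPLE_RPCINFO), FORWARDED)
    for name, pairs in sorted(report.items()):
        for proto, port in pairs:
            print(f"{name}: {proto}/{port} is registered but not forwarded")
```

On a real server the input would be the output of `rpcinfo -p` run on the NFS host itself.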




_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
