I can easily wrap it in something like that.

Turns out that the NFS client request to the NFS server used 111, 2049 and 652 
to make the request.  Now other people than me get to figure out how to
make it more secure.

Thanks everyone.

-J





             "McKown, John" <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[email protected]>
Date: 09/18/2007 12:40 PM
Please respond to: Linux on 390 Port <[email protected]>
To: [email protected]
Subject: Re: NFS, Firewalls and ports








> -----Original Message-----
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On
> Behalf Of James Melin
> Sent: Tuesday, September 18, 2007 10:42 AM
> To: [email protected]
> Subject: NFS, Firewalls and ports
>
>
> Good morning (or evening, depending) everyone.
>
> I am hoping someone can shed some light on something for me...
>
> Trying to do a read-only NFS export of a directory through the
> DMZ firewall to a local Linux instance. From what I have
> read, NFSV4 uses port 2049 to make its connections.
> Presumably this is for both client and server as I've seen
> nothing about such a distinction.
>
> Both systems are SLES-10 SP1. When the external firewall rules
> are set to specifically allow port 2049 between the two machines
> it fails with a "mount server reported tcp not available,
> falling back to udp" error and then eventually just gives up.
>
> When the firewall is set to allow all connections between
> these two hosts it works. So obviously port 2049 isn't really
> it, or it isn't all of the answer.
>
> So, what am I missing?

Basically, unless you do something, NFS uses dynamic ports.

Try this site:

http://www.linuxquestions.org/questions/showthread.php?t=294069

Most of what I've seen says that you should really only use NFS when you
have a VPN encrypted tunnel between the two end points. I guess if you
are on an internal, secured, network, then you are OK. But I gather that
you aren't in such a setup.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology


----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
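
An added example, not part of the thread: the helper services that register with the portmapper on 111 are the source of the dynamic ports mentioned above, and this sketch parses `rpcinfo -p` output to separate the conventional ports (111, 2049) from the ones assigned at startup. The sample output is constructed, including the placement of mountd on 652; the thread does not say which service used that port.

```python
from collections import defaultdict

# Ports fixed by convention: the portmapper and the NFS service itself.
WELL_KNOWN = {"portmapper": 111, "nfs": 2049}

# Constructed sample of `rpcinfo -p <server>` output (not taken from the thread).
SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp    652  mountd
    100005    3   udp    652  mountd
    100021    4   tcp  32803  nlockmgr
    100021    4   udp  32769  nlockmgr
    100024    1   tcp  40125  status
"""

def parse_rpcinfo(text):
    """Return {service: {(proto, port), ...}} from `rpcinfo -p` output."""
    services = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a numeric program number; the name column may be absent.
        if len(fields) not in (4, 5) or not fields[0].isdigit():
            continue
        name = fields[4] if len(fields) == 5 else "prog-" + fields[0]
        services[name].add((fields[2], int(fields[3])))
    return dict(services)

def firewall_plan(services):
    """Split registrations into conventional ports and portmapper-assigned ones."""
    fixed, dynamic = set(), set()
    for name, regs in services.items():
        for proto, port in regs:
            target = fixed if WELL_KNOWN.get(name) == port else dynamic
            target.add((proto, port, name))
    return sorted(fixed), sorted(dynamic)

if __name__ == "__main__":
    fixed, dynamic = firewall_plan(parse_rpcinfo(SAMPLE))
    for proto, port, name in fixed:
        print(f"allow {proto}/{port:<5} {name}")
    for proto, port, name in dynamic:
        print(f"allow {proto}/{port:<5} {name}  (assigned at startup: pin it or the rule goes stale)")
```

Every entry in the second group needs its own firewall rule, and a rule written for today's port stops matching after a restart unless the service is configured to use a fixed port.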
