On Sun Jun 18 2000 at 19:46, Sangohn Christian wrote to the
linux-config email list:

> It was a problem with an entry in /etc/hosts.deny:
> rpc.mountd: ALL

Hmm... I find this quite bizarre - it doesn't sound right.  What
distribution is this?  What version of mountd?  Has it been hacked
to do this?  Have things recently changed?

It has always been the RPC **portmapper** that has been linked
against the libwrap.a library (tcp wrappers), not the rpc daemons
themselves.  (The idea is that if you can't get to the portmapper,
then you can't use any of the services offered by any other RPC
daemon).  So what you should have in /etc/hosts.allow is:

        portmap: ALL

Then in /etc/hosts.deny, have:

        ALL : ALL

This will set things up so that EVERYTHING is denied by default,
and only those services specifically stated in hosts.allow will be
permitted access.  In this case, portmap/rpc access is allowed for
everyone. I would not recommend this for a box accessible from the
internet as it is far too promiscuous and dangerous for my own
liking - I have the portmap and nfs ports blocked on a firewall to
prevent such access anyway (to protect our local networks).

Even fancier is to use the extended capabilities of wrappers to
generate an email for you for each denied attempt... at the very
least, this is great for debugging purposes.  I'll attach a copy of
this below here.  It's just as easy to change this to generate a
syslog (via the "logger" utility) or stamp this information into a
log file.

There are some quirks with portmap and wrappers:

- access control in /etc/hosts.{allow,deny} MUST be specified for
  the portmapper as IP numbers, not host or domain names (the
  portmapper does not attempt to resolve host/domain names, I
  suspect to prevent access via DNS spoofing).

- any stand-alone libwrap-enabled daemons (i.e., not run via inetd
  using /usr/sbin/tcpd) need to be specified separately, and not
  grouped together.  (You can group them together for daemons run
  via inetd/tcpd, e.g., "in.telnetd in.ftpd : ALL").  This especially
  applies to portmap (and sshd etc).

- for NFS to work, rpc.mountd MUST be able to resolve the IP address
  of the requesting client to a valid hostname.  (An issue not
  specifically related to wrappers or

> On Sun, 18 Jun 2000, Sangohn Christian wrote:
> >I'm trying to share some files with my second machine using NFS.
> >Everything installed fine but when trying to mount anything, I
> >always get an error:
> >sikasso:~ mount -t nfs adama:/sto /mnt/test/
> >mount: RPC: timed out
> >
> >What is the problem?

No portmapper running on adama, or no NFS services running.

This will tell you what RPC services are being offered (and will
confirm tcp wrapper access to the daemon):

        /usr/sbin/rpcinfo -p adama

To find out what NFS exports are being offered by that server, and
to whom:

        /usr/sbin/showmount -e adama

Hope this helps to clarify things.

Cheers
Tony
 -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
  Tony Nugent <[EMAIL PROTECTED]>    Systems Administrator, RHCE
  GrowZone OnLine       (a project of) GrowZone Development Network
  POBox 475 Toowoomba Queensland Australia 4350    Ph: 07 4637 8322
 -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-

# /etc/hosts.deny
# Tony Nugent <[EMAIL PROTECTED]>
# See man pages:
#   hosts.deny(5)   hosts.allow(5)
#   hosts_access(5) hosts_options(5)
#
# Send a mail message notifying root of all failed connection attempts
#
ALL : ALL : spawn ( \
/bin/echo -e "\n\
TCP Wrappers\:  Connection Refused\n\
By\:            $(uname -n)\n\
Process\:       %d (pid %p)\n\
User\:          %u\n\
Host\:          %c\n\
Date\:          $(date)\n\
" | /bin/mail -s \
"Wrappers@$(uname -n)\: %d refused for %c" root ) &

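As an added example (not code from the original mail, nor from the tcp_wrappers sources): a small Python model of the hosts_access(5) evaluation order that Tony's recommended files rely on - first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise access is granted - fed with constructed hosts.allow/hosts.deny contents, daemon names and client addresses. It deliberately passes no hostname for portmap, to mirror the quirk above that the portmapper only ever sees the peer IP, so a name-based pattern can never admit it. EXCEPT lists, the LOCAL/KNOWN/UNKNOWN/PARANOID wildcards, the rule that stand-alone daemons must be listed separately, and hosts_options(5) such as spawn are not modelled; it is an illustration of the matching order, not a replacement for tcpdmatch(8).

```python
"""Minimal model of tcp_wrappers hosts_access(5) evaluation.

Added example, not part of the original mail or of tcp_wrappers.
Covers only: daemon lists, "ALL", client patterns given as an exact IP,
a dotted prefix (10.0.), a name suffix (.example.com) or net/mask,
and the allow-then-deny-then-permit order.  Option fields are ignored.
"""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[List[str], List[str]]  # (daemon patterns, client patterns)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: option ...]' lines.
    Blank lines and '#' comments are skipped; a trailing backslash joins
    the next line, as tcpd does.  Fields after the second are ignored."""
    rules: List[Rule] = []
    for line in text.replace("\\\n", "").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("rule needs at least two fields: %r" % line)
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern: str, ip: str, hostname: Optional[str]) -> bool:
    """Match one client pattern.  hostname=None means the daemon never
    resolved the peer (the portmap case), so name-based forms cannot match."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask, mask as prefix length or dotted quad
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.endswith("."):  # 10.0. -> dotted IP prefix
        return ip.startswith(pattern)
    if pattern.startswith("."):  # .example.com -> hostname suffix
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern == ip:
        return True
    return hostname is not None and hostname.lower() == pattern.lower()


def daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def hosts_access(allow: str, deny: str, daemon: str, ip: str,
                 hostname: Optional[str] = None) -> bool:
    """True if (daemon, client) is granted, using the hosts_access(5) order:
    hosts.allow match -> grant; else hosts.deny match -> refuse; else grant."""
    def first_match(rules: List[Rule]) -> bool:
        for daemons, clients in rules:
            if any(daemon_matches(d, daemon) for d in daemons) and \
               any(client_matches(c, ip, hostname) for c in clients):
                return True
        return False

    if first_match(parse_rules(allow)):
        return True
    if first_match(parse_rules(deny)):
        return False
    return True


# Constructed sample files, modelled on the setup recommended in the mail.
HOSTS_ALLOW = """
portmap : ALL                      # RPC reachable from anywhere (IP only)
in.telnetd in.ftpd : 10.0.0.       # inetd/tcpd daemons may be grouped
sshd : .example.com                # name-based rule; sshd does resolve
"""
HOSTS_DENY = "ALL : ALL\n"          # deny everything not allowed above

if __name__ == "__main__":
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "portmap", "192.0.2.7"))         # True
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "in.ftpd", "10.0.0.5"))          # True
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "rpc.mountd", "10.0.0.5"))       # False
    # A name-based allow rule cannot admit portmap: it only has the peer IP.
    print(hosts_access("portmap : .example.com\n", HOSTS_DENY, "portmap", "192.0.2.7"))  # False
```

The last call is the point of the first quirk in the list above: with only `ALL : ALL` in hosts.deny, the portmapper is reachable solely through rules that match on the address, so a `.example.com`-style pattern silently locks everyone out.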