On Wed, 2007-11-14 at 09:16 -0800, Tom Eastep wrote:
> Eric Swanson wrote:

> > Perhaps of note is that at each panic, Shorewall reports a different SPT
> > and DPT.

Probably NFS related traffic, which defaults to random ports...


> Again, it is not Shorewall that is generating those log messages --
> Shorewall has configured Netfilter (part of your kernel) to generate those
> messages under certain conditions (the messages you are seeing are probably
> the result of a REJECT policy from fw->loc -- see Shorewall FAQ 17). When
> using NFS (or any portmapper-based application), it is the least painful
> strategy to simply allow all UDP traffic (in both directions) between the

That depends on your definition of "painful". For me, opening all UDP
ports is more painful than spending a couple of minutes configuring the
server. :)

> client(s) and the server. You might find that you can work around the
> problem if you do that.
> 
> /etc/shorewall/rules:
> 
>       ACCEPT  fw      loc     udp
>       ACCEPT  loc     fw      udp

See http://shorewall.net/ports.htm#NFS, which points to my documentation
and rules for "pinning down NFS". That way, you can restrict NFS to a
few fixed ports only, instead of opening everything.

  karsten


-- 
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      http://www.chiark.greenend.org.uk/~sgtatham/bugs.html

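As an added example (not from this thread or the Shorewall project): the Netfilter log lines Tom refers to carry the rejected SPT/DPT, so once NFS has been pinned you can check the log for rejected UDP ports that fall outside the pinned set. The sample log lines are constructed, and apart from portmapper (111) and nfsd (2049) the pinned port numbers are assumed values.

```python
import re
from collections import Counter

# Assumed pinned NFS UDP ports: 111 (portmapper) and 2049 (nfsd) are the
# standard ones; 4000-4002 are constructed placeholders for mountd/statd/lockd.
PINNED_NFS_UDP_PORTS = {111, 2049, 4000, 4001, 4002}

# Shorewall's Netfilter log prefix is "Shorewall:<chain>:<disposition>:",
# followed by the kernel's packet fields (SRC, DST, PROTO, SPT, DPT, ...).
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):.*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Nov 14 09:10:01 gw kernel: Shorewall:fw2loc:REJECT:IN= OUT=eth1 "
    "SRC=192.168.1.1 DST=192.168.1.20 LEN=72 TTL=64 PROTO=UDP SPT=32791 DPT=867 LEN=52",
    "Nov 14 09:10:03 gw kernel: Shorewall:fw2loc:REJECT:IN= OUT=eth1 "
    "SRC=192.168.1.1 DST=192.168.1.20 LEN=72 TTL=64 PROTO=UDP SPT=32793 DPT=32768 LEN=52",
    "Nov 14 09:10:05 gw kernel: Shorewall:fw2loc:REJECT:IN= OUT=eth1 "
    "SRC=192.168.1.1 DST=192.168.1.20 LEN=72 TTL=64 PROTO=UDP SPT=32795 DPT=2049 LEN=52",
    "Nov 14 09:10:07 gw kernel: Shorewall:fw2loc:REJECT:IN= OUT=eth1 "
    "SRC=192.168.1.1 DST=192.168.1.20 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=22 WINDOW=5840",
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not a Shorewall log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("spt", "dpt"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def classify_rejects(lines, pinned=PINNED_NFS_UDP_PORTS):
    """Count rejected UDP destination ports, split into pinned and unpinned sets.

    Rejects to pinned ports mean the allow rule for that port is missing;
    rejects to unpinned ports mean some RPC service is still on a random port.
    """
    pinned_hits, unpinned = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["disp"] not in ("REJECT", "DROP") or rec["proto"] != "UDP":
            continue
        target = pinned_hits if rec["dpt"] in pinned else unpinned
        target[rec["dpt"]] += 1
    return pinned_hits, unpinned


if __name__ == "__main__":
    pinned_hits, unpinned = classify_rejects(SAMPLE_LOG)
    print("rejected on pinned NFS ports:", dict(pinned_hits))
    print("rejected on unpinned ports:  ", dict(unpinned))
```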

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users