On Wed, Jun 05, 2002 at 04:12:02PM +1000, Chris Rennie wrote:

> It actually works fine -- until I start ipchains.  Then attempts
> to mount time-out.  I see (from netstat and log files) that the 
> NFS server is attempting to talk to the client on some random, 
> but privileged, port number in the range 500 -- 1000, approx.
> This conflicts with my client firewall configuration, in which 
> only a small number of specific ports in the privileged range 
> are open.

Change your firewall rules.  Here's how I do it:

    # allow rpc services from selected hosts and deny from all others

    INTERNAL_IF="eth0"
    INTERNAL_ADDR="`/sbin/ifconfig $INTERNAL_IF|/bin/grep 'inet addr'|/bin/sed -e 's/.*inet addr:\([0-9\.]*\).*/\1/'`"
    RPC_HOSTS=192.168.1.130/32
    ANY=0/0          # any address (used as the destination of the DENY rules)

    # the ports come from rpcinfo, so portmap and nfs must already be running;
    # the port column is deduplicated so a service registered under several
    # program versions on one port yields one rule, not several
    for protocol in tcp udp
    do
        for port in `/usr/sbin/rpcinfo -p | /bin/grep -w $protocol | /bin/awk '{print $4}' | /bin/sort -n | /usr/bin/uniq`
        do
            for host in $RPC_HOSTS
            do
                /sbin/ipchains -A input -p $protocol -s $host -d $INTERNAL_ADDR $port -i $INTERNAL_IF -j ACCEPT
            done
        done
    done

    # anything else that reaches an rpc port on this interface is logged (-l) and denied
    for protocol in tcp udp
    do
        for port in `/usr/sbin/rpcinfo -p | /bin/grep -w $protocol | /bin/awk '{print $4}' | /bin/sort -n | /usr/bin/uniq`
        do
            /sbin/ipchains -A input -p $protocol -d $ANY $port -i $INTERNAL_IF -l -j DENY
        done
    done

Of course, this needs to be done *after* you've started nfs, because it
uses rpcinfo to get the port numbers.  Some of the daemons listen on
dynamically assigned ports rather than on fixed port numbers, so you
don't know what they are until after they've started.

For a given config, the port numbers will most likely be the same on
every boot, so you could hard code the port numbers, but then you'll
change something and wonder why nfs doesn't work any more ... 


Cheers,

John
-- 
whois [EMAIL PROTECTED]
GPG key id: 0xD59C360F
http://kirriwa.net/john/
-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
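The rule generation described in John's post, plus the check his last paragraph implies (did the rpc ports move since the rules were built?), as an added example that is not part of the original post or the SLUG thread. The rpcinfo listings, port numbers, interface name and addresses are constructed sample data; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the ACCEPT/DENY rules from
# `rpcinfo -p` output the way the post does, then checks a later rpcinfo
# listing against those rules to catch the "nfs stopped working after a
# restart" case: daemons on dynamic ports that the rules no longer cover.
# All listings, ports, hosts and interface names below are constructed.

# Constructed `rpcinfo -p` output captured when the rules were built.
RPCINFO_AT_BOOT='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    859  mountd
    100005    1   tcp    861  mountd
    100005    2   udp    859  mountd
    100005    2   tcp    861  mountd
    100021    1   udp   1026  nlockmgr
    100021    1   tcp   1027  nlockmgr'

# Constructed listing from the same host after nfs was restarted: mountd and
# the tcp side of nlockmgr came back on different dynamic ports.
RPCINFO_NOW='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    863  mountd
    100005    1   tcp    865  mountd
    100021    1   udp   1026  nlockmgr
    100021    1   tcp   1029  nlockmgr'

# rpc_ports PROTO TEXT: unique ports that PROTO services listen on, one per
# line, numerically sorted. Matching the proto column exactly (instead of
# grep -w over the whole line) cannot be fooled by a service name.
rpc_ports() {
    printf '%s\n' "$2" | awk -v p="$1" '$3 == p { print $4 }' | sort -n | uniq
}

# rpc_rules TEXT IFACE LOCAL_ADDR HOST...: print the ipchains rules, one
# ACCEPT per (proto, port, trusted host), then one logged DENY per (proto, port).
rpc_rules() {
    text=$1 iface=$2 laddr=$3
    shift 3
    for proto in tcp udp; do
        for port in $(rpc_ports "$proto" "$text"); do
            for host in "$@"; do
                echo "/sbin/ipchains -A input -p $proto -s $host -d $laddr $port -i $iface -j ACCEPT"
            done
        done
    done
    for proto in tcp udp; do
        for port in $(rpc_ports "$proto" "$text"); do
            echo "/sbin/ipchains -A input -p $proto -d 0/0 $port -i $iface -l -j DENY"
        done
    done
}

# rpc_uncovered TEXT RULES: "proto port" pairs that rpcinfo reports now but no
# ACCEPT rule in RULES opens. Any output means clients will time out on them.
rpc_uncovered() {
    for proto in tcp udp; do
        for port in $(rpc_ports "$proto" "$1"); do
            printf '%s\n' "$2" | grep -q -- "-p $proto .* $port -i .*ACCEPT" ||
                echo "$proto $port"
        done
    done
}

# Build the rules from the boot-time listing (real use: "$(rpcinfo -p)").
RULES=$(rpc_rules "$RPCINFO_AT_BOOT" eth0 192.168.1.1 192.168.1.130/32)
printf '%s\n' "$RULES"
echo "--- rpc ports listening now that the rules do not open:"
rpc_uncovered "$RPCINFO_NOW" "$RULES"
```

Running rpc_uncovered against a fresh "rpcinfo -p" from cron, or from the nfs init script after a restart, turns the silent mount time-out into a visible list of ports to re-open (or a prompt to re-run the rule script).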
