NFS through firewall
Amadeus W. M.
amadeus84 at cablespeed.com
Fri Nov 18 16:33:54 UTC 2005
On Thu, 17 Nov 2005 09:26:14 -0500, James Pifer wrote:
> Hi. I have a server in our DMZ and I'm exporting a specific directory
> with NFS. I have an internal server that I want to mount it on. The
> internal server is allowed through the firewall without restriction.
> Firewall guy tells me it's wide open for this internal server, TCP and
> UDP.
>
> When I try to mount the drive I get this error:
> pmap_getmaps rpc problem: RPC: Unable to receive; errno = Connection
> reset by peer
>
> On the server running NFS I get this:
> rpc.mountd: authenticated mount request from [internal_server]:680
> for /usr/test (/usr/test)
>
> If I do an nmap from the internal server to the external server running
> I get:
>
> (The 1648 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 22/tcp open ssh
> 80/tcp open http
> 111/tcp open rpcbind
> 443/tcp open https
> 933/tcp open unknown
> 5001/tcp open commplex-link
> 5801/tcp open vnc-http-1
> 5901/tcp open vnc-1
> 10000/tcp open snet-sensor-mgmt
>
> A UDP port scan seems to hang.
>
> If I do an rpcinfo on the external server running NFS I get:
> # rpcinfo -p 127.0.0.1
> program vers proto port
> 100000 2 tcp 111 portmapper
> 100000 2 udp 111 portmapper
> 100024 1 udp 32768 status
> 100024 1 tcp 32768 status
> 391002 2 tcp 32769 sgi_fam
> 100011 1 udp 930 rquotad
> 100011 2 udp 930 rquotad
> 100011 1 tcp 933 rquotad
> 100011 2 tcp 933 rquotad
> 100003 2 udp 2049 nfs
> 100003 3 udp 2049 nfs
> 100021 1 udp 32781 nlockmgr
> 100021 3 udp 32781 nlockmgr
> 100021 4 udp 32781 nlockmgr
> 100005 1 udp 32782 mountd
> 100005 1 tcp 59483 mountd
> 100005 2 udp 32782 mountd
> 100005 2 tcp 59483 mountd
> 100005 3 udp 32782 mountd
> 100005 3 tcp 59483 mountd
>
> Any thoughts on what the problem is?
>
> Thanks,
> James
Besides the firewall, other things to check for are tcp wrappers
(/etc/hosts.allow/deny - I once pulled hair over this one), and permisions
of the partitions exported by the NFS server.
On the client do a
/usr/sbin/showmount -e nfs.server.com
Whenever you modify something on the nfs server, run
exportfs -r
or restart the nfs server (better, because it restarts the rpc services
too).
Also, you're not root on the client when you're trying to access the
exports, are you? By default, the nfs server does not treat a remote root
user as its own root user, for the obvious reasons. So if you're root on
the client and try to access an exported partition that belongs to, say,
joe/users, you'll get an error.
Also, the nfs server need not give unrestricted access to a client to
access nfs. The problem with nfs and firewall is that the rpc services run
on random ports, so the firewall would have to open the same (random)
ports to allow access to nfs. Fortunately, nfsd can be configured so that
the rpc services run on fixed ports, like so:
On the nfs server:
cat /etc/sysconfig/nfs
STATD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
RQUOTAD_PORT=4003
Still on the nfs server, in /etc/sysconfig/iptables put these rules:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4000:4003 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4000:4003 -j ACCEPT
These will allow anything to access the nfs/rpc ports. To allow a
only single machine, add its address to these rules.
More information about the fedora-list
mailing list