FC8 and NFS service

Bill Davidsen davidsen at tmr.com
Fri Feb 22 23:40:59 UTC 2008


Robin Laing wrote:
> Bill Davidsen wrote:
>> Terry Polzin wrote:
>>> On Wednesday 20 February 2008 14:32, Bill Davidsen wrote:
>>>> I am trying to replace a bunch of NFS servers with new machines running
>>>> FC8. The NFS server is doing some kind of evil security check which was
>>>> not present in FC1, causing connection rejects like "invalid port
>>>> XXXXXX" messages. Since the port works against the FC1 server, and there
>>>> are 120-140 clients per server, running various operating systems, the
>>>> solution lies in telling the NFS service to stop doing the unwanted
>>>> security check and treat anything coming through iptables as valid.
>>>>
>>>> Has someone a thought on this? Changing clients isn't going to happen,
>>>> and it seems the Solaris NFS server works (or the upgrade from FC1 might
>>>> be dropped).
>>>>
>>>> -- 
>>>> Bill Davidsen <davidsen at tmr.com>
>>>>    "We have more to fear from the bungling of the incompetent than from
>>>> the machinations of the wicked."  - from Slashdot
>>> Can we see your /etc/exports file?  You may need to add insecure to 
>>> your exports to use some ports in newer NFS instances. 
>> I'm not that far along, I have just been exporting with exportfs at 
>> the moment, and I have turned secure mounts off. If that gets all 
>> clients working I'll change to using insecure.
>>
>> Newer instances is right, I'm building a FC9alpha1 test box as I type, 
>> I'll test both client and server on FC[6789] and client on everything.
>>
>> More later, thanks.
>>
> 
> 
> After having fought with NFS for a weekend I found that you have to 
> define the ports in the NFS configuration files and then open them up in 
> the firewall.
> 
> /etc/sysconfig/nfs
> 
When I get an answer like this I know either I didn't explain the 
problem well or I don't follow at all what you are trying to do. The 
firewall is open now, and has been, all tcp/udp/icmp is accepted from 
the trusted subnet. I'm attaching my nfs file in case it tells you 
something it doesn't tell me.

> The ports are random now.
> 
Exactly, but even with secure NFS off I still get stuff like:
	Feb 21 21:50:33 posidon mountd[26030]: refused mount request from 
192.168.2.17 for /common (/common
): illegal port 60080

I can attach that if the folding is an issue. But no matter what I set 
in any server file, I can't change the behavior of the clients, so I 
need to accept what the clients have been using all along against 
servers on FC1 and Solaris.

> At home I have now moved to sshfs instead of nfs, more secure and easier 
> to set up.
> 
The logistics of changing clients in any way are unacceptable. Too many 
clients, too many old O/S types and versions. The server has to use any 
port that fits in 16 bits and stop trying to do the firewall's job.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
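
An added example, not part of the original message or of nfs-utils: a Python sketch that tallies mountd "illegal port" refusals per client and export from syslog text, so the clients connecting from source ports of 1024 and above (the range the `secure` export option rejects, per exports(5)) can be listed before export options are changed. The function names are hypothetical, and the sample log is constructed apart from its first entry, which mirrors the folded line quoted above.

```python
import re
from collections import defaultdict

# exports(5): the default "secure" option requires the client's source port
# to be below IPPORT_RESERVED (1024); "insecure" lifts that requirement.
IPPORT_RESERVED = 1024

REFUSAL = re.compile(
    r"mountd\[\d+\]: refused mount request from (?P<client>\S+) "
    r"for (?P<path>\S+) \((?P<export>[^)]*)\): illegal port (?P<port>\d+)"
)

# Constructed sample. The first entry is folded the way the mail above folds it;
# the remaining clients and ports are made up for illustration.
SAMPLE_LOG = """\
Feb 21 21:50:33 posidon mountd[26030]: refused mount request from
192.168.2.17 for /common (/common
): illegal port 60080
Feb 21 21:50:41 posidon mountd[26030]: refused mount request from 192.168.2.23 for /common (/common): illegal port 1024
Feb 21 21:51:02 posidon mountd[26030]: some unrelated mountd message
Feb 21 21:51:09 posidon mountd[26030]: refused mount request from 192.168.2.17 for /common (/common): illegal port 60112
"""


def summarize_refusals(log_text):
    """Map (client, export) -> sorted source ports that mountd refused."""
    flat = re.sub(r"\s+", " ", log_text)  # undo folding before matching
    seen = defaultdict(set)
    for m in REFUSAL.finditer(flat):
        seen[(m["client"], m["export"].strip())].add(int(m["port"]))
    return {key: sorted(ports) for key, ports in seen.items()}


def outside_reserved_range(ports):
    """True if every port is one the reserved-port check would reject."""
    return bool(ports) and all(p >= IPPORT_RESERVED for p in ports)


def report(log_text):
    """One line per client/export pair, for review before editing exports."""
    lines = []
    for (client, export), ports in sorted(summarize_refusals(log_text).items()):
        tag = "non-reserved" if outside_reserved_range(ports) else "mixed/reserved"
        lines.append(f"{client} {export} ports={ports} {tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```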



