FC8 and NFS service
Bill Davidsen
davidsen at tmr.com
Fri Feb 22 23:40:59 UTC 2008
Robin Laing wrote:
> Bill Davidsen wrote:
>> Terry Polzin wrote:
>>> On Wednesday 20 February 2008 14:32, Bill Davidsen wrote:
>>>> I am trying to replace a bunch of NFS servers with new machines running
>>>> FC8. The NFS server is doing some kind of evil security check which was
>>>> not present in FC1, causing connection rejects like "invalid port
>>>> XXXXXX" messages. Since the port works against the FC1 server, and there
>>>> are 120-140 clients per server, running various operating systems, the
>>>> solution lies in telling the NFS service to stop doing the unwanted
>>>> security check and treat anything coming through iptables as valid.
>>>>
>>>> Has someone a thought on this? Changing clients isn't going to happen,
>>>> and it seems the Solaris NFS server works (or the upgrade from FC1 might
>>>> be dropped).
>>>>
>>>> --
>>>> Bill Davidsen <davidsen at tmr.com>
>>>> "We have more to fear from the bungling of the incompetent than from
>>>> the machinations of the wicked." - from Slashdot
>>> Can we see your /etc/exports file? You may need to add insecure to
>>> your exports to use some ports in newer NFS instances.
>> I'm not that far along, I have just been exporting with exportfs at
>> the moment, and I have turned secure mounts off. If that gets all
>> clients working I'll change to using insecure.
>>
>> Newer instances is right, I'm building a FC9alpha1 test box as I type,
>> I'll test both client and server on FC[6789] and client on everything.
>>
>> More later, thanks.
>>
>
>
> After having fought with NFS for a weekend I found that you have to
> define the ports in the NFS configuration files and then open them up in
> the firewall.
>
> /etc/sysconfig/nfs
>
When I get an answer like this I know either I didn't explain the
problem well or I don't follow at all what you are trying to do. The
firewall is open now, and has been, all tcp/udp/icmp is accepted from
the trusted subnet. I'm attaching my nfs file in case it tells you
something it doesn't tell me.
> The ports are random now.
>
Exactly, but even with secure NFS off I still get stuff like:
Feb 21 21:50:33 posidon mountd[26030]: refused mount request from
192.168.2.17 for /common (/common
): illegal port 60080
I can attach that if the folding is an issue. But no matter what I set
in any server file, I can't change the behavior of the clients, so I
need to accept what the clients have been using all along against
servers on FC1 and Solaris.
> At home I have now moved to sshfs instead of nfs, more secure and easier
> to set up.
>
The logistics of changing clients in any way are unacceptable. Too many
clients, too many old O/S types and versions. The server has to use any
port that fits in 16 bits and stop trying to do the firewall's job.
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
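
Added example, not part of the original message: a Python sketch that rejoins mail-folded syslog records like the one quoted above and lists, per export, which clients mountd refused for mounting from a source port above 1023, which is what the default `secure` export option rejects and the `insecure` option suggested earlier in the thread allows. The first sample record is the one from the post; the other two records and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First record is the folded log entry quoted in the post;
# the other two records are constructed sample data.
SAMPLE = """\
Feb 21 21:50:33 posidon mountd[26030]: refused mount request from
192.168.2.17 for /common (/common
): illegal port 60080
Feb 21 21:51:02 posidon mountd[26030]: refused mount request from 192.168.2.23 for /common (/common): illegal port 51234
Feb 21 21:52:10 posidon mountd[26030]: authenticated mount request from 192.168.2.40:812 for /common (/common)
"""

# mountd's refusal text as shown in the post; \s* tolerates the fold before ")".
REFUSAL = re.compile(
    r"mountd\[\d+\]: refused mount request from (?P<client>\S+) "
    r"for (?P<path>\S+) \((?P<export>\S+?)\s*\): illegal port (?P<port>\d+)"
)
RECORD_START = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # "Feb 21 21:50:33 "
RESERVED_MAX = 1023  # exports default to `secure`: source port must be <= 1023


def unfold(text):
    """Rejoin syslog records that a mail client wrapped across lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:  # no timestamp: continuation of the previous record
            records[-1] += " " + line.strip()
    return records


def summarize(text):
    """Return {export: {client: {ports}}} for 'illegal port' refusals."""
    hits = defaultdict(lambda: defaultdict(set))
    for record in unfold(text):
        m = REFUSAL.search(record)
        if m and int(m["port"]) > RESERVED_MAX:
            hits[m["export"]][m["client"]].add(int(m["port"]))
    return {export: dict(clients) for export, clients in hits.items()}


if __name__ == "__main__":
    for export, clients in summarize(SAMPLE).items():
        for client, ports in sorted(clients.items()):
            print(f"{export}: {client} refused, unprivileged port(s) {sorted(ports)}")
```
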