On Mon, 2006-05-15 at 16:51 -0500, Hongwei Li wrote: > I want to ask another question -- Why do we need the last line in the file > iptables: > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited > > If I comment it out, then everything works. Will that cause firewall actually > not functioning? In fc3,fc4 I don't see similar line in the default firewall > setting. Something new in fc5? If this gets posted twice, I apologize. I posted the first version over an hour ago, and I've seen nothing. You're also going to need to unblock ports for portmapper, mountd, rquotad, and (maybe) rstatd and nfslockd. I have no rules for rstatd and nfslockd, and can nfs3 mount without problems. Create a file on the server at /etc/sysconfig/nfs that will bind mountd and rquotad to fixed ports (I use 922 and 923, but you don't have to). [root@petrel ~]# cat /etc/sysconfig/nfs export MOUNTD_PORT=922 export RQUOTAD_PORT=923 Then, in /etc/sysconfig/iptables, add the following rules (change the -s address as appropriate, or remove it altogether): -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 922 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 922 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 923 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 923 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 111 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp --dport 111 -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
