On 10/20/06, Margaret Doll <Margaret_Doll@xxxxxxxxx> wrote:
I am finding that FC3 requires me to allow more open ports for NFS to work. I have to modify iptables. With FC2, I did not have to do this. With iptables off, NFS mounting works on FC3. I have tcp port 111 opened now and am hunting for the additional ports that I need.
Hi Again Margaret Doll!

Sounds like your hunting has been very good! I note:

# From: http://www.troubleshooters.com/linux/nfs.htm
-----------------------------------------------------------------------------------------------------
5: If there are still problems, disable firewalls or log firewalls

Many supposed NFS problems are really problems with the firewall. In order for your NFS server to successfully serve NFS shares, its firewall must enable the following:

  - ICMP Type 3 packets
  - Port 111, the Portmap daemon
  - Port 2049, NFS
  - The port(s) assigned to the mountd daemon

The easiest way to see whether your problem resides in the firewall is to completely open up the client and server firewalls and anything in between. For details on how to manipulate iptables see the May 2003 Linux Productivity Magazine.

Note that opening up firewalls is appropriate only if you're disconnected from the Internet, or if you're in a very un-hostile environment. Even so, you should open up the firewalls for a very short time (less than 5 minutes). If in doubt, instead of opening the firewalls, insert logging statements in IPTables to show what packets are being rejected during NFS mounts, and take action to enable those ports. For details on IPTables diagnostic logging, see the May 2003 Linux Productivity Magazine.

The mountd daemon ports are especially problematic, because they're normally assigned by the portmap daemon, and vary from NFS restart to NFS restart. The /etc/rc.d/init.d/nfs script can be changed to nail down the mountd daemon to a specific port, which then enables you to pinhole a specific port. The "A Somewhat Practical Server Firewall" article in the May 2003 Linux Productivity Magazine explains how to do this.

If for some reason you don't want to nail down the port, your only other alternatives are to create a firewall enabling a huge range of ports in the 30000's, or to create a master NFS restart script which does the following:

  1. Use the rpcinfo program to find all ports used by mountd.
  2. Issue iptables commands to find the rule numbers for those ports.
  3. Issue iptables commands to delete all rules on those ports.
  4. Restart NFS.
  5. Use the rpcinfo program to find all ports used by mountd.
  6. Issue iptables commands to insert rules for those ports where the rules for those ports used to be.

One technique that might make that easier is to create a user defined chain just to hold mountd rules. In that case you'd simply empty that chain, restart NFS, use rpcinfo to find the port numbers, and add the proper rules using the iptables -A command.

It bears repeating that the May 2003 Linux Productivity Magazine details how to create an NFS friendly firewall.
-------------------------------------------------------------------------

You have probably made my future life easier, thanks!

Tod
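The user-defined-chain approach that the quoted troubleshooters.com text describes, written out as an added shell example (it is not code from the original thread, from Tod, or from that article). It parses a constructed sample of `rpcinfo -p` output, picks out the mountd ports, and emits the iptables commands that rebuild a dedicated chain for them; the chain name MOUNTD and the sample port numbers are assumptions. Nothing is executed against the live firewall: the script prints the commands so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example: rebuild a dedicated iptables chain for mountd from rpcinfo -p.
# Not from the original thread or the quoted article; chain name and sample
# ports are assumptions.

# Constructed sample of `rpcinfo -p` output, in the column layout the real
# tool prints (program, version, protocol, port, service).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100005    2   udp  32768  mountd
    100005    2   tcp  32769  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs'

# mountd_ports: read rpcinfo -p text on stdin and print each distinct
# "proto port" pair registered by mountd, one per line.
# mountd registers several versions on the same port, hence sort -u.
mountd_ports() {
    awk '$5 == "mountd" { print $3, $4 }' | sort -u
}

# mountd_rules CHAIN: read rpcinfo -p text on stdin and print the iptables
# commands that empty CHAIN and re-add one ACCEPT rule per mountd port.
# Only the dedicated chain is flushed, so the rest of the ruleset is untouched.
mountd_rules() {
    chain="$1"
    echo "iptables -F $chain"
    mountd_ports | while read -r proto port; do
        echo "iptables -A $chain -p $proto --dport $port -j ACCEPT"
    done
}

# One-time setup on a real host (not run here): create the chain and hook it
# into INPUT so that flushing it never disturbs the other rules.
#   iptables -N MOUNTD
#   iptables -I INPUT -j MOUNTD
#
# NFS restart sequence, following the quoted article's steps:
#   iptables -F MOUNTD
#   service nfs restart
#   rpcinfo -p | mountd_rules MOUNTD | sh

# Demonstration on the constructed sample: prints the generated commands.
printf '%s\n' "$SAMPLE_RPCINFO" | mountd_rules MOUNTD
```

Port 111 and 2049 stay in the static part of the firewall, since only the mountd ports move between restarts; the generated chain carries just those, which keeps the pinholes as narrow as the article recommends.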