Robin Laing wrote:
Bill Davidsen wrote:
Terry Polzin wrote:
On Wednesday 20 February 2008 14:32, Bill Davidsen wrote:
I am trying to replace a bunch of NFS servers with new machines running
FC8. The NFS server is doing some kind of evil security check which was
not present in FC1, causing connection rejects like "invalid port
XXXXXX" messages. Since the port works against the FC1 server, and there
are 120-140 clients per server, running various operating systems, the
solution lies in telling the NFS service to stop doing the unwanted
security check and treat anything coming through iptables as valid.
Has someone a thought on this? Changing clients isn't going to happen,
and it seems the Solaris NFS server works (or the upgrade from FC1 might
be dropped).
--
Bill Davidsen <davidsen@xxxxxxx>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
Can we see your /etc/exports file? You may need to add insecure to
your exports to use some ports in newer NFS instances.
I'm not that far along, I have just been exporting with exportfs at
the moment, and I have turned secure mounts off. If that gets all
clients working I'll change to using insecure.
Newer instances is right, I'm building a FC9alpha1 test box as I type,
I'll test both client and server on FC[6789] and client on everything.
More later, thanks.
After having fought with NFS for a weekend I found that you have to
define the ports in the NFS configuration files and then open them up in
the firewall.
/etc/sysconfig/nfs
When I get an answer like this I know either I didn't explain the
problem well or I don't follow at all what you are trying to do. The
firewall is open now, and has been, all tcp/udp/icmp is accepted from
the trusted subnet. I'm attaching my nfs file in case it tells you
something it doesn't tell me.
The ports are random now.
Exactly, but even with secure NFS off I still get stuff like:
Feb 21 21:50:33 posidon mountd[26030]: refused mount request from 192.168.2.17 for /common (/common): illegal port 60080
I can attach that if the folding is an issue. But no matter what I set
in any server file, I can't change the behavior of the clients, so I
need to accept what the clients have been using all along against
servers on FC1 and Solaris.
At home I have now moved to sshfs instead of nfs, more secure and easier
to setup.
The logistics of changing clients in any way are unacceptable. Too many
clients, too many old O/S types and versions. The server has to use any
port that fits in 16 bits and stop trying to do the firewall's job.
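The "illegal port" refusal in the thread comes from the default "secure" export option, which makes mountd and nfsd reject requests whose source port is 1024 or higher; the "insecure" option turns that check off per export. The following script is an added example, not code from the thread or from the Fedora NFS packages: it parses constructed mountd log lines modelled on the one quoted above, lists the exports whose refusals were caused by the port check, and prints the /etc/exports lines that would accept those clients. The subnet 192.168.2.0/24, the rw,sync options and the sample log contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example: map mountd "illegal port" refusals to /etc/exports fixes.
# Nothing here is from the original thread; sample data is constructed.

# Constructed sample of mountd log lines (assumed format, modelled on the
# line quoted in the thread). The third line is an accepted request from a
# privileged client port and must not show up as a refusal.
SAMPLE_LOG='Feb 21 21:50:33 posidon mountd[26030]: refused mount request from 192.168.2.17 for /common (/common): illegal port 60080
Feb 21 21:51:02 posidon mountd[26030]: refused mount request from 192.168.2.40 for /home (/home): illegal port 33412
Feb 21 21:52:10 posidon mountd[26030]: authenticated mount request from 192.168.2.5:784 for /common (/common)'

# Assumed trusted client subnet; the "insecure" option only drops the port
# check, so access is still gated purely by the client address list.
TRUSTED_NET=192.168.2.0/24

# The "secure" check: source port must be a privileged port (1..1023).
# Returns 0 if the port would pass, 1 if mountd would refuse it.
port_is_privileged() {
    [ "$1" -ge 1 ] && [ "$1" -lt 1024 ]
}

# Extract "client export port" from every port-check refusal in the log text.
refused_by_port_check() {
    printf '%s\n' "$1" | sed -n \
        's/.*refused mount request from \([^ ]*\) for \([^ ]*\) .*illegal port \([0-9]*\)$/\1 \2 \3/p'
}

# Exports that were refused only because the client used an unprivileged
# port, i.e. the ones that need "insecure" (deduplicated, sorted).
exports_needing_insecure() {
    refused_by_port_check "$1" | while read -r client export port; do
        port_is_privileged "$port" || printf '%s\n' "$export"
    done | sort -u
}

# Build the /etc/exports line that accepts unprivileged client ports.
exports_line() {
    printf '%s %s(rw,sync,insecure)\n' "$1" "$2"
}

# Fixed-port settings for /etc/sysconfig/nfs (variable names as used by the
# Fedora nfs-utils init scripts of that era; values are assumptions), so the
# daemons stop picking random ports and the firewall can be written for them.
sysconfig_nfs_fragment() {
    printf 'MOUNTD_PORT=%s\nSTATD_PORT=%s\nLOCKD_TCPPORT=%s\nLOCKD_UDPPORT=%s\n' \
        "${1:-892}" "${2:-662}" "${3:-32803}" "${4:-32769}"
}

# Stand-alone usage: show what would be appended to /etc/exports.
echo "# exports to change (run 'exportfs -ra' after editing):"
exports_needing_insecure "$SAMPLE_LOG" | while read -r export; do
    exports_line "$export" "$TRUSTED_NET"
done
echo "# /etc/sysconfig/nfs fragment for fixed ports:"
sysconfig_nfs_fragment
```

After editing /etc/exports, `exportfs -ra` reloads the table without restarting the server. Note that "insecure" removes only the privileged-port requirement; with AUTH_SYS the server still trusts the client's claimed uid/gid, so the client address list in the export is the only access control left, which is why the subnet is written explicitly rather than `*`.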