Re: FC8 and NFS service

Robin Laing wrote:
Bill Davidsen wrote:
Terry Polzin wrote:
On Wednesday 20 February 2008 14:32, Bill Davidsen wrote:
I am trying to replace a bunch of NFS servers with new machines running
FC8. The NFS server is doing some kind of evil security check which was
not present in FC1, causing connection rejects like "invalid port
XXXXXX" messages. Since the port works against the FC1 server, and there
are 120-140 clients per server, running various operating systems, the
solution lies in telling the NFS service to stop doing the unwanted
security check and treat anything coming through iptables as valid.

Has someone a thought on this? Changing clients isn't going to happen,
and it seems the Solaris NFS server works (or the upgrade from FC1 might
be dropped).

--
Bill Davidsen <davidsen@xxxxxxx>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
Can we see your /etc/exports file? You may need to add insecure to your exports to use some ports in newer NFS instances.
I'm not that far along, I have just been exporting with exportfs at the moment, and I have turned secure mounts off. If that gets all clients working I'll change to using insecure.

Newer instances is right; I'm building an FC9alpha1 test box as I type. I'll test both client and server on FC[6789] and client on everything.

More later, thanks.



After having fought with NFS for a weekend I found that you have to define the ports in the NFS configuration files and then open them up in the firewall.

/etc/sysconfig/nfs

When I get an answer like this I know either I didn't explain the problem well or I don't follow at all what you are trying to do. The firewall is open now, and has been, all tcp/udp/icmp is accepted from the trusted subnet. I'm attaching my nfs file in case it tells you something it doesn't tell me.

The ports are random now.

Exactly, but even with secure NFS off I still get stuff like:
Feb 21 21:50:33 posidon mountd[26030]: refused mount request from 192.168.2.17 for /common (/common
): illegal port 60080

I can attach that if the folding is an issue. But no matter what I set in any server file, I can't change the behavior of the clients, so I need to accept what the clients have been using all along against servers on FC1 and Solaris.

At home I have now moved to sshfs instead of nfs, more secure and easier to set up.

The logistics of changing clients in any way are unacceptable. Too many clients, too many old O/S types and versions. The server has to use any port that fits in 16 bits and stop trying to do the firewall's job.

--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
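
Added example, not part of the original thread: a small Python script that pulls mountd refusals of the kind quoted above out of syslog text and groups them by export and client, showing which exports are hit by the reserved-port check (source port below 1024) that the insecure export option relaxes. The sample log is constructed, modelled on the quoted line including its fold, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample syslog, modelled on the line quoted in the thread
# (the first entry is folded onto two lines, as in the message).
SAMPLE_LOG = """\
Feb 21 21:50:33 posidon mountd[26030]: refused mount request from 192.168.2.17 for /common (/common
): illegal port 60080
Feb 21 21:50:41 posidon mountd[26030]: authenticated mount request from 192.168.2.20:812 for /common (/common)
Feb 21 21:51:02 posidon mountd[26030]: refused mount request from 192.168.2.31 for /home/data (/home): illegal port 40112
Feb 21 21:51:09 posidon mountd[26030]: refused mount request from 192.168.2.17 for /common (/common): illegal port 33411
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
REFUSED = re.compile(
    r"mountd\[\d+\]: refused mount request from (?P<client>\S+) "
    r"for (?P<path>\S+) \((?P<export>[^)]*)\): illegal port (?P<port>\d+)"
)

def unfold(text):
    """Rejoin entries that a mailer or terminal folded onto a second line."""
    entries = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not entries:
            entries.append(line)      # a new syslog entry starts here
        else:
            entries[-1] += line       # continuation of the previous entry
    return entries

def refused_by_export(text):
    """Map export -> {client: sorted list of refused source ports}."""
    found = defaultdict(lambda: defaultdict(set))
    for entry in unfold(text):
        m = REFUSED.search(entry)
        if m:
            found[m["export"].strip()][m["client"]].add(int(m["port"]))
    return {exp: {c: sorted(p) for c, p in clients.items()}
            for exp, clients in found.items()}

if __name__ == "__main__":
    for export, clients in refused_by_export(SAMPLE_LOG).items():
        for client, ports in clients.items():
            print(f"{export}: {client} refused from source port(s) {ports}")
```
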

