Something has bugged me for ages about trying to use NFS between machines on the LAN. I've still got a central server running FC4, because everything (FC 5 through to 7) can make use of it. But none of the other OSs can do machine to machine NFS to each other (not FC5 to FC5, FC6 to FC6, nor FC7 to FC7), even though I've ticked the system-config-securitylevel box to allow NFS through the firewall, I have to disable the firewall to do it.
Why does it give an NFS option if it doesn't work? All the other service tick boxes work (if I tick WWW, I can webserve without any firewall issues, etc.). Surely, given a firewall configurator with preset options, all that two FC7 users need to do to NFS between each other is to tick the NFS option? It seems extraordinarily badly designed if it doesn't.
Yes, I have allowed NFS options in the SELinux configurator, as well. And, no, I do NOT want to use Samba.
Any box can use the auto networking thingo where something like less /net/server/home/tim/testfile automatically works. But try accessing any of the newer than FC4 boxes, and it doesn't.
e.g.
[tim@suspishus ~]$ ls /net/bigblack/home/tim/
ls: cannot access /net/bigblack/home/tim/: No such file or directory
With "bigblack" being the hostname of a FC7 box on the LAN. And, yes, the name resolves. I have fully functioning local DNS, in both forward and reverse directions.
On Tue, Jan 01, 2008 at 12:25:05PM +1030, Tim wrote:
Something has bugged me for ages about trying to use NFS between machines on the LAN.
http://www.charlescurley.com/nfs.html
Tim:
Something has bugged me for ages about trying to use NFS between machines on the LAN.
Charles Curley:
I'll have a bash at that a bit later, but the question still stands about what's the point of the NFS checkmark in the firewall configurator, if it can't actually do the trick? They might as well have named it "waste your time."
Charles Curley wrote:
On Tue, Jan 01, 2008 at 12:25:05PM +1030, Tim wrote:
Something has bugged me for ages about trying to use NFS between machines on the LAN.
Charles has given a link to his fairly comprehensive method for getting NFS-v[123] in an Iptables firewalled environment.
It should be noted that in the system-config-firewall command, they are talking about NFS-v4 which is more like FTP in its use of ports. The older protocol versions are much harder to configure.
I took a different tack in solving the problem... I decided that inside my firewall, on the private-IP lan (I use a 10.x.x.x set of addresses) I want to treat the locally addressed network as a "trusted" network. Older versions of the firewall configurator (prior to F6?) had a checkbox to select such an option; the current s-c-firewall doesn't offer this.
What I did was insert a rule on the INPUT ruleset in front of the RH-Firewall-INPUT call:
#/etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
-I INPUT --src 10.0.1.0/24 -j ACCEPT    #<-------Inserted
-I INPUT --in-interface lo --jump ACCEPT
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH. . .
The 10.0.1.0/24 should be replaced with the CIDR of your local network. This preempts the Firewall chain if the address is in the noted network. Since the 10.x.x.x and other private address IP ranges are non-routable (meaning they won't be passed through a router generally) it is moderately safe to presume that such addresses originated inside your border firewall, and that they may use any available services without restrictions.
Once you edit the firewall rules in /etc/sysconfig/iptables (or do the slightly more complicated steps necessary to get F8 s-c-f to deal with a custom ruleset) older NFS versions will "automagically" work as long as you have the exports file set correctly.
This is less than professionally paranoid in terms of security, but I offer it as another method that solves more than the NFS problem.
On Tue, 01 Jan 2008 18:29:52 +1030, Tim wrote:
Tim:
Something has bugged me for ages about trying to use NFS between machines on the LAN.
Charles Curley:
I'll have a bash at that a bit later, but the question still stands about what's the point of the NFS checkmark in the firewall configurator, if it can't actually do the trick? They might as well have named it "waste your time."
--
[tim@bigblack ~]$ uname -ipr
2.6.23.1-10.fc7 i686 i386
Using FC 4, 5, 6 & 7, plus CentOS 5. Today, it's FC7.
Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
The difficulty with nfs is that it uses a few auxiliary rpc services, which by default get started on a random port. These random ports must be open in the firewall, but because they are random, the iptables has no idea what they might be.
The cure is to force these services to ALWAYS start on pre-assigned ports, and open these ports in the firewall.
To this end, on the nfs server
1) Create a file /etc/sysconfig/nfs with the following contents:
RQUOTAD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
STATD_PORT=4003
The nfs config file already exists, but it's full of comments. Erase everything and put these lines in, or just edit the appropriate lines in the existing file. You can choose any ports available, not necessarily 4000-4003.
2) Open range 4000-4003 tcp and udp in iptables. This you can do manually, but it can be done from system-config-firewall very easily and intuitively.
3) Open port 111 (portmapper) and 2049 (nfs) as well.
Done.
Now, from any client (which should be running the automounter (autofs) by default), you should be able to
cd /net/nfsserver/exported/partition
I have all this up and running, and it's pretty cool to watch video that resides on my main pc (nfs server) on my big hdtv, via nfs and a wireless laptop that sits on top of my tv.
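A small script, added here and not from any poster in the thread, that ties the two approaches together: it emits firewall rules for portmapper, nfs and the pinned auxiliary ports scoped to a LAN CIDR (the RH-Firewall-1-INPUT chain name and the 4000-4003 port values are assumed from the posts above), and it checks a constructed `rpcinfo -p` listing for any RPC service that did not land on its pinned port, which is the usual reason a mount still hangs after the firewall has been opened.

```shell
# Pinned NFS auxiliary ports: the same values as the /etc/sysconfig/nfs lines above.
RQUOTAD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
STATD_PORT=4003

# Print iptables rules (/etc/sysconfig/iptables syntax) opening portmapper (111),
# nfs (2049) and the pinned ports, but only for clients in the given LAN CIDR.
# The RH-Firewall-1-INPUT chain name is the one the earlier post's file uses.
nfs_rules() {
  lan="$1"
  for p in 111 2049 $RQUOTAD_PORT $LOCKD_TCPPORT $MOUNTD_PORT $STATD_PORT; do
    printf '%s\n' "-A RH-Firewall-1-INPUT -s $lan -p tcp -m state --state NEW -m tcp --dport $p -j ACCEPT"
  done
  for p in 111 2049 $RQUOTAD_PORT $LOCKD_UDPPORT $MOUNTD_PORT $STATD_PORT; do
    printf '%s\n' "-A RH-Firewall-1-INPUT -s $lan -p udp -m udp --dport $p -j ACCEPT"
  done
}

# Read 'rpcinfo -p' output on stdin; report every mountd/status/rquotad/nlockmgr
# registration that is not on its pinned port (daemon started before the edit, or
# ignored it), i.e. a port the firewall will still block. Exit status 1 if any.
check_rpc_ports() {
  awk -v m="$MOUNTD_PORT" -v s="$STATD_PORT" -v q="$RQUOTAD_PORT" \
      -v lt="$LOCKD_TCPPORT" -v lu="$LOCKD_UDPPORT" '
    BEGIN { bad = 0 }                      # columns: program vers proto port service
    $5 == "mountd"   { want = m }
    $5 == "status"   { want = s }
    $5 == "rquotad"  { want = q }
    $5 == "nlockmgr" { want = ($3 == "tcp") ? lt : lu }
    $5 ~ /^(mountd|status|rquotad|nlockmgr)$/ && $4 != want {
      printf "%s/%s registered on port %s, expected %s\n", $5, $3, $4, want; bad = 1
    }
    END { exit bad }'
}

# Constructed 'rpcinfo -p' sample: all pinned except nlockmgr/udp, which still sits
# on a kernel-chosen port, the "random port" the post describes.
sample_rpcinfo() {
  cat <<'EOF'
    100000    2   tcp    111  portmapper
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100024    1   udp   4003  status
    100021    1   tcp   4001  nlockmgr
    100021    1   udp  32768  nlockmgr
EOF
}
```

On a real server run `rpcinfo -p | check_rpc_ports` after restarting the nfs and nfslock services; a non-empty report means the pinned ports did not take and the firewall rules will not match.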
Amadeus W.M. wrote:
On Tue, 01 Jan 2008 18:29:52 +1030, Tim wrote:
Tim:
Something has bugged me for ages about trying to use NFS between machines on the LAN.
Charles Curley:
I'll have a bash at that a bit later, but the question still stands about what's the point of the NFS checkmark in the firewall configurator, if it can't actually do the trick? They might as well have named it "waste your time."
--
[tim@bigblack ~]$ uname -ipr
2.6.23.1-10.fc7 i686 i386
Using FC 4, 5, 6 & 7, plus CentOS 5. Today, it's FC7.
Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
The difficulty with nfs is that it uses a few auxiliary rpc services, which by default get started on a random port. These random ports must be open in the firewall, but because they are random, the iptables has no idea what they might be.
The cure is to force these services to ALWAYS start on pre-assigned ports, and open these ports in the firewall.
To this end, on the nfs server
- Create a file /etc/sysconfig/nfs with the following contents:
RQUOTAD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
STATD_PORT=4003
The nfs config file already exists, but it's full of comments. Erase everything and put these lines in, or just edit the appropriate lines in the existing file. You can choose any ports available, not necessarily 4000-4003.
- Open range 4000-4003 tcp and udp in iptables. This you can do
manually, but it can be done from system-config-firewall very easily and intuitively.
- Open port 111 (portmapper) and 2049 (nfs) as well.
Done.
Now, from any client (which should be running the automounter (autofs) by default), you should be able to
cd /net/nfsserver/exported/partition
I have all this up and running, and it's pretty cool to watch video that resides on my main pc (nfs server) on my big hdtv, via nfs and a wireless laptop that sits on top of my tv.
EXCELLENT! This is the same thing I've been struggling with and you've nailed a solution for me.
This one goes in my log book.
This naturally leads me to the next question. What kind of a more "hands off" solution can be arrived at so the less technically oriented can configure NFS on their network? The randomness of the ports seems to be a gotcha if you want to use a firewall without customizing it.
Thanks for the solution.
~~R
Charles Curley wrote:
On Tue, Jan 01, 2008 at 12:25:05PM +1030, Tim wrote:
Something has bugged me for ages about trying to use NFS between machines on the LAN.
That's nearly right, I think you found the same howto I did a while ago.
It's true that the ports used by NFS and associated services tend to float and need to be fixed.
The correct, ootb way to do it I think I've already mentioned on this list, and Amadeus W.M. has the right way for RHEL and its kin.
Tim, I think that the "open NFS" checkbox should lock these ports. I don't use the standard firewall tools; if it doesn't do that, then perhaps you could bz it? It's a fair expectation that "allow access to my NFS server" means do all things necessary to "allow access to my NFS server."
I have been watching this one for just this reason. Thanks, this seems to explain some issues I was having with a file server I was attempting to access. I settled for samba in the end, though it nags at me to "settle" for anything. I will have to try this when I find a spare moment.
Happy New Year,
-Max

--- "Amadeus W.M." amadeus84@verizon.net wrote:
The difficulty with nfs is that it uses a few auxiliary rpc services, which by default get started on a random port. These random ports must be open in the firewall, but because they are random, the iptables has no idea what they might be.
The cure is to force these services to ALWAYS start on pre-assigned ports, and open these ports in the firewall.
To this end, on the nfs server
- Create a file /etc/sysconfig/nfs with the following contents:
RQUOTAD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
STATD_PORT=4003
The nfs config file already exists, but it's full of comments. Erase everything and put these lines in, or just edit the appropriate lines in the existing file. You can choose any ports available, not necessarily 4000-4003.
- Open range 4000-4003 tcp and udp in iptables. This you can do
manually, but it can be done from system-config-firewall very easily and intuitively.
- Open port 111 (portmapper) and 2049 (nfs) as well.
Done.
Now, from any client (which should be running the automounter (autofs) by default), you should be able to
cd /net/nfsserver/exported/partition
I have all this up and running, and it's pretty cool to watch video that resides on my main pc (nfs server) on my big hdtv, via nfs and a wireless laptop that sits on top of my tv.
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list