[Novalug] nfs server
Jon LaBadie
novalugml at jgcomp.com
Tue Mar 9 14:05:25 EST 2010
On Tue, Mar 09, 2010 at 01:08:45PM -0500, Peter Larsen wrote:
> Sorry - I must have missed your mail this weekend.
>
> NFS on Fedora 8 (I think) and above uses random ports to bind NFS with
> by default. This does increase security but makes making firewall rules
> quite tough. You'll most likely find that "rpcinfo" fails from a remote
> machine to your fedora box, which would be your firewall blocking.
> Also, when you say NFS - what version? If you don't specify you're using
> a pretty old version 1 - you should go with at least version 3 (4 if
> you're brave) to increase performance and security.
>
> In regards to the port dynamics, it's fairly simple to fix.
> Edit /etc/sysconfig/nfs and uncomment the settings for specific ports of
> your choosing. Then open those ports in IPTables. To test, do "rpcinfo
> -p <hostname>" from a remote box. It should return the port list that
> listens on fedora. If that works, you can mount NFS on the box. Be sure
> to specify nfs_vers=3,rsize=32768,wsize=32768 at a very minimum when you
> mount.
>
> If you're still are having problems, just update the thread.
/etc/sysconfig/nfs was fully commented. I tried uncommenting MOUNTD_NFS_V2
and V2 and setting them to "yes", though that is the default. Restarted
rpcbind and nfs. No change.
rpcinfo -p <fedorasystem> from remote system hangs, eventual rpc timeout.
rpcinfo -p localhost on Fedora shows:
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  55969  mountd
    100005    1   tcp  37327  mountd
    100005    2   udp  55969  mountd
    100005    2   tcp  37327  mountd
    100005    3   udp  55969  mountd
    100005    3   tcp  37327  mountd
showmount -e <fedorasystem> from remote host hangs.
showmount -e localhost on fedora shows:
Export list for mums:
/home/jon 127.0.0.1,192.168.1.1/24
iptables -L on fedora shows:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         state NEW udp dpt:mdns
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ipp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-is-bridged
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Hope you see something in these data,
Jon
>
> --
>
> Best Regards
> Peter Larsen
>
> Wise words of the day:
> The linuX Files -- The Source is Out There.
> -- Sent in by Craig S. Bell, goat at aracnet.com
>
>
> On Tue, 2010-03-09 at 12:53 -0500, Jon LaBadie wrote:
>
> > I asked about this over the weekend and I'm hoping the
> > lack of replies was due to people skipping over it.
> >
> > I have several systems at home that are acting fine
> > as NFS servers and clients. But one, a Fedora 9 system,
> > works fine only as an NFS client.
> >
> > As a server the Fedora system can mount exported shares
> > back to itself (localhost), so it seems the server is up
> > and running. But remote systems get no response and
> > nothing is recorded in /var/log/messages on the Fedora server.
> >
> > I'm confident /etc/exports is set up suitably. And if not,
> > I'd expect access or permission error messages to be logged.
> >
> > SELINUX was set to permissive and nfs was an allowed activity.
> > But I've disabled SELINUX anyway (and rebooted) with no effect
> > on NFS.
> >
> > According to nmap, the NFS port (2049) is open for tcp traffic.
> >
> > The portmap service (rpcbind) is running and to liberalize
> > access I've set /etc/hosts.allow to ALL: ALL: ALLOW. It was
> > empty. hosts.deny is empty.
> >
> >
> > I'm at a loss as to why remote NFS mount requests don't seem
> > to make it to the NFS daemon. Any ideas?
> >
> > jon
>
>
--
Jon H. LaBadie jon at jgcomp.com
JG Computing
12027 Creekbend Drive (703) 787-0884
Reston, VA 20194 (703) 787-0922 (fax)
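Peter's advice boils down to one check: every port that rpcinfo -p reports for portmapper, nfs and mountd (on both tcp and udp) must have a matching ACCEPT rule in the INPUT chain, and the mountd ports move on every restart unless they are pinned in /etc/sysconfig/nfs. The script below is an added example, not code from either poster: it parses rpcinfo -p output and the output of iptables -L INPUT -n (the -n flag prints numeric ports instead of service names such as dpt:nfs, which is what the parser expects) and lists the RPC listeners that no port-specific ACCEPT rule covers. The two sample listings embedded in it are constructed from the outputs quoted in this thread, trimmed to a few lines; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): report RPC listeners that the
# iptables INPUT chain does not explicitly accept.

# Constructed sample: a trimmed "rpcinfo -p localhost" listing as quoted above.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   udp  55969  mountd
    100005    3   tcp  37327  mountd'

# Constructed sample: what "iptables -L INPUT -n" prints for a few of the
# rules quoted above (numeric ports, because of -n).
IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2049
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# rpc_listeners: stdin = rpcinfo -p output; stdout = unique "proto port service"
# lines (the version column is dropped, since the firewall only sees ports).
rpc_listeners() {
    awk 'NR > 1 && NF == 5 {
        key = $3 " " $4 " " $5
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# accepted_ports: stdin = "iptables -L INPUT -n" output; stdout = "proto port"
# for every ACCEPT rule that names a destination port. Rules with prot "all"
# carry no port and are ignored; "iptables -L" without -v also hides the
# interface, so a bare "ACCEPT all" rule (typically the loopback rule, an
# assumption here) says nothing about what remote hosts may reach.
accepted_ports() {
    awk '$1 == "ACCEPT" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $2 " " $i }
    }'
}

# unreachable_rpc: $1 = rpcinfo text, $2 = iptables text.
# Prints one "proto port service" line per RPC listener with no matching rule.
unreachable_rpc() {
    accepted=$(printf '%s\n' "$2" | accepted_ports)
    printf '%s\n' "$1" | rpc_listeners | while read -r proto port svc; do
        if ! printf '%s\n' "$accepted" | grep -qx "$proto $port"; then
            echo "$proto $port $svc"
        fi
    done
}

# Run against the constructed samples. On a live server, use instead:
#   unreachable_rpc "$(rpcinfo -p localhost)" "$(iptables -L INPUT -n)"
unreachable_rpc "$RPCINFO_SAMPLE" "$IPTABLES_SAMPLE"
```

Against the samples this prints portmapper on tcp and udp 111, nfs on udp 2049, and both mountd ports, which is exactly the set a remote rpcinfo -p or showmount -e needs before it can get past the firewall. Pin the mountd port in /etc/sysconfig/nfs as Peter describes before adding rules, otherwise the ports this script reports will differ after the next restart of the nfs service.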