Hi all,

I'm trying to configure my firewall in order to be able to mount a
remote NFS exported directory.

AFAIK I must open port 111 tcp/udp (portmap). rpcinfo confirms it:

# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper

Well, so I set the following rules in my firewall:
-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j LOG --log-prefix "NFS (tcp) Input: " --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j LOG --log-prefix "NFS (udp) Input: " --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j ACCEPT

And restart my firewall.
(I use the same rules for other ports: ssh, smtp...)

Well, I'm not able to mount the directory, and I see this in the logs:

UDP privileged ports DROP:IN=eth0 OUT= MAC=00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 SRC=193.146.196.234 DST=193.146.196.198 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP SPT=111 DPT=822 LEN=36

and this log line comes from the following rules:

-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j LOG --log-prefix "UDP privileged ports DROP:" --log-level 7
-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j REJECT

which are at the bottom of all the rules...

I don't understand what happens, because I can telnet to port 111 and get a
response. And I have portmap on that port:

#netstat -putan |grep 111
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 10028/portmap
udp 0 0 0.0.0.0:111 0.0.0.0:* 10028/portmap

I do the mount:

lx-arnau ~ # mount -t nfs hostname:/export/media /mnt/musica/
mount: RPC: Program not registered

Got the error... but:

lx-arnau ~ # netstat -putan |grep 111
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 10028/portmap
tcp 0 0 my_IP:60394 nfs_server:111 TIME_WAIT -
udp 0 0 0.0.0.0:111 0.0.0.0:* 10028/portmap

...

If I disable the firewall, I can mount with no problem...
What am I missing?

Thanks in advance.

--
Arnau Bria
http://blog.emergetux.net
"Flanders, praying is no use: I just did it myself, and we can't both win"
~Homer J. Simpson~

--
gentoo-user@g.o mailing list
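Added example, not part of the post above: a small evaluator that walks the INPUT rules quoted in the message, in chain order, against the datagram the LOG rule recorded (sent from port 111 on 193.146.196.234 to port 822 on the firewalled host). It assumes that no rule between the port-111 ACCEPTs and the final privileged-port LOG/REJECT pair can match this traffic, so only the quoted rules are modelled; the walk shows why a reply aimed at DPT=822 never reaches the --dport 111 rules and ends at the REJECT.

```python
import re

# Constructed copy of the INPUT rules quoted in the post, in chain order.
# Assumption: nothing between the port-111 ACCEPTs and the final
# privileged-port LOG/REJECT pair matches this traffic, so it is left out.
RULES = [
    "-A INPUT -d 193.146.196.198 -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT",
    "-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 111 -j ACCEPT",
    '-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j LOG '
    '--log-prefix "UDP privileged ports DROP:" --log-level 7',
    "-A INPUT -d 193.146.196.198 -i eth0 -p udp -m udp --dport 0:1023 -j REJECT",
]

# The dropped datagram exactly as the LOG rule recorded it in the post.
LOG_LINE = (
    "UDP privileged ports DROP:IN=eth0 OUT= "
    "MAC=00:11:11:20:6e:81:00:16:35:0a:a8:b6:08:00 SRC=193.146.196.234 "
    "DST=193.146.196.198 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=57 DF PROTO=UDP "
    "SPT=111 DPT=822 LEN=36"
)

def parse_log(line):
    """Turn an iptables LOG line into the packet fields the rules match on."""
    f = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    return {"in": f["IN"], "dst": f["DST"], "proto": f["PROTO"].lower(),
            "spt": int(f["SPT"]), "dpt": int(f["DPT"])}

def opt(rule, flag):
    """Value following a single-valued option such as '-p' or '--dport'."""
    m = re.search(rf"(?:^| ){re.escape(flag)} (\S+)", rule)
    return m.group(1) if m else None

def parse_rule(rule):
    lo, _, hi = opt(rule, "--dport").partition(":")   # "111" or "0:1023"
    return {"in": opt(rule, "-i"), "dst": opt(rule, "-d"), "proto": opt(rule, "-p"),
            "dport": (int(lo), int(hi or lo)), "target": opt(rule, "-j")}

def matches(rule, pkt):
    """Stateless match on interface, destination, protocol and dport range."""
    lo, hi = rule["dport"]
    return (rule["in"] == pkt["in"] and rule["dst"] == pkt["dst"]
            and rule["proto"] == pkt["proto"] and lo <= pkt["dpt"] <= hi)

def trace(rules, pkt):
    """Walk the chain in order; LOG is non-terminating, other targets end it."""
    hits = []
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            hits.append(rule["target"])
            if rule["target"] != "LOG":
                return hits, rule["target"]
    return hits, "POLICY"  # fell off the end: the chain's default policy decides

def verdict(dpt, proto="udp"):
    """Verdict for the logged datagram with its destination port/proto changed."""
    return trace(RULES, dict(parse_log(LOG_LINE), dpt=dpt, proto=proto))[1]
```

Running `trace(RULES, parse_log(LOG_LINE))` yields `(['LOG', 'REJECT'], 'REJECT')`, while `verdict(111)` yields `ACCEPT`: the ACCEPT rules match only the destination port, so a datagram from port 111 to port 822 is judged by the privileged-port catch-all instead.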