interesting nfs/ipchains bug

From: Seth Vidal (skvidal@phy.duke.edu)
Date: Wed Jun 07 2000 - 17:35:51 EST


Hi all,
 I've been trying to secure a host as an nfs client and I'm running into
some issues.

I want host a: 192.168.0.1 to be able to mount an nfs export from host b
192.168.0.2

but I want host a to be fairly secure. (ignore host b's ipchains right now
- it doesn't have any just yet :)

so host b is wide open.

I export the share and before I turn on ipchains I can mount and ls and
have no problems with the export.

then I turn on ipchains - I allow connections from 2049, 111, 1024, and the
necessary lower ports for nfsd (more or less I allow 111->1024 and 2049
udp from the server)

so I umount and mount the export again - no problem.
I ls in the top dir a-ok.
I do an ls -R and I get two or 3 dirs deep and it hangs.

I know it's not nis/name services b/c I'm not using anything other than
local name services and my nsswitch.conf is very sensible.

so I check the logs (b/c I'm logging all denied connections via ipchains)
and I see that packets from 65535 udp from the server to the client are
being rejected repetitively.
so I stop the ls -R and I open up port 65535 udp both directions and I
flush and reload my ipchains.

I do another ls -R and I get the same problem.
but more importantly I get ipchains reporting rejected packets on 65535 udp
from the server to the client.

While ipchains is logging reporting the rejected packets I notice that the
client believes that the nfs server is not responding.

so I do some more checking.
I open up ports 0->65535 udp from the server and everything works. So I
start narrowing the range. I explicitly allow 65535 and I allow 0->45000
and it hangs on the ls -R AND I'm still getting reports in my logs that
port 65535 udp is blocked.
so I setup multiple chain rules and I log ALL of them.

the rules allow ports 0->15000 then the next rule allows ports
15001->30000 etc etc until I have the entire range covered. In this
configuration - where I have EVERY port open but in multiple chains it
still fails and reports 65535 udp being rejected.
no other ports reported as rejected.

I've checked and rechecked my ipchains I believe they are ok. Right now
I'm just wondering if I've encountered a bug in nfs or in ipchains.

I'm on kernel 2.2.14 from redhat 6.2 (release 12)
I've got nfs-utils 0.1.7 and ipchains 1.3.9
and I'm open to suggestions.
I can work around the problem by opening up the client ENTIRELY to the nfs
server but I shouldn't have to and I'd like to know why it's doing this.

I'm only subscribed to the digest version so please CC me any replies.

Thanks

-sv

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
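An added example, not part of Seth's post or of any project mentioned in it: a small Python parser for the kernel "Packet log:" lines that ipchains -l rules write to syslog (the post relies on exactly these to see the 65535 udp rejects). It tallies denied flows and then flags any that an intended allow list says should have passed, which is the contradiction the post describes. The log lines are constructed samples; the allow list (udp from 192.168.0.2 with source port 111-1024, 2049 or 65535) is an assumption modelled on the rules the post describes, and the trailing "(#rule)" field is treated as optional since not every kernel prints it.

```python
import re
from collections import Counter

# Constructed syslog samples in the ipchains "Packet log:" format
# (chain target iface PROTO=n src:sport dst:dport ... [(#rule)]).
SAMPLE_LOG = """\
Jun  7 17:20:01 hosta kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.2:65535 192.168.0.1:1023 L=128 S=0x00 I=0 F=0x0000 T=64 (#12)
Jun  7 17:20:01 hosta kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.2:65535 192.168.0.1:1023 L=128 S=0x00 I=0 F=0x0000 T=64 (#12)
Jun  7 17:20:02 hosta kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:4321 192.168.0.1:22 L=60 S=0x00 I=0 F=0x0000 T=48 (#12)
Jun  7 17:20:03 hosta kernel: Packet log: input ACCEPT eth0 PROTO=17 192.168.0.2:2049 192.168.0.1:800 L=1200 S=0x00 I=0 F=0x0000 T=64 (#3)
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:.*\(#(?P<rule>\d+)\))?")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Assumed allow list (modelled on the post): udp from the server, sport 111-1024, 2049 or 65535.
SERVER = "192.168.0.2"
ALLOWED_UDP_SPORTS = [(111, 1024), (2049, 2049), (65535, 65535)]

def parse_log(text):
    """Yield one dict per ipchains packet-log line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        e["proto"] = PROTO_NAMES.get(int(e["proto"]), e["proto"])
        yield e

def denied_flows(text):
    """Count DENY/REJECT entries per (proto, src, sport, dst, dport)."""
    counts = Counter()
    for e in parse_log(text):
        if e["target"] in ("DENY", "REJECT"):
            counts[(e["proto"], e["src"], e["sport"], e["dst"], e["dport"])] += 1
    return counts

def should_have_passed(flow):
    """True when the intended allow rules cover this flow's proto/src/sport."""
    proto, src, sport = flow[:3]
    return (proto == "udp" and src == SERVER
            and any(lo <= sport <= hi for lo, hi in ALLOWED_UDP_SPORTS))

def contradictions(text):
    """Denied flows that the intended allow list says should have passed."""
    return {f: n for f, n in denied_flows(text).items() if should_have_passed(f)}
```

Run against real syslog output, a non-empty result from contradictions() points at either a rule ordering problem (an earlier deny matching first) or, as in the post, something the rules do not explain, in which case the flow tuple tells you exactly which source port to chase.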



This archive was generated by hypermail 2b29 : Thu Jun 15 2000 - 21:00:14 EST