Dr. Michael J. Chudobiak | 2 Sep 2005 14:08

Re: NFS connection dropped

Kimmo,

 > allowed. Which one is the _real_ reason for dropping the connection
 > cannot be extracted from the log message - this makes error-tracking a
 > little bit tricky...

Yes, for sure. However, Guarddog is just a GUI editor for iptables. 
iptables is responsible for the log format. I don't think the iptables 
log format is user-adjustable.

 >> STATD_PORT=4001
 >> LOCKD_TCPPORT=4002
 >> LOCKD_UDPPORT=4002
 >> MOUNTD_PORT=4003
 >
 > This makes the nfs and mountd ports static instead of being
 > dynamically set, right?

Yes. Actually, beware that the "/etc/sysconfig/nfs" file might be Red 
Hat specific. Check that your nfs daemon init script actually reads this 
file. It might not in Suse.

 > But, in my /etc/services the nfs (tcp/udp) is connected to 2049, mountd
 > to 763 and the following lines exist, too:
 > terabase        4000/tcp   # Terabase
...
 > pxc-roid        4004/udp   # pxc-roid
 >
 > Do I see a problem here??


Simon Edwards | 3 Sep 2005 13:16

Re: NFS connection dropped

Hello,

On Friday 02 September 2005 14:08, Dr. Michael J. Chudobiak wrote:
> So... ideally the developer would modify GD to become aware of and open 
> portmap-assigned ports for enabled services. Whether that's actually 
> possible, I have no idea! But it would be an extremely useful feature...

It gets very tricky very quickly. You can look up the allocated port numbers 
on the machine that is running Guarddog, but that doesn't really work when 
you want to connect (as a client) to a remote NFS share (= need the port 
numbers for the remote machine). And it doesn't work when Guarddog is on a 
gateway machine and NFS is just passing through Guarddog. In that case you 
need to know the port numbers for the NFS servers on either side of the 
gateway. Very ugly. NFS was put together before firewalls were a concern, 
which is why it sucks so much. The only remotely practical solution is to pin 
down the port numbers on all of your NFS machines.

cheers,

-- 
Simon Edwards             | Guarddog Firewall
simon <at> simonzone.com       | http://www.simonzone.com/software/
Nijmegen, The Netherlands | "ZooTV? You made the right choice."

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
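As an added example (not part of the thread, and not Guarddog code), a shell check for the pinning step Simon describes: it compares the ports set in /etc/sysconfig/nfs with what `rpcinfo -p` reports as registered, so you can confirm the init script honoured the file before opening those ports in the firewall. The `check_pinned_ports` function and the sample data are constructed here; only the sysconfig variable names come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check that the NFS helper ports pinned in
# /etc/sysconfig/nfs are the ones actually registered with the portmapper, so the
# firewall rules you open for them match reality. Args: sysconfig file, saved
# "rpcinfo -p" output (columns: program vers proto port service).
check_pinned_ports() {
    sysconfig=$1; rpcinfo_out=$2; rc=0
    for spec in STATD_PORT:status: LOCKD_TCPPORT:nlockmgr:tcp \
                LOCKD_UDPPORT:nlockmgr:udp MOUNTD_PORT:mountd:; do
        var=${spec%%:*}; rest=${spec#*:}; svc=${rest%%:*}; proto=${rest#*:}
        # Last assignment in the file wins; strip surrounding quotes.
        want=$(sed -n "s/^[[:space:]]*$var=//p" "$sysconfig" | tail -n 1 | tr -d "\"'")
        if [ -z "$want" ]; then
            echo "$var: not set in $sysconfig"; rc=1; continue
        fi
        got=$(awk -v s="$svc" -v p="$proto" \
              '$5 == s && (p == "" || $3 == p) { print $4 }' "$rpcinfo_out" | sort -u)
        # Unregistered, or registered on anything but the pinned port, is a problem.
        for actual in ${got:-unregistered}; do
            [ "$actual" = "$want" ] ||
                { echo "$var $svc/${proto:-any}: expected $want, got $actual"; rc=1; }
        done
    done
    return $rc
}

# Constructed sample data (not a real capture): the init script honoured the file
# except that mountd over TCP still took a dynamic port, which the check flags.
demo() {
    cfg=$(mktemp); rpc=$(mktemp)
    printf 'STATD_PORT=4001\nLOCKD_TCPPORT=4002\nLOCKD_UDPPORT=4002\nMOUNTD_PORT=4003\n' > "$cfg"
    cat > "$rpc" <<'EOF'
   program vers proto   port
    100024    1   udp   4001  status
    100024    1   tcp   4001  status
    100021    1   udp   4002  nlockmgr
    100021    1   tcp   4002  nlockmgr
    100005    1   udp   4003  mountd
    100005    1   tcp  32767  mountd
EOF
    status=0; check_pinned_ports "$cfg" "$rpc" || status=$?
    rm -f "$cfg" "$rpc"
    return $status
}
if demo; then echo "all pinned ports registered: safe to open them in Guarddog"; else
    echo "fix the init script before opening the firewall"; fi
```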

Dr. Michael J. Chudobiak | 5 Sep 2005 21:29

Re: NFS connection dropped

> It gets very tricky very quickly. You can look up the allocated port numbers 
> on the machine that is running Guarddog, but that doesn't really work when 
> you want to connect (as a client) to a remote NFS share (= need the port 
> numbers for the remote machine). And it doesn't work when Guarddog is on a 
> gateway machine and NFS is just passing through Guarddog. In that case you 
> need to know the port numbers for the NFS servers on either side of the 
> gateway. Very ugly. NFS was put together before firewalls were a concern, 
> which is why it sucks so much. The only remotely practical solution is to pin 
> down the port numbers on all of your NFS machines.

Simon,

Thanks for the explanation. It is a messy situation!

Perhaps the "protocol help" text could be updated for NIS and NFS to 
mention that additional ports need to be pinned and manually defined and 
opened before NIS and NFS will actually work with GD. That will save 
some grief for users in the future! It takes a lot of debugging to 
figure this out on your own :-(

- Mike

