Hello All,

> I have been trying, with no luck so far to mount a directory from a
> machine that I have behind the Eigerstein LRP to a client machine
> outside the firewall.

Considering that, AFAIK, NFS has a very bad reputation security-wise I kinda think that this is a very bad idea (TM) (-; but if you still want to do it I think reading the following messages <http://www.geocrawler.com/archives/3/90/1999/2/0/350356/> and <http://www.esker.fr/itspublic/Documents/20000804044B.htm> might be useful to you.

Apparently (& as far as I'm concerned fortunately) NFS doesn't appear to be very firewall friendly (it's apparently the "port mapper" which listens at port 111 tcp & udp (apparently, BTW, the name of this service is sunrpc/portmap) which hands out the port addresses which will be used...)

> I have opened a udp port 2049 which is supposed to be for nfs, but
> still I cannot seem to mount the server directory even though I can
> mount the server directory to other machines that are also inside the
> firewall.

According to the list of "well known port numbers" (http://www.iana.org/assignments/port-numbers), and to the messages I posted the URL to previously, you would have to open this in udp also (and as I believe Ray suggested probably to port forward them too...) BTW, I do believe that they are usually opened by default...

> Actually because of the nature of our setup here, we have 2 machines
> that need to allow for nfs mounting and although my personal thoughts
> are that they too should be behind the firewall completely,
> unfortunately I do not get the last word in this.

(-; (-; (-; If the President/CEO doesn't get the last word on this, who does? (I confess, I paid a visit to your website... (rackmounted servers/firewall, nice... (-; ). (-; (-; (-;

Couldn't you establish a VPN tunnel between them instead, wouldn't that work better & be more secure?

> Opening port 2049 means that I have added this rule to the
> ipfilter.conf file.
>
> $IPMASQADM portfw -a -P udp -L $EXTERN_IP 2040 -R 192.168.1.16 2049

BTW, this is probably a typo that got there when you retyped that line but you've got port 2040 (instead of 2049) on the extern interface...

If you do open these ports I would highly suggest that you open them only for the IP addresses of the other pc/server as some of these ports (especially 111) are regularly probed by people wanting to get into your pc...

Good luck!

Nicolas Riendeau

PS: Please forgive my English as it is not my mother tongue. Thanks!

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
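The three points the reply makes (the external/internal port slip in the portfw line, the portmapper on 111 tcp and udp that NFS mounts depend on, and opening the ports only to the peer's IP address) can be checked mechanically before a rule file goes live. The following Python linter is an added example, not code from the message or from the LEAF/LRP project. It assumes a constructed rule fragment in the `$IPMASQADM portfw` form quoted above plus `$IPCHAINS -A input ... -j ACCEPT` lines in assumed ipchains syntax; the sample addresses and the `SAMPLE_RULES` text are invented for the demonstration.

```python
"""Lint an LRP-style firewall fragment for the NFS-exposure problems raised
in the message: a port-forward whose external and internal ports disagree,
NFS/portmap ports accepted from any source, and nfsd (2049) forwarded without
the portmapper (111 tcp+udp) that hands out the other RPC ports."""
import re
from ipaddress import ip_network

# Constructed sample (not from any real ipfilter.conf). Line 1 reproduces the
# 2040/2049 slip from the message; line 4 accepts NFS from anywhere. The
# ipchains lines use an assumed "-s SRC -d DST PORT -j ACCEPT" syntax.
SAMPLE_RULES = """\
$IPMASQADM portfw -a -P udp -L $EXTERN_IP 2040 -R 192.168.1.16 2049
$IPMASQADM portfw -a -P udp -L $EXTERN_IP 111 -R 192.168.1.16 111
$IPMASQADM portfw -a -P tcp -L $EXTERN_IP 111 -R 192.168.1.16 111
$IPCHAINS -A input -p udp -d $EXTERN_IP 2049 -j ACCEPT
$IPCHAINS -A input -p udp -s 203.0.113.7 -d $EXTERN_IP 111 -j ACCEPT
$IPCHAINS -A input -p tcp -s 203.0.113.7 -d $EXTERN_IP 111 -j ACCEPT
"""

# Ports the message discusses: portmapper (tcp and udp) and nfsd (udp).
NFS_PORTS = {111: "sunrpc/portmap", 2049: "nfs"}
# What a working NFS mount through the firewall needs besides nfsd itself.
PORTMAP_NEEDED = [("udp", 111), ("tcp", 111)]

PORTFW_RE = re.compile(
    r"portfw\s+-a\s+-P\s+(?P<proto>tcp|udp)\s+-L\s+(?P<ext>\S+)\s+(?P<lport>\d+)"
    r"\s+-R\s+(?P<int>\S+)\s+(?P<rport>\d+)"
)
INPUT_RE = re.compile(
    r"-A\s+input\s+-p\s+(?P<proto>tcp|udp)(?:\s+-s\s+(?P<src>\S+))?"
    r"\s+-d\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+-j\s+(?P<target>\S+)"
)


def _source_is_single_host(src):
    """True when the -s argument pins the rule to exactly one address.
    A shell variable ($VAR) cannot be evaluated here and is treated as pinned."""
    if src.startswith("$"):
        return True
    return ip_network(src, strict=False).num_addresses == 1


def lint_rules(text):
    """Return a list of (line_no, finding) tuples; line 0 marks a whole-file
    finding (a dependency missing from the rule set)."""
    findings = []
    forwarded = set()  # (proto, internal port) pairs that reach the NFS host
    for no, line in enumerate(text.splitlines(), 1):
        m = PORTFW_RE.search(line)
        if m:
            lport, rport = int(m["lport"]), int(m["rport"])
            forwarded.add((m["proto"], rport))
            if lport != rport:
                findings.append((no, f"portfw external port {lport} differs "
                                     f"from internal port {rport}"))
            continue
        m = INPUT_RE.search(line)
        if not m or m["target"].upper() != "ACCEPT":
            continue
        port = int(m["dport"])
        if port not in NFS_PORTS:
            continue
        if m["src"] is None or not _source_is_single_host(m["src"]):
            findings.append((no, f"{NFS_PORTS[port]} ({m['proto']}/{port}) "
                                 f"accepted from more than one host; restrict "
                                 f"with -s <client-ip>"))
    # nfsd forwarded but the portmapper it depends on is not: mounts will fail.
    if ("udp", 2049) in forwarded:
        for proto, port in PORTMAP_NEEDED:
            if (proto, port) not in forwarded:
                findings.append((0, f"nfs forwarded but {NFS_PORTS[port]} "
                                    f"({proto}/{port}) is not"))
    return findings


if __name__ == "__main__":
    for no, text in lint_rules(SAMPLE_RULES):
        print(f"line {no}: {text}")
```

Run against the sample it reports the 2040/2049 mismatch on line 1 and the any-source ACCEPT on line 4; a file that forwards only udp/2049 gets two whole-file findings for the missing portmapper entries. The regexes are deliberately narrow to the two rule forms shown, so a line in another form is simply skipped rather than misread.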
