Hi Lonnie!

> Actually we are still a small company and this particular job is for
> some friends, a research group at the university who has recently had
> problems, who will not listen to reason about the problems of
> port-forwarding services like NFS. With that in mind, I told them that I
> would help get them as secure as possible given their specific
> requirements.

Sorry, that's what I realized when I rethought about this (ie that it
must have been something not internal to your company...). BTW, I hope
these people are not in CS...

> Like many people in the academic arena, it will take getting hacked
> and attacked a few times before they realize that they should have
> listened to more well informed people in the past, like me, who has
> tried very hard to get them out of the current mentality of
> "patch-work" until the next problem.

If these weren't your friends I would almost be tempted to suggest that
you get this in writing that they prefer that solution over a more
secure one (after being informed of the security implications)....
(Some good ol' CUA...)

> So, being this, I will simply try to make the best out of what they
> have and will let get done.

The problem seems to be that NFS doesn't seem to be very firewall
friendly...

> These guys will learn with time I am sure.

For their sake I hope so... (and before they get seriously hacked)

> After making some changes to the firewall and setting up the
> port-forwarding for sunrpc and nfs on udp packets, I am no longer getting
> an RPC time out but now just:
> mount: RPC: Unable to receive; errno = Connection refused

This might seem like a dumb question (and sorry if you mentioned the
answer to this one before, I couldn't find it) but were they
communicating with each other before the firewall was installed?
Anything in the logs?

I haven't "played" with NFS recently but if I had that message I think
I would check if I got the appropriate/relevant entries in hosts.allow
& hosts.deny (ie lines for portmap, lockd, mountd, rquotad & statd).

[The text at the following URL might be useful in getting this right:
<http://www.smartcomputing.com/editorial/article.asp?article=articles%2F2001%2Fs1206%2F48s06web%2F48s06web%2Easp>]
(Sorry, this might be too long for the mailing list, you'll probably
have to cut & paste it...)

>
> on the client machine when I try to mount the directory.
>
> The client can be seen on the DNS as well as the server has the
> client IP in its hosts file.

I assumed here that you meant the hosts files and not the hosts.allow &
hosts.deny files, sorry if that was not the case...

>
> Any ideas from here?
>

BTW, did you try opening the ports mentioned in the messages I posted?
Apparently it's not easy getting them right but I do believe one of the
messages actually mentioned a way of finding them out (rpcinfo -p or
rpcinfo -p localhost).

I did see a mention at the following URL
<http://www.io.com/help/linux/NFS-HOWTO-5.html> (NFS and firewalls)
that it might be possible to change the ports used by NFS to some
specific ports but how this is done I unfortunately don't know
(sorry...).

Have a nice day & good luck!

Nick

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
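
The `rpcinfo -p` check suggested in the message above, as an added example that is not part of the original post: it reduces the listing to the NFS-related services and marks which ports were assigned by the portmapper, since those are the ones a static firewall or port-forwarding rule will miss. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the ports behind the RPC
# services NFS depends on. Reads `rpcinfo -p` output on stdin and prints
# one "service proto port kind" line per unique combination.

nfs_ports() {
    awk '
        # Data rows start with a numeric program number; the header does not.
        $1 ~ /^[0-9]+$/ && $5 ~ /^(portmapper|nfs|mountd|nlockmgr|status|rquotad)$/ {
            # 111 (portmapper) and 2049 (nfs) are well-known ports. Anything
            # else was handed out by the portmapper and can differ after the
            # daemons restart, so a fixed firewall rule will not follow it.
            kind = ($4 == 111 || $4 == 2049) ? "fixed" : "dynamic"
            key = $5 " " $3 " " $4 " " kind
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    ' | sort
}

# Number of dynamic entries, i.e. rules to re-check after every restart.
count_dynamic() {
    nfs_ports | grep -c ' dynamic$'
}

# Constructed sample of `rpcinfo -p` output (not taken from the thread).
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100005    1   udp  32770  mountd
    100005    1   tcp  32770  mountd
    100011    1   udp    785  rquotad
EOF
}

# On the NFS server itself:  rpcinfo -p | nfs_ports
sample_rpcinfo | nfs_ports
```

In the listing, `status` and `nlockmgr` are the RPC names under which statd and lockd register.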
