Hi Nicolas,

I think, after much thought, that I will opt to try to explain to them the security problems of using NFS over the firewall and try to use another solution instead.
Thanks for all of the help to you and everyone on the list who always seems to try to answer most of my seemingly dumb questions.

Cheers,
Lonnie

> Hi Lonnie!
>
> > Actually we are still a small company and this particular job
> > is for some friends, a research group at the university who has
> > recently had problems, who will not listen to reason about the
> > problems of port-forwarding services like NFS. With that in
> > mind, I told them that I would help get them as secure as
> > possible given their specific
> > requirements.
>
> Sorry, that's what I realized when I rethought about this (ie
> that it must have been something not internal to your
> company...).
>
> BTW, I hope these people are not in CS...
>
> > Like many people in the academic arena, it will take getting
> > hacked and attacked a few times before they realize that they
> > should have listened to more well informed people in the past,
> > like me, who has tried very hard to get them out of the current
> > mentality of "patch-work" until the next problem.
>
> If these weren't your friends I would almost be tempted to
> suggest that you get this in writing that they prefer that
> solution over a more secure one (after being informed of the
> security implications).... (Some good ol' CUA...)
>
> > So, being this, I will simply try to make the best out of what
> > they have and will let get done.
>
> The problem seems to be that NFS doesn't seem to be very firewall
> friendly...
>
> > These guys will learn with time I am sure.
>
> For their sake I hope so... (and before they get seriously
> hacked)
>
>> After making some changes to the firewall and setting up the
>> port-forwarding for sunrpc and nfs on udp packets, I am no
>> longer getting an RPC time out but now just:
>
> mount: RPC: Unable to receive; errno = Connection refused
>
> This might seem like a dumb question (and sorry if you mentioned
> the answer to this one before, I couldn't find it) but were they
> communicating with each other before the firewall was installed?
>
> Anything in the logs?
>
> I haven't "played" with NFS recently but if I had that message I
> think I would check if I got the appropriate/relevant entries in
> hosts.allow & hosts.deny (ie lines for portmap, lockd, mountd,
> rquotad & statd).
>
> [The text at the following URL might be useful in getting this
> right:
> <http://www.smartcomputing.com/editorial/article.asp?article=articles%2F2001%2Fs1206%2F48s06web%2F48s06web%2Easp>]
>
> (Sorry, this might be too long for the mailing list, you'll
> probably have to cut & paste it...)
>
>>
>> on the client machine when I try to mount the directory.
>>
>> The client can be seen on the DNS as well as the server has
>> the client IP in its hosts file.
>
> I assumed here that you meant the hosts files and not the
> hosts.allow & hosts.deny file, sorry if that was not the case...
>
>>
>> Any ideas from here?
>>
>
> BTW, did you try opening the ports mentioned in the messages I
> posted? Apparently it's not easy getting them right but I do
> believe one of the messages actually mentioned a way of finding
> them out (rpcinfo -p or rpcinfo -p localhost)
>
> I did see a mention at the following URL
> <http://www.io.com/help/linux/NFS-HOWTO-5.html> (NFS and
> firewalls) that it might be possible to change the ports used by
> NFS to some specific ports but how this is done I unfortunately
> don't know (sorry...).
>
> Have a nice day & good luck!
>
> Nick
>
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user

--
Lonnie Cumberland
OutStep Technologies Incorporated
(313) 832-7366
URL: http://www.outstep.com
EMAIL: [EMAIL PROTECTED] : [EMAIL PROTECTED]
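
The `rpcinfo -p` check suggested in the quoted reply, as an added example that is not part of the original messages: it parses `rpcinfo -p` output and lists every registered RPC endpoint that a firewall forwarding only sunrpc and nfs over UDP (the setup described above) does not cover. The sample output, the port numbers in it and the function names are constructed for illustration.

```python
# Added example; SAMPLE_RPCINFO is constructed, not output from the thread.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100005    1   udp  32770  mountd
    100005    1   tcp  32771  mountd
"""

# What the thread says was forwarded: sunrpc (111) and nfs (2049), UDP only.
FORWARDED = {("udp", 111), ("udp", 2049)}


def parse_rpcinfo(text):
    """Return {(proto, port): service} from `rpcinfo -p` output."""
    endpoints = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and blank lines; data rows start with a program number.
        if len(fields) < 4 or not fields[0].isdigit() or not fields[3].isdigit():
            continue
        prog, _vers, proto, port = fields[:4]
        # The service column is empty for programs rpcinfo cannot name.
        service = fields[4] if len(fields) > 4 else f"prog-{prog}"
        endpoints[(proto, int(port))] = service
    return endpoints


def unforwarded(endpoints, forwarded):
    """Registered endpoints that the forwarding rules do not cover."""
    return sorted((proto, port, svc)
                  for (proto, port), svc in endpoints.items()
                  if (proto, port) not in forwarded)


if __name__ == "__main__":
    for proto, port, svc in unforwarded(parse_rpcinfo(SAMPLE_RPCINFO), FORWARDED):
        print(f"{svc:<12} {proto}/{port} is registered but not forwarded")
```

On a real server, the text passed to `parse_rpcinfo` would be the captured output of `rpcinfo -p`; ports for mountd, status and nlockmgr are normally assigned at start-up, so the result can differ after each restart.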
