Re: Firewall and nfs mounts
On Wednesday 26 August 2009 19:41:02 Todd Denniston wrote:
> Anne Wilson wrote, On 12/23/-28158 02:59 PM:
>> On Tuesday 25 August 2009 00:16:28 Ed Greshko wrote:
>>> Anne Wilson wrote:
>>>> On Monday 24 August 2009 15:44:20 Bill McGonigle wrote:
>>>>> On 08/24/2009 08:15 AM, Anne Wilson wrote:
>>>>>> What ports are necessarily opened on an nfs server? Does the
>>>>>> client need any ports opened?
>>>>>
>>>>> If you can limit yourself to NFSv4 you're much better off in this
>>>>> department. I have this on an NFSv4 server:
>>>>>
>>>>> # NFS
>>>>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source 192.168.1.32/27 --dport 2049 -j ACCEPT
>>>>>
>>>>> and nothing on a working client other than the standard:
>>>>>
>>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>>
>>>> Thanks. That's something to work on. Although I have had a working
>>>> firewall in the past, I'm not really familiar with iptables setup.
>>>> Since a gui tool was provided I expected it to do the necessary
>>>> (this is system-config-securitylevels on CentOS) but it doesn't. I
>>>> used shorewall to set up my firewall long ago, and I'm beginning to
>>>> think I might be better off seeing if there's a package for CentOS.
>>>> Gui tools seem nice, but I don't like the fact that they rarely
>>>> tell you what they are and aren't doing.
>>>
>>> When it comes to a shorewall package for CentOS or RHEL you can
>>> enable the EPEL repository https://fedoraproject.org/wiki/EPEL
>>
>> Thanks, Ed. I should be able to get to that tomorrow. The thing is
>> that I only want nfs across the lan. The router would stop any
>> external attempts to use nfs mounting, so it seems to me that
>> trusting the local zone might be all that's needed. I think that is
>> straightforward, IIRC, in shorewall.
>>
>> Anne
>
> Anne,
> If you are using NFS V2/3 instead of 4 (TCP) then the following might
> be as useful to you as it was to me. :)
> http://kbase.redhat.com/faq/docs/DOC-3259

Hi, Todd. No, I'm using NFS4. I'm getting some off-list help, so it
won't be immediate, but I have hopes of finding where the problem lies
and dealing with it.

> Of course if you had time/inclination you would be using something
> other than the 1-10005 range where everyone will now be looking for
> your NFS, if they could only find a way to get past your router. :)

:-) I'll bear that in mind, once I have the thing working. At the
moment, with the firewall enabled, even I can't reach my home
directory, so I'm not exactly worried about others doing so :-)

Anne
--
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature? Add it to UserBase

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: Firewall and nfs mounts
On Tuesday 25 August 2009 19:27:38 Bill Davidsen wrote:
> Anne Wilson wrote:
>> On Tuesday 25 August 2009 00:16:28 Ed Greshko wrote:
>>> Anne Wilson wrote:
>>>> On Monday 24 August 2009 15:44:20 Bill McGonigle wrote:
>>>>> On 08/24/2009 08:15 AM, Anne Wilson wrote:
>>>>>> What ports are necessarily opened on an nfs server? Does the
>>>>>> client need any ports opened?
>>>>>
>>>>> If you can limit yourself to NFSv4 you're much better off in this
>>>>> department. I have this on an NFSv4 server:
>>>>>
>>>>> # NFS
>>>>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source 192.168.1.32/27 --dport 2049 -j ACCEPT
>>>>>
>>>>> and nothing on a working client other than the standard:
>>>>>
>>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>>
>>>> Thanks. That's something to work on. Although I have had a working
>>>> firewall in the past, I'm not really familiar with iptables setup.
>>>> Since a gui tool was provided I expected it to do the necessary
>>>> (this is system-config-securitylevels on CentOS) but it doesn't. I
>>>> used shorewall to set up my firewall long ago, and I'm beginning to
>>>> think I might be better off seeing if there's a package for CentOS.
>>>> Gui tools seem nice, but I don't like the fact that they rarely
>>>> tell you what they are and aren't doing.
>>>
>>> When it comes to a shorewall package for CentOS or RHEL you can
>>> enable the EPEL repository https://fedoraproject.org/wiki/EPEL
>>
>> Thanks, Ed. I should be able to get to that tomorrow. The thing is
>> that I only want nfs across the lan. The router would stop any
>> external attempts to use nfs mounting, so it seems to me that
>> trusting the local zone might be all that's needed. I think that is
>> straightforward, IIRC, in shorewall.
>
> For internal use the insecure option may be all you need. I export
> some things from various servers, attached is a little part of the
> process, a function to do the export by bind mounting directories into
> the /export space then exporting from there. That way any moves of the
> real location are hidden, clients always mount a short name.
>
> Note that this attachment has been cleansed a bit of addresses and
> comments, take as an example to test before use.

Thanks, Bill. I'll study it.

Anne
--
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature? Add it to UserBase
Re: Re: Firewall and nfs mounts
Anne Wilson wrote, On 12/23/-28158 02:59 PM:
> On Tuesday 25 August 2009 00:16:28 Ed Greshko wrote:
>> Anne Wilson wrote:
>>> On Monday 24 August 2009 15:44:20 Bill McGonigle wrote:
>>>> On 08/24/2009 08:15 AM, Anne Wilson wrote:
>>>>> What ports are necessarily opened on an nfs server? Does the
>>>>> client need any ports opened?
>>>>
>>>> If you can limit yourself to NFSv4 you're much better off in this
>>>> department. I have this on an NFSv4 server:
>>>>
>>>> # NFS
>>>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source 192.168.1.32/27 --dport 2049 -j ACCEPT
>>>>
>>>> and nothing on a working client other than the standard:
>>>>
>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>> Thanks. That's something to work on. Although I have had a working
>>> firewall in the past, I'm not really familiar with iptables setup.
>>> Since a gui tool was provided I expected it to do the necessary
>>> (this is system-config-securitylevels on CentOS) but it doesn't. I
>>> used shorewall to set up my firewall long ago, and I'm beginning to
>>> think I might be better off seeing if there's a package for CentOS.
>>> Gui tools seem nice, but I don't like the fact that they rarely
>>> tell you what they are and aren't doing.
>>
>> When it comes to a shorewall package for CentOS or RHEL you can
>> enable the EPEL repository https://fedoraproject.org/wiki/EPEL
>
> Thanks, Ed. I should be able to get to that tomorrow. The thing is
> that I only want nfs across the lan. The router would stop any
> external attempts to use nfs mounting, so it seems to me that
> trusting the local zone might be all that's needed. I think that is
> straightforward, IIRC, in shorewall.
>
> Anne

Anne,
If you are using NFS V2/3 instead of 4 (TCP) then the following might
be as useful to you as it was to me. :)
http://kbase.redhat.com/faq/docs/DOC-3259

Of course if you had time/inclination you would be using something
other than the 1-10005 range where everyone will now be looking for
your NFS, if they could only find a way to get past your router. :)

--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
Re: Firewall and nfs mounts
On Tuesday 25 August 2009 00:16:28 Ed Greshko wrote:
> Anne Wilson wrote:
>> On Monday 24 August 2009 15:44:20 Bill McGonigle wrote:
>>> On 08/24/2009 08:15 AM, Anne Wilson wrote:
>>>> What ports are necessarily opened on an nfs server? Does the
>>>> client need any ports opened?
>>>
>>> If you can limit yourself to NFSv4 you're much better off in this
>>> department. I have this on an NFSv4 server:
>>>
>>> # NFS
>>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source 192.168.1.32/27 --dport 2049 -j ACCEPT
>>>
>>> and nothing on a working client other than the standard:
>>>
>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> Thanks. That's something to work on. Although I have had a working
>> firewall in the past, I'm not really familiar with iptables setup.
>> Since a gui tool was provided I expected it to do the necessary
>> (this is system-config-securitylevels on CentOS) but it doesn't. I
>> used shorewall to set up my firewall long ago, and I'm beginning to
>> think I might be better off seeing if there's a package for CentOS.
>> Gui tools seem nice, but I don't like the fact that they rarely
>> tell you what they are and aren't doing.
>
> When it comes to a shorewall package for CentOS or RHEL you can
> enable the EPEL repository https://fedoraproject.org/wiki/EPEL

Thanks, Ed. I should be able to get to that tomorrow. The thing is
that I only want nfs across the lan. The router would stop any
external attempts to use nfs mounting, so it seems to me that
trusting the local zone might be all that's needed. I think that is
straightforward, IIRC, in shorewall.

Anne
--
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature? Add it to UserBase
Re: Firewall and nfs mounts
Anne Wilson wrote:
> On Tuesday 25 August 2009 00:16:28 Ed Greshko wrote:
>> Anne Wilson wrote:
>>> On Monday 24 August 2009 15:44:20 Bill McGonigle wrote:
>>>> On 08/24/2009 08:15 AM, Anne Wilson wrote:
>>>>> What ports are necessarily opened on an nfs server? Does the
>>>>> client need any ports opened?
>>>>
>>>> If you can limit yourself to NFSv4 you're much better off in this
>>>> department. I have this on an NFSv4 server:
>>>>
>>>> # NFS
>>>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source 192.168.1.32/27 --dport 2049 -j ACCEPT
>>>>
>>>> and nothing on a working client other than the standard:
>>>>
>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>> Thanks. That's something to work on. Although I have had a working
>>> firewall in the past, I'm not really familiar with iptables setup.
>>> Since a gui tool was provided I expected it to do the necessary
>>> (this is system-config-securitylevels on CentOS) but it doesn't. I
>>> used shorewall to set up my firewall long ago, and I'm beginning to
>>> think I might be better off seeing if there's a package for CentOS.
>>> Gui tools seem nice, but I don't like the fact that they rarely
>>> tell you what they are and aren't doing.
>>
>> When it comes to a shorewall package for CentOS or RHEL you can
>> enable the EPEL repository https://fedoraproject.org/wiki/EPEL
>
> Thanks, Ed. I should be able to get to that tomorrow. The thing is
> that I only want nfs across the lan. The router would stop any
> external attempts to use nfs mounting, so it seems to me that
> trusting the local zone might be all that's needed. I think that is
> straightforward, IIRC, in shorewall.

For internal use the insecure option may be all you need. I export
some things from various servers, attached is a little part of the
process, a function to do the export by bind mounting directories into
the /export space then exporting from there. That way any moves of the
real location are hidden, clients always mount a short name.

Note that this attachment has been cleansed a bit of addresses and
comments, take as an example to test before use.

--
Bill Davidsen david...@tmr.com
We have more to fear from the bungling of the incompetent than from
the machinations of the wicked. - from Slashdot

[Attachment: do_exports]

#!/bin/bash
# export the image of the CentOS-5.3 /var/cache/yum for updates
# $Id: do_exports 1.2 2009/05/04 13:48:31 root Stable root $

# ExPort <source-dir> <export-name> [export-options]
function ExPort() {
    local SourcePt=$1
    local MountPt=/exports/$2
    local ExpOptions=${3:-rw,insecure,no_root_squash}
    # see if the mount point exists
    [ -d "${MountPt}" ] || mkdir -p "${MountPt}" || return 2
    # bind mount the directory where you export it
    # this avoids changing the mount in all user machines
    if ! mount | grep -q "${MountPt}.*bind"; then
        mount -o bind "${SourcePt}" "${MountPt}" || return 2
    fi
    # now do the actual export
    exportfs -o "${ExpOptions}" "10.4.60.0/23:${MountPt}"
}

# unexport all, start over
exportfs -uav

# do the approved exports
# /var/cache/yum for all CentOS 5.3 machines
ExPort /mnt/tmp/backups/C53cache C53VCY
# /var/cache/yum for FC11
ExPort /mnt/tmp/workspace/FC11/VCY/ FC11VCY
# FC10 workspace
ExPort /mnt/tmp/10space tenspace
# in case the master copy of /common is down
# machines will try to use this one
ExPort /mnt/backups/common common ro,insecure
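A check to go with Bill's do_exports approach, written here as an added example and not part of his attachment: it reads /etc/exports-style lines (one client per line, assumed) and flags the options a reviewer would want justified before an export reaches anything beyond a trusted LAN: no_root_squash, insecure, and unrestricted client lists. The sample lines are constructed to mirror the exports his script creates.

```shell
#!/bin/sh
# Added example, not Bill's do_exports: audit export lines for options
# that widen NFS exposure. Input format is /etc/exports style, one
# client per line:  /exports/common  10.4.60.0/23(rw,insecure)

# audit_exports: read export lines on stdin; print "path client finding"
# for each problem found; return 1 if anything was flagged, else 0.
audit_exports() {
    rc=0
    while read -r path client rest; do
        case "$path" in ''|\#*) continue ;; esac      # blank or comment
        opts=${client#*\(}; opts=${opts%\)}           # text inside ( )
        client=${client%%\(*}                         # host part
        [ "$opts" = "$client" ] && opts=""            # no option list
        # An empty client, "*" or "*.domain" exports to every host that
        # can reach the server; inside a LAN that is every LAN machine.
        case "$client" in
            ''|'*'|'*.'*) echo "$path ${client:-*} unrestricted-client"; rc=1 ;;
        esac
        # no_root_squash lets root on a client act as root on the export;
        # insecure accepts requests from unprivileged (>1023) source ports,
        # so any local user on a client can speak NFS, not just root.
        for opt in no_root_squash insecure; do
            case ",$opts," in
                *,"$opt",*) echo "$path $client $opt"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample, mirroring the exports the thread's script creates.
SAMPLE='/exports/C53VCY 10.4.60.0/23(rw,insecure,no_root_squash)
/exports/common 10.4.60.0/23(ro,insecure)
/exports/home 192.168.1.32/27(rw,secure,root_squash)
/exports/pub *(ro)'

# Usage:  printf '%s\n' "$SAMPLE" | audit_exports
#   or    audit_exports < /etc/exports
```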
Firewall and nfs mounts
What ports are necessarily opened on an nfs server? Does the client
need any ports opened?

Thanks

Anne
--
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature? Add it to UserBase
Re: Firewall and nfs mounts
On 08/24/2009 08:15 AM, Anne Wilson wrote:
> What ports are necessarily opened on an nfs server? Does the client
> need any ports opened?

If you can limit yourself to NFSv4 you're much better off in this
department. I have this on an NFSv4 server:

# NFS
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source 192.168.1.32/27 --dport 2049 -j ACCEPT

and nothing on a working client other than the standard:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-Bill

--
Bill McGonigle, Owner
BFC Computing, LLC
http://bfccomputing.com/
Telephone: +1.603.448.4440
Email, IM, VOIP: b...@bfccomputing.com
VCard: http://bfccomputing.com/vcard/bill.vcf
Social networks: bill_mcgonigle/bill.mcgonigle
Re: Firewall and nfs mounts
On Monday 24 August 2009 15:44:20 Bill McGonigle wrote:
> On 08/24/2009 08:15 AM, Anne Wilson wrote:
>> What ports are necessarily opened on an nfs server? Does the client
>> need any ports opened?
>
> If you can limit yourself to NFSv4 you're much better off in this
> department. I have this on an NFSv4 server:
>
> # NFS
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source 192.168.1.32/27 --dport 2049 -j ACCEPT
>
> and nothing on a working client other than the standard:
>
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Thanks. That's something to work on. Although I have had a working
firewall in the past, I'm not really familiar with iptables setup.
Since a gui tool was provided I expected it to do the necessary (this
is system-config-securitylevels on CentOS) but it doesn't. I used
shorewall to set up my firewall long ago, and I'm beginning to think I
might be better off seeing if there's a package for CentOS. Gui tools
seem nice, but I don't like the fact that they rarely tell you what
they are and aren't doing.

Anne
--
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature? Add it to UserBase
Re: Firewall and nfs mounts
On Mon, 2009-08-24 at 16:21 +0100, Anne Wilson wrote:
> Since a gui tool was provided I expected it to do the necessary (this
> is system-config-securitylevels on CentOS) but it doesn't.

Yes, but it's only half the problem. You need to configure the NFS
server to be firewall friendly, too. It's not, by default. I don't see
any advantage in that, either. I would have thought, that by now,
Fedora's defaults would be for NFS to be configured to use NFS4, and
use fixed ports. The firewall offers a NFS4 prepared solution, but the
NFS server does not.

I like to use autofs, so that accessing /net/servername/exportname/path
automatically mounts and provides access. But for that to work, I've
either got to trust a large range of ports, trust ALL LAN traffic, or
reconfigure the NFS server. I can't put mounts in the fstab file,
because some computers aren't always part of the LAN.

--
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
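Bill McGonigle's one-rule NFSv4 firewall and the point in the reply above about pinning NFSv3 ports, as one added example written here (not code from any list member): it prints the server-side rules for a given LAN range, and for v3 refuses to emit anything until mountd, statd and lockd have fixed ports. It assumes the RHEL/Fedora /etc/sysconfig/nfs variable names (MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT) and reuses the CentOS chain name from the thread.

```shell
#!/bin/sh
# Added example for this thread; not code from any list member.
# Emit the iptables rules an NFS server needs for clients in one LAN range.
#   v4: one TCP port, 2049, carries everything (Bill McGonigle's rule).
#   v3: portmapper 111 and nfsd 2049 are fixed, but mountd, statd and lockd
#       pick random ports unless pinned in /etc/sysconfig/nfs (MOUNTD_PORT,
#       STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT), so the function refuses
#       to emit a v3 ruleset while any of those is unpinned: the only rule
#       that "works" for unpinned ports is opening a huge range.
# Chain name follows the thread's CentOS rule: RH-Firewall-1-INPUT.

nfs_rule() {  # nfs_rule <lan-cidr> <tcp|udp> <port>
    echo "-A RH-Firewall-1-INPUT -m state --state NEW -p $2 --source $1 --dport $3 -j ACCEPT"
}

pinned_port() {  # pinned_port <sysconfig-file> <VARNAME>; prints the value, fails if unset
    sed -n "s/^$2=//p" "$1" 2>/dev/null | tr -d '"' | grep -E '^[0-9]+$'
}

# nfs_firewall_rules <v3|v4> <lan-cidr> [sysconfig-file]
# Prints rules on stdout; returns 1 and prints nothing if v3 ports are unpinned.
nfs_firewall_rules() {
    ver=$1; lan=$2; cfg=${3:-/etc/sysconfig/nfs}
    case "$ver" in
    v4) nfs_rule "$lan" tcp 2049 ;;
    v3)
        mountd=$(pinned_port "$cfg" MOUNTD_PORT)  || return 1
        statd=$(pinned_port "$cfg" STATD_PORT)    || return 1
        ltcp=$(pinned_port "$cfg" LOCKD_TCPPORT)  || return 1
        ludp=$(pinned_port "$cfg" LOCKD_UDPPORT)  || return 1
        for p in 111 2049 "$mountd" "$statd"; do      # both transports
            nfs_rule "$lan" tcp "$p"; nfs_rule "$lan" udp "$p"
        done
        nfs_rule "$lan" tcp "$ltcp"; nfs_rule "$lan" udp "$ludp"
        ;;
    *) echo "unknown NFS version: $ver" >&2; return 2 ;;
    esac
}

# Usage:  nfs_firewall_rules v4 192.168.1.32/27
#         nfs_firewall_rules v3 10.4.60.0/23 /etc/sysconfig/nfs
```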
Re: Firewall and nfs mounts
Anne Wilson wrote:
> On Monday 24 August 2009 15:44:20 Bill McGonigle wrote:
>> On 08/24/2009 08:15 AM, Anne Wilson wrote:
>>> What ports are necessarily opened on an nfs server? Does the client
>>> need any ports opened?
>>
>> If you can limit yourself to NFSv4 you're much better off in this
>> department. I have this on an NFSv4 server:
>>
>> # NFS
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source 192.168.1.32/27 --dport 2049 -j ACCEPT
>>
>> and nothing on a working client other than the standard:
>>
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Thanks. That's something to work on. Although I have had a working
> firewall in the past, I'm not really familiar with iptables setup.
> Since a gui tool was provided I expected it to do the necessary (this
> is system-config-securitylevels on CentOS) but it doesn't. I used
> shorewall to set up my firewall long ago, and I'm beginning to think I
> might be better off seeing if there's a package for CentOS. Gui tools
> seem nice, but I don't like the fact that they rarely tell you what
> they are and aren't doing.

When it comes to a shorewall package for CentOS or RHEL you can enable
the EPEL repository https://fedoraproject.org/wiki/EPEL

Ed