Hi,
I find this really curious. I'm not real sure what causes this problem, but I thought someone else might have encountered this.

Let's say I have a machine "prod" that runs shorewall (1 IP 1 interface (eth0)) using the Quick Start guides. I open the ports to let NFS traffic go thru, just as described in www.shorewall.net. So, prod is the NFS server.

Now when I try to mount an NFS exported dir from another machine, mount will fail (RPC time out). In the /var/log/messages of prod, I find this:

Feb 18 11:18:14 prod kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:04:75:ab:e7:26:00:10:dc:27:e3:d7:08:00 SRC=160.36.28.203 DST=<prod_ip> LEN=172 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=659 DPT=942 LEN=152

I'm curious why my "mount" command even tries to access port 942. But if I do 'shorewall stop' and 'shorewall clear' first, and then mount the NFS export from another machine, and then bring shorewall up with 'shorewall start', everything is OK. NFS traffic can go thru fine.

So why does the mount command try to use different ports than what's specified? Is this the OS problem (prod is a Redhat Enterprise 3, while the other is a RH 7.3)? I vaguely remember that the DPT is not always the same, which even makes this weirder.

RDB
--
Reuben D. Budiardja
Department of Physics and Astronomy
The University of Tennessee, Knoxville, TN
---------------------------------------------------------
"To be a nemesis, you have to actively try to destroy something, don't you? Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." - Linus Torvalds -
On Wednesday 18 February 2004 09:57 am, Reuben D. Budiardja wrote:
> Hi,
> I find this really curious. I'm not real sure what causes this problem, but
> I thought someone else might have encountered this.
> Let's say I have a machine "prod" that runs shorewall (1 IP 1 interface
> (eth0)) using the Quick Start guides. I open the ports to let NFS traffics
> go thru, just as described in www.shorewall.net.

You should have read the disclaimer there -- those rules worked for me going between RH9 systems and don't work in general. To keep future readers from overlooking this same disclaimer, I've replaced those rules with other rules that will work for everyone.

http://shorewall.net/ports.htm

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Wednesday 18 February 2004 10:51 am, Reuben D. Budiardja wrote:
> On Wednesday 18 February 2004 01:24 pm, Tom Eastep wrote:
> > On Wednesday 18 February 2004 09:57 am, Reuben D. Budiardja wrote:
> > > Hi,
> > > I find this really curious. I'm not real sure what causes this problem,
> > > but I thought someone else might have encountered this.
> > > Let's say I have a machine "prod" that runs shorewall (1 IP 1 interface
> > > (eth0)) using the Quick Start guides. I open the ports to let NFS
> > > traffics go thru, just as described in www.shorewall.net.
> >
> > You should have read the disclaimer there -- those rules worked for me
> > going between RH9 systems and don't work in general.
>
> I've read the disclaimer, but wasn't really thinking why it wouldn't work
> (lack of understanding I guess). So are you saying that it's the nature of
> NFS basically to use "random" udp port?

It is the nature of RPC to use "random" ports (assigned via portmap). NFS is an example of an RPC-based application.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
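The log line in the first post and Tom's explanation that RPC services sit on portmap-assigned ports are two halves of the same diagnosis. The following parser is an added example written for this thread; it is not code from the list or from the Shorewall project. It splits a Shorewall "net2all:DROP" line into its netfilter fields and flags a drop whose destination port is not one of the statically opened NFS ports (the set {111, 2049} is an assumption standing in for whatever a static rule set lists), which is exactly the pattern that points at a dynamically assigned RPC port such as 942. The sample line is constructed from the post, with the redacted destination replaced by a documentation address.

```python
import re
from typing import Optional

# Constructed sample input: the net2all DROP line from the original post,
# with the redacted DST replaced by an RFC 5737 documentation address.
SAMPLE_LOG = (
    "Feb 18 11:18:14 prod kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:04:75:ab:e7:26:00:10:dc:27:e3:d7:08:00 SRC=160.36.28.203 "
    "DST=192.0.2.10 LEN=172 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
    "SPT=659 DPT=942 LEN=152"
)

# Assumption for this example: the static NFS rules open portmap (111) and
# nfsd (2049) only.  Any other port an NFS client reaches was handed out
# dynamically by portmap to an auxiliary RPC service.
STATIC_NFS_PORTS = {111, 2049}

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by
# the kernel's netfilter key=value fields.
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$"
)


def parse_shorewall_log(line: str) -> Optional[dict]:
    """Split one Shorewall log line into its netfilter fields.

    Returns None for lines that do not carry the Shorewall prefix.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)  # "OUT=" yields an empty value
            # LEN appears twice: IP total length first, then the UDP/TCP length.
            if key in rec:
                key = key + "_L4"
            rec[key] = val
        else:
            rec["flags"].append(tok)  # bare tokens such as DF
    return rec


def is_dynamic_rpc_port_drop(rec: Optional[dict]) -> bool:
    """True when a DROP hit a port outside the statically opened NFS ports.

    This is the signature of the problem in the thread: the client reached a
    port that portmap assigned to an RPC service (942 in the post), and no
    static rule lists it.
    """
    if rec is None or rec["disposition"] != "DROP" or "DPT" not in rec:
        return False
    return int(rec["DPT"]) not in STATIC_NFS_PORTS


def summarize(line: str) -> str:
    """One-line summary for scanning /var/log/messages by hand or script."""
    rec = parse_shorewall_log(line)
    if rec is None:
        return "not a Shorewall log line"
    verdict = (
        "dynamic RPC port, not covered by static rules"
        if is_dynamic_rpc_port_drop(rec)
        else "statically opened port"
    )
    return "{} in {}: {} {}:{} -> {}:{} ({})".format(
        rec["disposition"], rec["chain"], rec.get("PROTO", "?"),
        rec.get("SRC", "?"), rec.get("SPT", "?"),
        rec.get("DST", "?"), rec.get("DPT", "?"), verdict,
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running it on the constructed line reports the drop as a dynamic RPC port. The general remedy, which the thread does not spell out but which follows from Tom's point, is not to open whatever port appeared in the log (it will differ after the next portmap registration) but to pin the auxiliary NFS daemons to fixed ports and open those, as the rules page Tom links to describes.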
On Wednesday 18 February 2004 01:24 pm, Tom Eastep wrote:
> On Wednesday 18 February 2004 09:57 am, Reuben D. Budiardja wrote:
> > Hi,
> > I find this really curious. I'm not real sure what causes this problem,
> > but I thought someone else might have encountered this.
> > Let's say I have a machine "prod" that runs shorewall (1 IP 1 interface
> > (eth0)) using the Quick Start guides. I open the ports to let NFS
> > traffics go thru, just as described in www.shorewall.net.
>
> You should have read the disclaimer there -- those rules worked for me
> going between RH9 systems and don't work in general.

I've read the disclaimer, but wasn't really thinking why it wouldn't work (lack of understanding I guess). So are you saying that it's the nature of NFS basically to use a "random" udp port?

Thanks for the reply.

RDB
--
Reuben D. Budiardja
Department of Physics and Astronomy
The University of Tennessee, Knoxville, TN
---------------------------------------------------------
"To be a nemesis, you have to actively try to destroy something, don't you? Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." - Linus Torvalds -
On Wednesday 18 February 2004 01:49 pm, Tom Eastep wrote:
> On Wednesday 18 February 2004 10:51 am, Reuben D. Budiardja wrote:
> > On Wednesday 18 February 2004 01:24 pm, Tom Eastep wrote:
> > > On Wednesday 18 February 2004 09:57 am, Reuben D. Budiardja wrote:
> > > > Hi,
> > > > I find this really curious. I'm not real sure what causes this
> > > > problem, but I thought someone else might have encountered this.
> > > > Let's say I have a machine "prod" that runs shorewall (1 IP 1
> > > > interface (eth0)) using the Quick Start guides. I open the ports to
> > > > let NFS traffics go thru, just as described in www.shorewall.net.
> > >
> > > You should have read the disclaimer there -- those rules worked for me
> > > going between RH9 systems and don't work in general.
> >
> > I've read the disclaimer, but wasn't really thinking why it wouldn't work
> > (lack of understanding I guess). So are you saying that it's the nature
> > of NFS basically to use "random" udp port?
>
> It is the nature of RPC to use "random" ports (assigned via portmap). NFS
> is an example of an RPC-based application.

Okay. Thanks for the enlightenment :)

RDB
--
Reuben D. Budiardja
Department of Physics and Astronomy
The University of Tennessee, Knoxville, TN
---------------------------------------------------------
"To be a nemesis, you have to actively try to destroy something, don't you? Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." - Linus Torvalds -
On Wednesday 18 February 2004 11:03 am, Reuben D. Budiardja wrote:
> > It is the nature of RPC to use "random" ports (assigned via portmap). NFS
> > is an example of an RPC-based application.
>
> Okay. Thanks for the enlightenment :)

You're welcome.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net