Hello,

First let me say how much I appreciate Shorewall. I just downloaded shorewall-1.3.14.tgz, built and installed it without error, and had it working with only minimal fiddling with the config files.

I'm having trouble getting NFS to work with Shorewall. I followed the info on the "Ports required for Various Services/Applications" page but I couldn't get it to work. I have an NFS server running on the same machine as my Internet connection (details below) so I wondered if that was the problem. After much experimenting I added this to the 'policy' file:

    loc     fw      ACCEPT

And now my NFS share mounts and works just fine! Is that additional entry to the 'policy' file the 'design intended' way to implement this or was this just a fluke on my part? If there is another, better way to do it I'd appreciate the advice.

Thanks,
Bill

(Below is some additional information on my setup.)

My configuration is fairly simple. I have 2 networked computers running Linux 2.4.19. Computer #1 is connected to the Internet via dialup (ppp0). It has eth0 statically configured as 192.168.0.1 and has dhcpd running to provide an IP to the second computer (overkill, I know, but it's a test configuration). Computer #1 also runs as an NFS server to share files with Computer #2. Before installing Shorewall I had hand-configured iptables to give me basic masquerading so that Computer #2 could access the Internet. All of that worked fine. From Computer #2 I could get a dynamic IP address, I could mount and access the NFS share, and I could run various web clients. I installed Shorewall in order to firewall my network because I'll be replacing the dial-up connection with a cable modem connection in the near future.
Here is my Shorewall configuration (before adding the additional policy entry described above):

zones:
    net     Net     Internet
    loc     Local   Local networks

interfaces:
    net     ppp0    -       routefilter,norfc1918
    loc     eth0    detect  routestopped

masq:
    ppp0    eth0

rules:
    ACCEPT  fw      net                 tcp     53
    ACCEPT  fw      net                 udp     53
    ACCEPT  loc     fw                  tcp     22
    ACCEPT  loc     fw:192.168.0.1      udp     111
    ACCEPT  loc     fw:192.168.0.1      udp     2049
    ACCEPT  loc     fw:192.168.0.1      udp     32700:

routestopped:
    eth0    -

I started Shorewall and my web clients run just fine. But my NFS share doesn't work. I get this:

    /# mount 192.168.0.1:/ /mnt/nfs
    mount: RPC: Unable to receive; errno = Connection refused

It's interesting that when I stop Shorewall then my NFS connection works (I presume because of the setting in routestopped), but now my web clients don't work because the masquerading has been turned off.
--On Tuesday, February 25, 2003 12:51:50 PM +0000 William Trenker <wdtrenker@yahoo.ca> wrote:

> I started Shorewall and my web clients run just fine. But my NFS share
> doesn't work. I get this:
>
> /# mount 192.168.0.1:/ /mnt/nfs
> mount: RPC: Unable to receive; errno = Connection refused

What did Shorewall log when you did this?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
--On Tuesday, February 25, 2003 12:51:50 PM +0000 William Trenker <wdtrenker@yahoo.ca> wrote:

> Is that additional entry to the 'policy' file the 'design intended' way
> to implement this or was this just a fluke on my part? If there is
> another, better way to do it I'd appreciate the advice.

It's ok provided that you have complete trust in everyone in the 'loc' zone.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
On Tue, 25 Feb 2003 13:55:22 -0800 Tom Eastep <teastep@shorewall.net> wrote:

> What did Shorewall log when you did this?

Excellent question. An inspection of the log showed that the initial NFS request from the client on port 111 was NOT udp but tcp. It turns out, on my system, that port 111 has to be enabled for tcp in addition to udp to make NFS happy.

But that wasn't enough. I also found that I needed to enable udp access on port 2049. Finally, in my case anyway, I don't need to have access to ports 32700: for NFS to work.

So, in summary, on my system the '/etc/shorewall/rules' entries for NFS are:

    ACCEPT  loc     fw      udp     111
    ACCEPT  loc     fw      tcp     111
    ACCEPT  loc     fw      udp     1024
    ACCEPT  loc     fw      udp     2049

Thanks for your help.
Bill
--On Tuesday, February 25, 2003 03:43:11 PM +0000 William Trenker <wdtrenker@yahoo.ca> wrote:

> On Tue, 25 Feb 2003 13:55:22 -0800
> Tom Eastep <teastep@shorewall.net> wrote:
>>
>> What did Shorewall log when you did this?
>>
>
> Excellent question. An inspection of the log showed that the initial NFS
> request from the client on port 111 was NOT udp but tcp. It turns out,
> on my system, that port 111 has to be enabled for tcp in addition to udp
> to make NFS happy.
>
> But that wasn't enough. I also found that I needed to enable udp access
> on port 2049. Finally, in my case anyway, I don't need to have access to
> ports 32700: for NFS to work.
>
> So, in summary, on my system the '/etc/shorewall/rules' entries for NFS
> are:
>
> ACCEPT loc fw udp 111
> ACCEPT loc fw tcp 111
> ACCEPT loc fw udp 1024
> ACCEPT loc fw udp 2049

Ah -- the reason that you need tcp 111 is that you are using NFS locking which I do not. I probably should add that to the documentation. I think you're going to find though that you will need the high ports. Once you have mounted, what does your "shorewall show connections" indicate for UDP connections between the two boxes?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
--On Tuesday, February 25, 2003 03:58:12 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Tuesday, February 25, 2003 03:43:11 PM +0000 William Trenker
> <wdtrenker@yahoo.ca> wrote:
>
>> On Tue, 25 Feb 2003 13:55:22 -0800
>> Tom Eastep <teastep@shorewall.net> wrote:
>>>
>>> What did Shorewall log when you did this?
>>>
>>
>> Excellent question. An inspection of the log showed that the initial NFS
>> request from the client on port 111 was NOT udp but tcp. It turns out,
>> on my system, that port 111 has to be enabled for tcp in addition to udp
>> to make NFS happy.
>>
>> But that wasn't enough. I also found that I needed to enable udp access
>> on port 2049. Finally, in my case anyway, I don't need to have access to
>> ports 32700: for NFS to work.
>>
>> So, in summary, on my system the '/etc/shorewall/rules' entries for NFS
>> are:
>>
>> ACCEPT loc fw udp 111
>> ACCEPT loc fw tcp 111
>> ACCEPT loc fw udp 1024
>> ACCEPT loc fw udp 2049
>>

I think that you'll find that I had already documented UDP 2049 -- what you added was 1024. I think that's probably because the local port range on your client system starts at 1024 whereas it starts in the 37000 range on mine -- the next time that you mount, the port will almost certainly be different. IIRC, you are running Linux on the client so you can see what the local port range is via "cat /proc/sys/net/ipv4/ip_local_port_range".

There is an RPC connection tracking patch in Netfilter patch-o-matic. I tried an earlier version and it sucked but possibly it has improved; it's been in patch-o-matic for a long while.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
--On Tuesday, February 25, 2003 04:22:01 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> IIRC, you are running Linux on the client so you can see
> what the local port range is via "cat
> /proc/sys/net/ipv4/ip_local_port_range".

Sorry -- I meant "server" in the above sentence.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
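Tom's point in the thread is that the udp 1024 entry only worked because that happened to be the port the portmapper handed an RPC daemon on the server that day; mountd, lockd and statd get a port from the server's local range at startup, so the number changes between reboots. Rather than guessing a port or opening a whole range, the server can be asked which ports its RPC services actually registered and the loc->fw rules generated from that. The POSIX shell script below is an added example, not code from the thread or from the Shorewall project; it embeds a constructed sample of `rpcinfo -p` output (the high port numbers in it are made up) so that it runs offline, and on a real server you would pipe the live `rpcinfo -p` into the function instead. The zone names loc and fw are the thread's.

```sh
#!/bin/sh
# Added example, not from the thread: turn the portmapper's registered
# services into Shorewall 'rules' entries for loc -> fw.  Constructed sample
# of `rpcinfo -p` output; the ports above 1023 are invented for the demo.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp  32771  mountd
    100005    1   tcp  32771  mountd
    100021    1   udp  32772  nlockmgr
    100024    1   udp  32773  status'

# Read rpcinfo -p text on stdin and print one rules entry per distinct
# (protocol, port) pair.  The header line is skipped because its port
# column is not numeric; several NFS versions on one port collapse to one
# entry.  The trailing '# service' is a Shorewall comment so the reason
# for each entry survives in /etc/shorewall/rules.
rpc_to_shorewall_rules() {
    awk '$4 ~ /^[0-9]+$/ { print $3, $4, $5 }' \
    | sort -u \
    | awk '{ printf "ACCEPT\tloc\tfw\t%s\t%s\t# %s\n", $1, $2, $3 }'
}

# Number of entries generated for a given rpcinfo text (sanity check
# before the output is appended to the rules file).
rule_count() {
    printf '%s\n' "$1" | rpc_to_shorewall_rules | wc -l | tr -d ' '
}

# Stand-alone run: on the real server replace the sample with `rpcinfo -p`.
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_to_shorewall_rules
```

Review the output before appending it to /etc/shorewall/rules: it opens every registered RPC service to the loc zone, so drop entries for services the clients do not use (the thread's working rule set, for instance, needed no mountd tcp entry). The assignments are only as stable as the daemons' startup order, so unless mountd, lockd and statd are started with fixed ports the script has to be rerun after the NFS services restart, and `shorewall show connections` after a mount, as Tom suggests, confirms which ports are really in use.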