I'm trying to mount an NFS share from the firewall and not having much luck.
On my 'loc' zone machine, NFS is set up and I think working fine.
# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 1088 status
100024 1 tcp 1127 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 1125 nlockmgr
100021 3 udp 1125 nlockmgr
100021 4 udp 1125 nlockmgr
100005 1 udp 1126 mountd
100005 1 tcp 1222 mountd
100005 2 udp 1126 mountd
100005 2 tcp 1222 mountd
100005 3 udp 1126 mountd
100005 3 tcp 1222 mountd
On the firewall I do the following:
# mount -v -t nfs dhcp010:/mnt/share2fw
mount: RPC: Unable to send; errno = Operation not permitted
The Shorewall log shows:
May 28 22:40:40 all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.1 DST=192.168.1.10 LEN=156 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=778 DPT=1126 LEN=136
My question is how do I know what port mountd is listening on the NFS server (it changes as the service is started/stopped, and is assigned by the RPC portmapper) to know in advance which connections to allow from the firewall (NFS client) to the NFS server?
In the above case it's 1126. It will be different after a reboot or start/stop of the NFS service.
I really am not enthused about opening all ports over 1024 from the FW to the host.
Can Shorewall help here, or am I just fighting the inevitable?
Here's my policy file (which denies traffic from $FW to loc in general):
loc net ACCEPT
net all DROP info 10/sec:40
all all REJECT info
Here's my rules file:
# Local Network to Internet
# Globally allowed by policy
# Reject attempts by trojans to call home
REJECT:info loc net tcp ircd
#
# Local Network to Firewall
# Globally rejected by policy
ACCEPT loc $FW tcp ssh
ACCEPT loc $FW tcp time,domain,ntp
ACCEPT loc $FW tcp cvspserver,snmp,traceroute
ACCEPT loc $FW udp time,domain,ntp
ACCEPT loc $FW udp cvspserver,snmp,traceroute
ACCEPT loc $FW tcp webmin
#
# Internet to Local
# Globally rejected by policy
# Next lines allow ICQ chat and transfers
ACCEPT net loc tcp auth
ACCEPT net loc tcp 4000:4100
# Allow RealMedia (post-G2) Streaming Media
ACCEPT net loc udp 6970
# Allow BitTorrent
ACCEPT net loc tcp 6969
ACCEPT net loc tcp 6881:6889
#
REJECT net loc icmp echo-request
REJECT net loc tcp www,https
#
# Internet to Firewall
ACCEPT net $FW tcp ssh
ACCEPT net $FW tcp domain
ACCEPT net $FW udp domain
# Allow A.B.C.D to ping us
ACCEPT net $FW:A.B.C.D icmp echo-request
REJECT net $FW icmp echo-request
# Just to avoid logging these clowns
DROP net $FW tcp ms-sql-s
DROP net $FW udp ms-sql-m
DROP net $FW tcp smtp
DROP net $FW tcp ftp
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Firewall to Local
# Globally rejected by policy
ACCEPT $FW loc tcp ssh
ACCEPT $FW loc icmp echo-request
ACCEPT $FW loc tcp nfs,sunrpc
ACCEPT $FW loc udp nfs,sunrpc
#
# Firewall to Internet
#ACCEPT $FW net:$NTPSERVER udp ntp
ACCEPT $FW net tcp time,ntp,domain
ACCEPT $FW net udp time,ntp,domain
ACCEPT $FW net tcp cvspserver
ACCEPT $FW net udp cvspserver
ACCEPT $FW net tcp www,https
ACCEPT $FW net tcp ssh
ACCEPT $FW net tcp whois
ACCEPT $FW net icmp echo-request
ACCEPT $FW net udp traceroute
ACCEPT $FW net tcp ftp
#
##############################################################################
# The following compensates for a bug, either in some FTP clients or in the
# Netfilter connection tracking code that occasionally denies active mode
# FTP clients.
ACCEPT:info loc net tcp 1024: ftp-data
# LOC ---
DROP net loc tcp nfs,printer,sunrpc
DROP net loc udp nfs,printer,sunrpc
DROP net loc tcp xfs
DROP net loc tcp x11:6009
Mike808/
---------------------------------------------
http://www.valuenet.net
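As an added example (not part of the post, and not Shorewall's own tooling), the POSIX shell script below parses the rpcinfo -p output quoted above, embedded here as a constructed sample, and turns the portmapper-assigned mountd, nlockmgr and status ports into $FW -> loc lines in the same column order the rules file above uses. A live run would feed it `rpcinfo -p dhcp010` instead of the sample; the service names and column layout are taken from the post.

```shell
#!/bin/sh
# Added example (not from the post): derive Shorewall $FW -> loc rules for the
# RPC services whose ports the portmapper assigns dynamically.

# Constructed sample: the "rpcinfo -p" output quoted in the post. A live run
# would replace it with the output of: rpcinfo -p dhcp010
RPCINFO_SAMPLE='program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 1088 status
100024 1 tcp 1127 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 1125 nlockmgr
100021 3 udp 1125 nlockmgr
100021 4 udp 1125 nlockmgr
100005 1 udp 1126 mountd
100005 1 tcp 1222 mountd
100005 2 udp 1126 mountd
100005 2 tcp 1222 mountd
100005 3 udp 1126 mountd
100005 3 tcp 1222 mountd'

# rpc_ports RPCINFO_OUTPUT SERVICE
# Prints "proto port" pairs for SERVICE, one per line, deduplicated: several
# protocol versions (mountd v1-v3 above) register on the same port.
rpc_ports() {
    printf '%s\n' "$1" | awk -v svc="$2" '$5 == svc { print $3, $4 }' | sort -u
}

# shorewall_rules RPCINFO_OUTPUT SERVICE...
# Emits one ACCEPT line per (proto, port) in the rules-file column order
# ACTION SOURCE DEST PROTO DEST_PORT used in the post, for $FW -> loc.
shorewall_rules() {
    info="$1"
    shift
    for svc in "$@"; do
        rpc_ports "$info" "$svc" | while read -r proto port; do
            printf 'ACCEPT\t$FW\tloc\t%s\t%s\t# %s, from rpcinfo\n' \
                "$proto" "$port" "$svc"
        done
    done
}

# nfs (2049) and sunrpc (111) are fixed and already allowed in the rules file;
# only the portmapper-assigned services need generated rules.
shorewall_rules "$RPCINFO_SAMPLE" mountd nlockmgr status
```

The generated lines are only valid until the NFS server next restarts, which is exactly the problem the post raises; the usual way out is to pin mountd to a fixed port (nfs-utils' rpc.mountd takes a -p option for this) so a static rule can be written instead.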