Hello,
I am running an NFS server on a Debian machine for a set of scientific
instruments that understand only NFS (so please do not tell me that NFS is
insecure - I already know that and realize that there is no option here).
I have gone through the following document, modifying things
(in /etc/services, modules.conf - yes I did use update-modules), etc.:
http://www.tldp.org/HOWTO/NFS-HOWTO/security.html
rpcinfo -p yields:
$ rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 4000 status
100024 1 tcp 4000 status
100003 2 udp 2049 nfs
100003 2 tcp 2049 nfs
100005 1 udp 4002 mountd
100005 2 udp 4002 mountd
100005 1 tcp 4002 mountd
100005 2 tcp 4002 mountd
All these ports are open on my firewall (both ways - I am using guarddog for
firewall). Yet, I see blocked packets in my syslog:
/var/log/syslog:Sep 28 16:51:56 labmonkey kernel: DROPPED IN=eth0 OUT=
MAC=<> SRC=<> DST=<> LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=37 PROTO=ICMP
TYPE=8 CODE=0 ID=31488 SEQ=4
"<>" = obfuscated IP and Mac addresses.
I then allowed ICMP requests (a highly risky thing to do). Yet, the clients
complain that they cannot mount the NFS share. When I drop the firewall
entirely, they can, so the underlying NFS server setup is all right. The
problem is the firewall.
Now, how do I whitelist a client (by IP address) using iptables so that it
can connect to any damn port it pleases etc. (as if the firewall did not
exist for that particular host)? With BSD's pf, this is very easy to do,
but I have never been particularly comfortable with the relatively arcane
syntax of iptables. Hence the question.
Is it possible to integrate whatever modification you suggest with guarddog
(for obvious reasons, I do not want multiple programs / methods messing
with the same firewall - that is chaos).
Thanks.
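As an added example (not part of the original post or of guarddog), the script below generates the iptables rules for the situation described above: it takes the ports rpcinfo -p reported (111, 2049, 4000 and 4002, TCP and UDP) and the interface from the syslog line (eth0), and admits a single client to exactly those ports plus ICMP echo, instead of exempting the host from the firewall entirely. The blanket rule the poster asked for is included for comparison; the DRY_RUN variable and the client address 192.0.2.10 are assumptions of this example, and the commands are printed rather than executed so they can be reviewed or pasted into guarddog's local-rules hook.

```shell
#!/bin/sh
# Added example, not from the original post: emit iptables rules that admit
# one NFS client to the ports rpcinfo -p listed, rather than to every port.
set -eu

# Ports taken from the poster's rpcinfo -p output. Both TCP and UDP are
# needed: mountd and statd registered on both, and NFSv2/v3 may use either.
NFS_PORTS="111 2049 4000 4002"

# Print (default, DRY_RUN=1) or run (DRY_RUN=0) a single iptables command.
# DRY_RUN is an assumed variable of this example; applying rules needs root.
emit() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# gen_blanket_rule CLIENT_IP [IFACE]
# What the poster asked for: the host bypasses the firewall completely.
# Every service on the server, NFS or not, becomes reachable from CLIENT_IP.
gen_blanket_rule() {
    emit -I INPUT -i "${2:-eth0}" -s "$1" -j ACCEPT
}

# gen_nfs_rules CLIENT_IP [IFACE]
# Least-privilege alternative: only the RPC/NFS ports, plus the ICMP
# echo-request (TYPE=8) the syslog line showed being dropped, from this
# one client, rather than opening ICMP to everyone.
gen_nfs_rules() {
    client="$1"
    iface="${2:-eth0}"
    for p in $NFS_PORTS; do
        for proto in tcp udp; do
            emit -A INPUT -i "$iface" -s "$client" -p "$proto" --dport "$p" -j ACCEPT
        done
    done
    # Later packets of flows this client already opened (conntrack).
    emit -A INPUT -i "$iface" -s "$client" -m state --state ESTABLISHED,RELATED -j ACCEPT
    emit -A INPUT -i "$iface" -s "$client" -p icmp --icmp-type echo-request -j ACCEPT
}

# Number of rules gen_nfs_rules produces (4 ports x 2 protocols + 2).
count_nfs_rules() {
    gen_nfs_rules "$@" | wc -l | tr -d ' '
}

gen_nfs_rules "${1:-192.0.2.10}"
```

Run it as `sh nfs-rules.sh <client-ip>` to review the rules; the generated lines are plain iptables commands, so they can be added once through whatever mechanism guarddog uses for custom rules rather than by hand alongside it.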