[CentOS] firewall issue

Ski Dawg centos at skidawg.org
Sun Oct 1 17:07:37 UTC 2006


On Sat, 2006-09-30 at 20:18 -0400, Jim Perrin wrote:
> > In the file /etc/sysconfig/iptables are the lines:
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
> >
> > and there are not any deny lines above these. I think those lines were
> > added when I ran system-config-securitylevel-tui. Those are the only
> > lines that I can find that mention port 2049 or nfs.
> These lines accept NEW connections. If the connection lags/times out
> but does not start again as 'new', it may be blocked. You should
> consider just allowing 2049 from a particular subnet, without other
> constraints on the packets.
> 
> NFS is also a bit like ftp, and likes to play with random ports, which
> tend to make firewalls angry. You'll want something in
> /etc/sysconfig/nfs like the following:
> 
> STATD_PORT=4000
> STATD_OUTGOING_PORT=4004
> LOCKD_TCPPORT=4001
> LOCKD_UDPPORT=4001
> MOUNTD_PORT=4002
> 
> Obviously you'll need to salt this to taste, and ensure that ports
> 4000:4004 are open (in this example) as well in your firewall.

Jim,

Thanks for the information.

Unfortunately, I tried this (and I thought I did it right) and I am
still having the same firewall problem. Evidently, I am still doing
something wrong. Since I haven't done this before, I am sure that I am
missing something, but at this point, I am not sure what.

I added the /etc/sysconfig/nfs file with your lines (it wasn't there
before). I changed the /etc/sysconfig/iptables to point to ports
4000:4004 instead of 2049 for both TCP and UDP. I left the rest of those
lines, and everything else, in iptables the same.

After making the changes, I have restarted the nfs, nfslock and iptables
services. I also did an exportfs -ra after making the changes.

Not sure what else to do at this point.
--
Doug

Registered Linux User #285548 (http://counter.li.org)
----------------------------------------
Random Thought:
QOTD:
	"When she hauled ass, it took three trips."
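The following is an added example, not code from the thread: a small shell helper that prints the RH-Firewall-1-INPUT rules needed once the fixed ports from the quoted /etc/sysconfig/nfs are in use, and a check that reports which of those ports an existing /etc/sysconfig/iptables does not open. It assumes the port values Jim quoted, a placeholder client subnet, and adds portmapper port 111, which the thread does not mention but which NFS clients contact first.

```shell
#!/bin/sh
# Added example for the CentOS NFS/firewall discussion (not from the thread).
# Assumes STATD_PORT=4000, STATD_OUTGOING_PORT=4004, LOCKD_TCPPORT=4001,
# LOCKD_UDPPORT=4001 and MOUNTD_PORT=4002 in /etc/sysconfig/nfs, as quoted.

# Ports NFS needs with those fixed settings. Port 2049 (nfsd) is still
# required alongside 4000:4004; 111 (portmapper) is an addition to the thread.
NFS_PORTS="111 2049 4000:4004"

# Print one ACCEPT rule per port and protocol for the RH-Firewall-1-INPUT
# chain, restricted to a client subnet and without the --state NEW match.
nfs_rules() {
    subnet="$1"
    for port in $NFS_PORTS; do
        for proto in tcp udp; do
            printf -- '-A RH-Firewall-1-INPUT -s %s -p %s -m %s --dport %s -j ACCEPT\n' \
                "$subnet" "$proto" "$proto" "$port"
        done
    done
}

# Print the NFS ports that have no --dport rule in the given iptables file.
# Returns 0 when every port is covered, 1 when something is missing.
check_nfs_rules() {
    file="$1"
    missing=""
    for port in $NFS_PORTS; do
        if ! grep -qE -- "--dport ${port}( |$)" "$file"; then
            missing="${missing:+$missing }$port"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Usage: sh nfs_fw.sh 192.168.1.0/24   (subnet is a placeholder value)
if [ "$#" -gt 0 ]; then
    nfs_rules "$1"
fi
```

Running the check against a file where 2049 was replaced by 4000:4004 prints "111 2049", which is the gap to look for after editing the rules.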
