On Sat, 2006-09-30 at 20:18 -0400, Jim Perrin wrote:
In the file /etc/sysconfig/iptables are the lines:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
and there are not any deny lines above these. I think those lines were added when I ran system-config-securitylevel-tui. Those are the only lines that I can find that mention port 2049 or nfs.
These lines accept NEW connections. If the connection lags/times out but does not start again as 'new', it may be blocked. You should consider just allowing 2049 from a particular subnet, without other constraints on the packets.
NFS is also a bit like ftp, and likes to play with random ports, which tend to make firewalls angry. You'll want something in /etc/sysconfig/nfs like the following:
STATD_PORT=4000
STATD_OUTGOING_PORT=4004
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
Obviously you'll need to salt this to taste, and ensure that ports 4000:4004 are open (in this example) as well in your firewall.
Jim,
Thanks for the information.
Unfortunately, I tried this (and I thought I did it right) and I am still having the same firewall problem. Evidently, I am still doing something wrong. Since I haven't done this before, I am sure that I am missing something, but at this point, I am not sure what.
I added the /etc/sysconfig/nfs file with your lines (it wasn't there before). I changed the /etc/sysconfig/iptables to point to ports 4000:4004 instead of 2049 for both TCP and UDP. I left the rest of those lines, and everything else, in iptables the same.
After making the changes, I have restarted the nfs, nfslock and iptables services. I also did an exportfs -ra after making the changes.
Not sure what else to do at this point. -- Doug
Registered Linux User #285548 (http://counter.li.org)
----------------------------------------
Random Thought: QOTD: "When she hauled ass, it took three trips."
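Jim's recipe pins statd, lockd and mountd to fixed ports in /etc/sysconfig/nfs and then opens those ports, in addition to 2049, in the firewall, ideally restricted to a trusted subnet with no state match. The script below is an added example for this thread, not Jim's or Doug's own configuration: it reads a constructed /etc/sysconfig/nfs fragment with the values quoted above, derives the set of inbound ports an NFS server needs (111 for the portmapper and 2049 for nfsd are standard and not from the thread; the rest come from the sysconfig values), and emits the matching RH-Firewall-1-INPUT rules. The subnet 192.168.1.0/24 is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): derive the iptables rules that a
# static-port NFS server needs, from the /etc/sysconfig/nfs settings.
# Assumptions: chain name RH-Firewall-1-INPUT (from the thread), a constructed
# sysconfig fragment, and a hypothetical trusted subnet passed by the caller.

# Constructed sample of /etc/sysconfig/nfs, using the values Jim suggested.
NFS_SYSCONFIG_SAMPLE='STATD_PORT=4000
STATD_OUTGOING_PORT=4004
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002'

# nfs_ports SYSCONFIG_TEXT
# Print the distinct inbound ports an NFS server must accept, one per line:
# 111 (portmapper) and 2049 (nfsd) are fixed; statd, lockd and mountd use
# whatever *_PORT values the sysconfig pins. STATD_OUTGOING_PORT is only a
# source port for statd's own outbound calls, so it is not an inbound rule.
nfs_ports() {
  {
    printf '%s\n' 111 2049
    printf '%s\n' "$1" |
      awk -F= '/^(STATD_PORT|LOCKD_TCPPORT|LOCKD_UDPPORT|MOUNTD_PORT)=[0-9]+$/ { print $2 }'
  } | sort -n | uniq
}

# nfs_rules SUBNET SYSCONFIG_TEXT
# Emit one ACCEPT rule per port and protocol, limited to the trusted subnet.
# No "-m state --state NEW" match is used, so a mount whose connection lags
# and resumes is still accepted, as Jim recommended.
nfs_rules() {
  subnet=$1
  nfs_ports "$2" | while read -r port; do
    for proto in tcp udp; do
      printf '%s RH-Firewall-1-INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
        -A "$subnet" "$proto" "$port"
    done
  done
}

# Stand-alone usage: print the rule set for the sample configuration.
nfs_rules 192.168.1.0/24 "$NFS_SYSCONFIG_SAMPLE"
```

The emitted lines can be pasted into /etc/sysconfig/iptables in place of the two 2049-only lines. After restarting nfs, nfslock and iptables, `rpcinfo -p` on the server shows which ports statd, lockd and mountd actually bound; if they still show random high ports, the sysconfig file was not picked up and no firewall rule will help.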