[CentOS] losing NFS connection
Aleksandar Milivojevic
amilivojevic at pbl.ca
Mon Apr 25 14:46:05 UTC 2005
Angelo Machils wrote:
> Hello there!
>
> Perhaps this is a little off-topic, but I notice this only on the Centos
> box.
> I'm running Centos 4 on an AMD64 which has the following entries in the
> fstab to connect to NFS shares on a Fedora3 box:
> I have opened ports 111 (TCP), 648 (TCP), 651 (TCP) and 2049 (TCP and
> UDP) in iptables on the FC3 box and I can connect to them, but after a
> while I seem to lose the connection to the shares.

NFS uses RPC, and RPC can be a real bitch to get it working over a
firewall. IMO, if anybody thinks of writing a service that uses RPC,
he/she should think again. And again, until he/she drops the idea, and
decides not to use RPC.

Anyhow, since NFS does use RPC, and we are kind of stuck with it for
now... Try and make sure that in all of your configuration files all
NFS RPC services are set up to use fixed ports, and make sure all of
them are covered. If you miss a single one, you get into trouble. The
other solution is to open all high ports from the client to the server,
and see if that helps. Try using rpcinfo (or whatever it is called)
utility and see if port mapper assigned any non-standard ports to any of
NFS related RPC services.

Also, put some logging rules into your firewall configuration. That
will help you troubleshoot the problems. When you do it, you'll know
exactly what kind of packets are being dropped by the firewall and why
they are dropped. Then you can either update your firewall
configuration or make changes on NFS/RPC (for example, if you forgot to
explicitly force some NFS related RPC service to use a fixed port).

There's also an RPC helper module for Netfilter. It is part of the iptables
package, but not part of the kernel package (in other words, you can't
use it, unless you recompile the kernel, and then you need to know
exactly what patch level of the module was in the iptables package to patch
the kernel with the same patch level of the module, or you need to
repatch/recompile both iptables and the kernel). Adding Netfilter
patches to your kernel can be a real bitch too for inexperienced users.
Wish there was an easier way of doing it (as in here's the userland
module, here's the kernel module, just compile these two, but there
isn't). I've attempted to try it out once a long time ago, but it wasn't
working all that great for me. Hopefully it will mature one day and
will be included into the kernel.
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
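
One way to run the rpcinfo check suggested in the message above, as an added example that is not part of the original post: it lists every RPC registration whose port/protocol is missing from the firewall's allowed list. The allowed list is the set of ports the quoted message says were opened; the rpcinfo output is a constructed sample and `nfs-server.example` is a placeholder host name.

```shell
#!/bin/sh
# Ports opened on the NFS server's firewall, as listed in the quoted message.
ALLOWED="111/tcp 648/tcp 651/tcp 2049/tcp 2049/udp"

# Constructed sample of `rpcinfo -p <server>` output (not from the original post).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    645  status
    100024    1   tcp    648  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    3   udp  32768  nlockmgr
    100021    1   tcp  32769  nlockmgr
    100005    1   udp    651  mountd
    100005    1   tcp    651  mountd
EOF
}

# Reads `rpcinfo -p` output on stdin. $1 is a space-separated list of
# port/proto pairs the firewall lets through. Prints one "service port/proto"
# line for each registration the firewall does not cover; several versions of
# the same program on the same port are reported once.
uncovered_rpc_ports() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Data rows start with a numeric program number; the header does not.
        $1 ~ /^[0-9]+$/ && NF >= 4 {
            key  = $4 "/" $3
            name = (NF >= 5) ? $5 : ("prog-" $1)
            if (!(key in ok) && !seen[name " " key]++)
                print name, key
        }
    '
}

# Against a live server: rpcinfo -p nfs-server.example | uncovered_rpc_ports "$ALLOWED"
sample_rpcinfo | uncovered_rpc_ports "$ALLOWED"
```

Ports such as the 32768/32769 pair in the sample are assigned by the port mapper and can change when the service restarts, so each service this prints either needs pinning to a fixed port or a matching firewall rule.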