[CentOS] losing NFS connection

Mon Apr 25 14:46:05 UTC 2005
Aleksandar Milivojevic <amilivojevic at pbl.ca>

Angelo Machils wrote:
> Hello there!
> Perhaps this is a little off-topic, but I notice this only on the Centos 
> box.
> I'm running Centos 4 on an AMD64 which has the following entries in the 
> fstab to connect to NFS shares on a Fedora3 box:

> I have opened ports 111 (TCP), 648 (TCP), 651 (TCP) and 2049 (TCP and 
> UDP) in iptables on the FC3 box and I can connect to them, but after a 
> while I seem to lose the connection to the shares.

NFS uses RPC, and RPC can be a real bitch to get working over a 
firewall.  IMO, if anybody thinks of writing a service that uses RPC, 
he/she should think again.  And again, until he/she drops the idea and 
decides not to use RPC.

Anyhow, since NFS does use RPC, and we are kind of stuck with it for 
now...  Try to make sure that in all of your configuration files all 
NFS RPC services are set up to use fixed ports, and make sure all of 
them are covered.  If you miss a single one, you get into trouble.  The 
other solution is to open all high ports from the client to the server, 
and see if that helps.  Try using the rpcinfo (or whatever it is called) 
utility and see if the port mapper assigned any non-standard ports to any of 
the NFS-related RPC services.

Also, put some logging rules into your firewall configuration.  That 
will help you troubleshoot the problems.  When you do it, you'll know 
exactly what kind of packets are being dropped by the firewall and why 
they are dropped.  Then you can either update your firewall 
configuration or make changes on NFS/RPC (for example, if you forgot to 
explicitly force some NFS-related RPC service to use a fixed port).

There's also an RPC helper module for Netfilter.  It is part of the iptables 
package, but not part of the kernel package (in other words, you can't 
use it unless you recompile the kernel, and then you need to know 
exactly what patch level of the module was in the iptables package to patch 
the kernel with the same patch level of the module, or you need to 
repatch/recompile both iptables and the kernel).  Adding Netfilter 
patches to your kernel can be a real bitch too for inexperienced users.  
Wish there was an easier way of doing it (as in: here's the userland 
module, here's the kernel module, just compile these two; but there 
isn't).  I attempted to try it out once, a long time ago, but it wasn't 
working all that great for me.  Hopefully it will mature one day and 
will be included in the kernel.

Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
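The procedure the reply recommends (pin every NFS-related RPC service to a fixed port, confirm with rpcinfo that the port mapper agrees, open exactly those ports, and log what the firewall still drops) as one script. This is an added example, not code from the thread or from nfs-utils. The port numbers, the client network 192.168.1.0/24 and the two rpcinfo listings are constructed for the example; the /etc/sysconfig/nfs variable names (MOUNTD_PORT, STATD_PORT, RQUOTAD_PORT) and the lockd module options (nlm_udpport, nlm_tcpport) are assumed to be the ones the Red Hat nfs init scripts and the kernel lockd module honour on that release.

```shell
#!/bin/sh
# Added example, not code from the thread. Pins the NFS side-services to
# fixed ports, checks the port mapper's view of them, and emits iptables
# rules with a LOG rule ahead of the final DROP so rejected NFS packets
# show up in syslog. Port numbers are assumptions chosen for this example;
# the /etc/sysconfig/nfs variable names and the lockd module parameters are
# assumed to be the ones nfs-utils and the kernel lockd module accept.

MOUNTD_PORT=892
STATD_PORT=662
RQUOTAD_PORT=875
LOCKD_PORT=32803

# expected_port NAME: the port an NFS-related RPC service should be on,
# keyed by the service name rpcinfo prints. Empty for services we ignore.
expected_port() {
    case "$1" in
        portmapper) echo 111 ;;
        nfs)        echo 2049 ;;
        mountd)     echo "$MOUNTD_PORT" ;;
        status)     echo "$STATD_PORT" ;;
        rquotad)    echo "$RQUOTAD_PORT" ;;
        nlockmgr)   echo "$LOCKD_PORT" ;;
        *)          echo "" ;;
    esac
}

# check_rpc_ports: read "rpcinfo -p" output on stdin, print one line per
# NFS-related registration that is not on its expected port, return 1 if
# any was found (0 means every service is where the firewall expects it).
check_rpc_ports() {
    bad=0
    while read -r prog vers proto port name; do
        case "$prog" in program|'') continue ;; esac
        want=$(expected_port "$name")
        [ -z "$want" ] && continue
        if [ "$port" != "$want" ]; then
            echo "MISMATCH: $name v$vers/$proto on $port, expected $want"
            bad=1
        fi
    done
    return $bad
}

# sysconfig_nfs / modprobe_lockd: the lines that make the ports above stick
# across restarts (/etc/sysconfig/nfs for the userland daemons,
# /etc/modprobe.conf for the in-kernel lock manager).
sysconfig_nfs() {
    printf 'MOUNTD_PORT=%s\nSTATD_PORT=%s\nRQUOTAD_PORT=%s\n' \
        "$MOUNTD_PORT" "$STATD_PORT" "$RQUOTAD_PORT"
}
modprobe_lockd() {
    printf 'options lockd nlm_udpport=%s nlm_tcpport=%s\n' "$LOCKD_PORT" "$LOCKD_PORT"
}

# iptables_rules CLIENT: server-side rules for one client address/network.
# Every pinned port is opened for both tcp and udp; anything else from the
# client hits a rate-limited LOG before the DROP, so /var/log/messages
# shows which port the client tried when a mount hangs.
iptables_rules() {
    client="$1"
    for p in 111 2049 "$MOUNTD_PORT" "$STATD_PORT" "$RQUOTAD_PORT" "$LOCKD_PORT"; do
        echo "iptables -A INPUT -s $client -p tcp --dport $p -j ACCEPT"
        echo "iptables -A INPUT -s $client -p udp --dport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -s $client -m limit --limit 5/min -j LOG --log-prefix 'NFS-DROP: '"
    echo "iptables -A INPUT -s $client -j DROP"
}

# Constructed "rpcinfo -p" output from a server that has NOT pinned its ports:
# mountd, status and nlockmgr sit on whatever the port mapper handed out.
RPCINFO_BEFORE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    3   tcp  32769  nlockmgr
    100005    1   udp    648  mountd
    100005    1   tcp    651  mountd
    100024    1   udp  32772  status'

# Constructed output from the same server after the sysconfig/modprobe
# changes and a restart of nfslock and nfs.
RPCINFO_AFTER='   program vers proto   port
    100000    2   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100021    3   tcp  32803  nlockmgr
    100005    1   tcp    892  mountd
    100024    1   udp    662  status
    100011    1   udp    875  rquotad'

printf '%s\n' "$RPCINFO_BEFORE" | check_rpc_ports \
    || echo "pin the services above, restart nfs, and re-check with rpcinfo -p"
```

On a live server replace the constructed listing with `rpcinfo -p | check_rpc_ports`; the 648/651 the original poster opened are exactly the kind of port-mapper-assigned mountd ports that move after a restart, which is why the check has to be repeated after every change rather than once.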