topic Re: NFS across firewall in Operating System - HP-UX

NFS across firewall

Gary Yu — Mon, 25 Oct 2004 09:02:47 GMT

Hi all,

We have a NFS client server in the DMZ, and will access the NFS server in the local network through firewall, both servers are running HPUX11.0. we have opened port 111 and 2049 (udp and tcp)on firewall for rpcbind and nfsd , but it seemed that there's still a random UDP port on NFS server is needed for "rpc.mount". i.e output from lsof shows:
rpc.mount 1137 root 3u inet 72,0x73 0t0 UDP *:49236 (Idle)

the problem is, since this udp port is randomly allocated, it's hard to set firewall rules to let it pass. Anyone there also got similar problems? Thank you for sharing your experience.

Gary

Re: NFS across firewall

Gary Yu — Mon, 25 Oct 2004 09:31:38 GMT

After I did some search on the forum, it seemed it's mission impossible :(
so don't bother, thanks guys...
Gary

Re: NFS across firewall

Steven E. Protter — Mon, 25 Oct 2004 09:40:51 GMT

The problem is that with NFS v3 there is a random port in the 10,000 range that needs to be open. I believe NFS v4 provides a methodology for getting around this.

SEP

Re: NFS across firewall

Gary Yu — Mon, 25 Oct 2004 09:50:46 GMT

Thanks Steven, is it easy to upgrate NFS to v4.0? I don't have such document on hand...

thanks,
Gary

Re: NFS across firewall

Geoff Wild — Mon, 25 Oct 2004 10:03:53 GMT

Have a look at running NFS over TCP only:

http://www.interex.org/pubcontent/enterprise/sep00/14mcneal.html

-o proto=tcp

Rgds...Geoff

Re: NFS across firewall

Gary Yu — Mon, 25 Oct 2004 10:39:30 GMT

thanks guys,
one more questions regarding this issue,
does the rpc.mountd only active(or being used) while do the initial mount? I mean, I found that after I opened the 49xxx port for rpc.mountd, and mount the nfs file system, I then closed that port on firewall, but I still can read/write the NFS file system on clients without any problem.
so the question is, after the initial mount, is it possible to close the port on firewall?

thanks,
Gary

Re: NFS across firewall

RAC_1 — Mon, 25 Oct 2004 10:52:11 GMT

NFS through particular port was not possible till sometime back. With new version, it is possible. There was a mention about this from Dave Olker. Search the forum for his posts and you will get it. The one thing that I do not remember is "Is that available for 11.0"

I am sure that it is there for 11.23.

With new NFS, is was posiible to do forcefull unmount of NFS mount and running it over a particular port.

Anil

Re: NFS across firewall

Andrew Cowan — Tue, 26 Oct 2004 06:47:06 GMT

Hi Gary,

I answered another very similar enquirey today, and the only solution that I am aware of is to use IP-Sec to tunnel NFS through. This will be totally transparent to all applications once setup, and will allow you to route other traffic over the link without having to modify your firewall configuration.