08-31-2003 08:51 AM
NFS between AIX and HP through firewall
Okay, here's my problem. I want to have NFS enabled between an AIX and an HP box. The problem is that the AIX box is in a DMZ and behind a firewall.
The following ports (both udp and tcp) are opened on the firewall
machine  port     destination  port
hp       gt 1024  aix          111
hp       gt 1024  aix          1024
aix      111      hp           1024
aix      gt 1024  hp           1024
I changed the mount daemon on the AIX box so that it is listening on port 8999. I used nettl to trace all inbound and outbound network traffic and to my surprise I see that a call from a random port < 1024 is being made from the HP to the AIX box. I guess this is the rpc.mountd trying to mount the remote filesystem, but I find it strange that it is using a 'reserved' port and not a port > 1024 and that it is also using a random port.
My questions are:
- Is it possible to configure NFS through a firewall?
- Is it possible to let the HP mount daemons run on a static port?
- Is there a product available to tunnel NFS through a firewall?
Points will be assigned accordingly.
Cheers
Joost
08-31-2003 09:27 AM
Re: NFS between AIX and HP through firewall
I believe the answer to your first and third question is yes.
Here is some reading to help.
http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B1031-90051/B1031-90051_top.html&con=/hpux/onlinedocs/B1031-90051/00/00/6-con.html&toc=/hpux/onlinedocs/B1031-90051/00/00/6-toc.html&searchterms=configuration%7cNFS&queryid=20030831-112621
Should it be done? Understand that NFS is going to transmit disk information through that firewall unencrypted.
That being said, you will need to change /etc/services to use the port assignment you want to use.
It might be somewhat more secure to use Samba(CIFS/9000) on the HP side.
Free Client
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B8724AA
Free server side.
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B8725AA
http://www.samba.org for the aix side.
Configuration of samba is pretty simple.
server
http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B8725-90016/B8725-90016_top.html&con=/hpux/onlinedocs/B8725-90016/00/00/11-con.html&toc=/hpux/onlinedocs/B8725-90016/00/00/11-toc.html&searchterms=configuration%7cCIFS/9000&queryid=20030831-112324
client
http://docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/B8724-90011/B8724-90011_top.html&con=/hpux/onlinedocs/B8724-90011/00/00/10-con.html&toc=/hpux/onlinedocs/B8724-90011/00/00/10-toc.html&searchterms=configuration%7cCIFS/9000&queryid=20030831-112324
I just think you should have some options.
SEP
08-31-2003 10:33 AM
Re: NFS between AIX and HP through firewall
Thanks for your swift reply. I'm still stuck with my second question: Is it possible to let the HP mount daemons run on a static port?
To implement a product to tunnel NFS is my last resort. Implementing this would take around 6 months.
Any more good suggestions are welcome.
Thanks,
Joost
08-31-2003 12:45 PM
Re: NFS between AIX and HP through firewall
I read an article in a Linux mag about NFSv4 being able to do what you would like to do. I am not sure if there is a port for HP-UX out.
http://www.nfsv4.org
NFSv4 is the answer to all our problems.
Will keep you posted if I find any more info.
geluk
08-31-2003 01:29 PM
Re: NFS between AIX and HP through firewall
Using the mount command from the client with no protocol parameters, the behavior will be first to try to establish a TCP connection with the server. If that fails, then it will try to establish a UDP connection with the server.
You can tell NFS to establish ONLY a TCP connection using the following command:
mount -o proto=tcp
If TCP is not available on the server, the mount fails.
You can tell NFS to establish ONLY a UDP connection using the following command:
mount -o proto=udp
If UDP is not available on the server, the mount fails.
NFS Server TCP Connections
On the NFS server, to ensure a request for a TCP connection will be successful, the service must be advertised in the /etc/services name database file. This database advertises the availability of TCP on the server through port 2049. The entry appears in the /etc/services name database file. There is also an entry for UDP. They are as follows:
nfsd 2049/tcp #NFS remote file system
nfsd 2049/udp #NFS remote file system
09-01-2003 08:27 AM
Re: NFS between AIX and HP through firewall
I'm running NFS through a firewall, so it's possible (between HP-UX and HP-UX, but I tried through 2 different firewalls!)
What I did to be more secure is just make it work on TCP (no UDP), and configure the firewall to allow connected and related connections.
For some firewalls, UDP can also work; it depends on whether the rules to follow UDP NFS requests exist on your firewall.
But if AIX can support NFS over TCP (I don't know about it), then it's easier and it can work with any firewall.
hth
Benoit
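
An added example, not part of any post in this thread: a shell helper that reads `rpcinfo -p` output for the NFS server and lists the NFS-related RPC registrations whose ports are not in the set the firewall is assumed to allow, for TCP only or for both protocols. The sample output, the allowed-port list and the function names are constructed for illustration; 2049 and 8999 are the ports mentioned in the thread.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p <server>` output (not captured from a real host).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  49152  status
    100024    1   tcp  49152  status
    100021    4   udp  49153  nlockmgr
    100021    4   tcp  49153  nlockmgr
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp   8999  mountd
    100005    3   udp   8999  mountd
    100005    3   tcp   8999  mountd
EOF
}

# nfs_fw_gaps PROTO "ALLOWED PORTS"
# Reads rpcinfo -p output on stdin and prints "service proto port" for every
# NFS-related RPC registration using PROTO (tcp, udp or any) whose port is
# not in the allowed list. Each service/proto/port is reported once even if
# several protocol versions are registered on it.
nfs_fw_gaps() {
    awk -v want="$1" -v allowed="$2" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        # RPC program numbers an NFSv2/v3 client may contact
        nfs[100000] = "portmapper"; nfs[100003] = "nfs"; nfs[100005] = "mountd"
        nfs[100021] = "nlockmgr";   nfs[100024] = "status"
    }
    $1 ~ /^[0-9]+$/ && ($1 in nfs) {
        if (want != "any" && $3 != want) next
        key = nfs[$1] " " $3 " " $4
        if (!($4 in ok) && !(key in seen)) { seen[key] = 1; print key }
    }'
}

# Assumed firewall policy: only 111, 2049 and 8999 are open towards the server.
sample_rpcinfo | nfs_fw_gaps tcp "111 2049 8999"
```

Against a live server, replace `sample_rpcinfo` with `rpcinfo -p <server>` run from a host that can reach its portmapper.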