
NFS via Firewall

Scott Hanson_1
Frequent Advisor

NFS via Firewall

We have had problems getting remsh, ssh or ftp to work through a Cisco firewall. The stem of the problem is that all three of the above use a random port number for the return data.

Does anyone know if NFS uses any random port numbers? Could it be used through a Cisco router running firewall software?

TIA
harry d brown jr
Honored Contributor

Re: NFS via Firewall

Scott,

One way to solve this, is to use Cisco's Virtual Tunneling product. This gives the user a secure tunnel to your network, where all ports can be "opened" if you wish. Check with your cisco dealer. Personally I use it at home to connect into our corporate network (via cable modem) which gives me access to everything I have at my office at work.

live free or die
harry
benoit Bruckert
Honored Contributor

Re: NFS via Firewall

Hi,
I'm using it through a PIX firewall (which is also a Cisco product),
but remsh should work too (it's easier than NFS, which is UDP).
By default the initiator of the TCP connection sends its port number to the recipient, so the firewall should accept the return data.
Did you specify something in your firewall config that blocks the return port?
The trouble is more an access-list configuration question than anything else.
Did you try posting something to Cisco? See the access-list configuration on www.cisco.com...

It's not a clear answer, but I hope it will help
regards
Benoit

A badly thought-out application ends up as an overcomplicated contraption (GHG)
Steven Sim Kok Leong
Honored Contributor
Solution

Re: NFS via Firewall

Hi,

For REMSH, you will need to open up a range of high ports unfortunately. I don't recall any firewall that has the ability to keep state for REMSH.

For SSH, I am surprised that you are getting this problem because SSH uses a single high source port (>1023) and default port 22 for the destination port and sticks to the same ports until the SSH session is over. In other words, you do not need a stateful firewall for SSH to work.

For FTP, if you are using a stateful firewall such as Checkpoint FW-1 (which terms its stateful functionality as stateful inspection), the firewall will automatically open up the high port for the return data and close it when the FTP session is over.

For NFS, you need to open up the ports TCP/111 and UDP/111 for the portmapper (also sometimes known as rpcbind in some OSes and versions). NFS uses TCP/2049 and UDP/2049 for its nfsd daemon.

In short, under normal circumstances, you only need to open up TCP/111, UDP/111, TCP/2049, UDP/2049 inbound.

Hope this helps. Regards.

Steven Sim Kok Leong
Steven Sim Kok Leong
Honored Contributor

Re: NFS via Firewall

Hi,

>> For FTP, if you are using a stateful firewall such as Checkpoint FW-1 (which terms its stateful functionality as stateful inspection), the firewall will automatically open up the high port for the return data and close it when the FTP session is over.

I forgot to mention that Cisco PIX is stateful too. Some firewalls, however, only work with active FTP, whereas others can work with both passive and active FTP.

Hope this helps. Regards.

Steven Sim Kok Leong
Scott Hanson_1
Frequent Advisor

Re: NFS via Firewall

Thanks for your help.

We are using a Cisco router with the IP/FW Pack. I don't know if this is a stateful firewall or not. I don't think I can use VPN, as the servers on either side of the firewall which need to talk to each other are HP9000's.

Anyone know the access list definitions to get this working?
Steven Sim Kok Leong
Honored Contributor

Re: NFS via Firewall

Hi,

If you are referring to the Cisco firewall feature set, then yes, it supports stateful filtering (to be precise, up to stateful inspection).

Static filtering:
- Cisco standard ACLs
- Cisco extended ACLs

Stateful filtering:
- Cisco reflexive ACLs

Stateful inspection:
- Cisco firewall feature set
- Cisco PIX

Hope this helps. Regards.

Steven Sim Kok Leong
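The port list in the accepted answer (TCP/UDP 111 for the portmapper, TCP/UDP 2049 for nfsd) and the ACL discussion at the end both leave one thing unanswered: on NFSv2/v3 the nfs daemon sits on 2049, but mountd, lockd (nlockmgr) and statd register with the portmapper on whatever ports they were given at boot, which is the same "random port" pattern that broke remsh and ftp. The quickest way to see what a given server actually needs is to ask its portmapper. The script below is an added example, not code from this thread or from HP or Cisco: it builds a PMAPPROC_DUMP call (the request that `rpcinfo -p server` sends), decodes the XDR reply, flags the entries a static 111/2049 rule would miss, and prints Cisco IOS extended ACL lines for every registered port in both directions. The reply it parses offline is constructed here; the program-name table, the addresses 10.1.1.5 (client) and 10.2.2.9 (server) and ACL number 101 are assumptions.

```python
"""Dump a portmapper/rpcbind table (PMAPPROC_DUMP over UDP/111) and turn it
into the Cisco IOS extended ACL lines a client->server NFS session needs.
Added example; the sample reply, hosts and ACL number are assumptions."""
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
IPPROTO = {6: "tcp", 17: "udp"}
# Friendly names for the well-known RPC program numbers (assumed table).
RPC_NAMES = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
             100021: "nlockmgr", 100024: "status"}


def build_dump_call(xid: int) -> bytes:
    """ONC RPC v2 CALL for PMAPPROC_DUMP with AUTH_NULL cred and verf (RFC 5531).
    Ten 32-bit words: xid, CALL, rpcvers 2, prog, vers, proc, cred, verf."""
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)


def parse_dump_reply(data: bytes, xid: int):
    """Decode the XDR pmaplist of a PMAPPROC_DUMP reply into (prog, vers, proto, port)."""
    hdr = struct.unpack(">IIIIII", data[:24])
    r_xid, msg_type, reply_stat, _verf_flavor, verf_len, accept_stat = hdr
    if r_xid != xid or msg_type != 1:
        raise ValueError("not a reply to our call")
    if reply_stat != 0 or accept_stat != 0:
        raise ValueError("rpc call denied or failed: %r" % (hdr,))
    off = 24 + (verf_len + 3) // 4 * 4   # skip the opaque verifier body (empty for AUTH_NULL)
    mappings = []
    while True:
        (more,) = struct.unpack(">I", data[off:off + 4])
        off += 4
        if not more:                      # end of the linked list
            return mappings
        prog, vers, proto, port = struct.unpack(">IIII", data[off:off + 16])
        off += 16
        mappings.append((prog, vers, proto, port))


def query_portmapper(host: str, timeout: float = 3.0):
    """Live query against a real server (not used by the offline sample below)."""
    xid = 0x1234ABCD
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_call(xid), (host, 111))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(data, xid)


def dynamic_ports(mappings):
    """Entries a static 111/2049 rule would miss: anything on a port rpcbind assigned."""
    return [(RPC_NAMES.get(prog, str(prog)), IPPROTO.get(proto, str(proto)), port)
            for prog, _vers, proto, port in mappings if port not in (111, 2049)]


def acl_lines(mappings, client, server, acl=101):
    """Cisco IOS extended ACL entries: client->server plus the server's replies.
    TCP replies can rely on 'established'; UDP has no such flag, so the reverse
    direction is opened explicitly per port."""
    ports = sorted({(proto, port) for _p, _v, proto, port in mappings if proto in IPPROTO})
    lines = [f"access-list {acl} permit {IPPROTO[pr]} host {client} host {server} eq {po}"
             for pr, po in ports]
    for pr, po in ports:
        est = " established" if IPPROTO[pr] == "tcp" else ""
        lines.append(f"access-list {acl} permit {IPPROTO[pr]} host {server} eq {po} host {client}{est}")
    return lines


def _xdr_reply(xid, mappings):
    """Encode a PMAPPROC_DUMP reply the way rpcbind would (used for the sample)."""
    out = struct.pack(">IIIIII", xid, 1, 0, 0, 0, 0)   # REPLY, MSG_ACCEPTED, AUTH_NULL verf, SUCCESS
    for m in mappings:
        out += struct.pack(">IIIII", 1, *m)
    return out + struct.pack(">I", 0)


SAMPLE_XID = 0x5EED0001
# Constructed table: the well-known 111/2049 entries plus the high ports that
# rpcbind handed to mountd, lockd and statd at boot (values invented here).
SAMPLE_TABLE = [
    (100000, 2, 6, 111), (100000, 2, 17, 111),
    (100003, 3, 17, 2049), (100003, 3, 6, 2049),
    (100005, 3, 17, 33589), (100005, 3, 6, 35245),
    (100021, 4, 17, 34567), (100024, 1, 17, 32789),
]
SAMPLE_REPLY = _xdr_reply(SAMPLE_XID, SAMPLE_TABLE)

if __name__ == "__main__":
    table = parse_dump_reply(SAMPLE_REPLY, SAMPLE_XID)
    for name, proto, port in dynamic_ports(table):
        print(f"{name:<10} {proto}/{port}   <- not covered by 111/2049")
    print("\n".join(acl_lines(table, "10.1.1.5", "10.2.2.9")))
```

The generated lines are plain extended ACL entries, the "static filtering" row of the list above, so they only stay correct while the daemons keep the ports in that dump; after a server reboot rpcbind may hand mountd, lockd and statd different ports, and the list has to be regenerated (or the daemons pinned to fixed ports where the operating system allows it). `query_portmapper(server)` runs the same exchange against a live host; note that a firewall which blocks UDP/111 from the client side will also stop this query, which is itself a useful check.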