
Re: Problem with nfs through firewall

 
R.O.
Esteemed Contributor

Problem with nfs through firewall

Hi all,

I have some vlans and I try to export a directory from a system in a vlan to the systems belonging to the other vlans. I have the ports 2049 (TCP & UDP) and 111 (TCP & UDP) opened in the firewall, but when I try to mount the exported directory I have this:

mount: RPC: Timed out (if the client is a Linux)
nfs mount: get_fh: xxx.xxx.xxx.xxx:: RPC: Timed out (if the client is HPUX; the server is HPUX)

I can nfs mount in other systems from the same vlan.
Does somebody know where the problem is?

Regards,

R.O.
"When you look into an abyss, the abyss also looks into you"
K.Vijayaragavan.
Respected Contributor

Re: Problem with nfs through firewall

R.O.
Esteemed Contributor

Re: Problem with nfs through firewall

Hi,

From client to server:

client# rpcinfo -p server

program vers proto port
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 49356 mountd
100005 3 udp 49356 mountd
100005 1 tcp 60859 mountd
100005 3 tcp 60859 mountd
100003 2 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 tcp 2049 nfs
100003 3 udp 2049 nfs
1342177279 4 tcp 51556
1342177279 1 tcp 51556
1342177279 3 tcp 51556
1342177279 2 tcp 51556

From server to client:

server:/#rpcinfo -p client
rpcinfo: can't contact portmapper: RPC: Rpcbind failure - RPC: Failed (unspecified error)

This is what I see...
"When you look into an abyss, the abyss also looks into you"
Chris Vail
Honored Contributor

Re: Problem with nfs through firewall

You'll need to run rpcinfo -p HOSTNAME, where the hostname is your linux client outside the firewall. You will probably have to run it (or its Linux equivalent) on the linux box. When it lists out the ports that it is using, you'll have to modify your firewall to pass all those ports.

NFS is not a very secure facility for this reason. It's a good one, but really the industry needs to develop a Secure NFS.


Chris
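The rpcinfo table posted above is what the firewall rules have to be derived from. As an added example (not from any poster), this POSIX shell script parses such a table, lists the proto/port pairs NFS needs, and separates the fixed ports (111 and 2049) from the ephemeral ones that mountd happened to register; the table is a constructed sample taken from the thread's output.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p server` output (values from the thread), embedded
# so the script runs offline. In practice feed it: rpcinfo -p server | nfs_allow_list
RPCINFO_SAMPLE='   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  49356  mountd
    100005    3   tcp  60859  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
1342177279    4   tcp  51556'

# Read an rpcinfo -p table on stdin; print "proto port service", one line per unique
# proto/port/service triple. Rows with no service name get the label "unregistered".
rpc_ports() {
    awk 'NR > 1 && NF >= 4 {
            name = (NF >= 5) ? $5 : "unregistered"
            key = $3 " " $4 " " name
            if (!(key in seen)) { seen[key] = 1; print key }
         }'
}

# Print "proto/port service" for the services an NFS client must reach:
# portmapper (111), nfs (2049) and mountd (whatever it registered this time).
nfs_allow_list() {
    rpc_ports | awk '$3 == "portmapper" || $3 == "nfs" || $3 == "mountd" { print $1 "/" $2 " " $3 }'
}

# Print only the proto/port pairs outside the fixed set {111, 2049}. These are the
# ones that change when mountd restarts, so a static firewall rule for them goes stale.
dynamic_ports() {
    nfs_allow_list | awk '{ split($1, a, "/"); if (a[2] != 111 && a[2] != 2049) print $1 }'
}

# Stand-alone demonstration on the embedded sample.
printf '%s\n' "$RPCINFO_SAMPLE" | nfs_allow_list
echo "ports that move on restart:"
printf '%s\n' "$RPCINFO_SAMPLE" | dynamic_ports
```

Re-running the script after a mountd restart and diffing the dynamic_ports output shows exactly which rule has gone stale.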
Kevin Wright
Honored Contributor

Re: Problem with nfs through firewall

For NFS to work through a firewall, you should have port 111, both tcp and udp, and tcp or udp 2049, depending on which protocol you're using.

You may need to stop and restart your nfs server daemons.
R.O.
Esteemed Contributor

Re: Problem with nfs through firewall

Hello,

I have seen that I need to open in the firewall the port for rpc.mountd. This daemon uses different ports every time it is restarted. So the question is: Is there any way to force mountd to listen on the same port in the nfs server forever?
I tried with the -p option, but it does not work for this case.

Regards
"When you look into an abyss, the abyss also looks into you"
Shannon Petry
Honored Contributor

Re: Problem with nfs through firewall

NFS does not always use the same port numbers, so you need to change the firewall a bit. What you need to do, is allow all traffic from NFS_HOST to NFS_CLIENT. There is no way around this, and it is very insecure.

Your next option is to ensure that NFS is handled in each LAN separately.

Regards,
Shannon
Microsoft. When do you want a virus today?
Kevin Wright
Honored Contributor

Re: Problem with nfs through firewall

Not 100% sure on HP, but on solaris, mountd is not required to be open to clients. Mountd responds to requests made from the LOCAL nfsd, and determines if the permissions are OK for the client to mount the filesystem. It has no interaction with the client, except through nfsd. If nfsd, 2049 is open all should be OK.
Chris Vail
Honored Contributor

Re: Problem with nfs through firewall

As Shannon (and I) mentioned, NFS really isn't terribly secure. It is, however, very convenient. You really can't push it through a firewall very easily at all. And if you do, it won't be very secure.

But there's more than one way to do this. Consider creating a private, back-to-back LAN from one server to another directly through the appropriate cable. Then mount the NFS volume either read only, or write only--depending on your need. This is a LOT more secure, but not as much as it might be.

An expensive solution (that we use here) is to use EMC's Celerra product. This is an NFS to fiber gateway, with access both inside and outside the firewall. We use the BCV (Business Continuance Volume) process to mirror data outside the firewall. Once that is done, we logically attach the filesystem to a host inside the firewall, where it goes through virus scanning. Finally, we attach it (again logically) to a 4th host (also inside the firewall) where the data files are acted on by the software. If this sounds complicated and expensive, you're right. It's also REALLY secure, as never does a user from outside the company ever see the systems behind the firewall. But it moves data quite efficiently between environments.

EMC is discontinuing the Celerra, so you can pick one of these up cheap (still over $100kUSD, however). At least go to EMC's website and check it out. They're pretty desperate for sales these days, so you may be able to strike a bargain.


Chris
Suresh Patoria
Super Advisor

Re: Problem with nfs through firewall

Hi,

Try the following steps:

1.) You are able to ping the remote server

2.) You are able to reach the remote service through rpcinfo -p

3.) On the server and client end, run the command rpcbind -w


Suresh Patoria
Super Advisor

Re: Problem with nfs through firewall

Hi,

Try the following steps:

1.) You are able to ping the remote server

2.) You are able to reach the remote service through rpcinfo -p

3.) On the server and client end, run the command rpcbind -w

4.) Check the remote host's entry in the /etc/hosts file

5.) Check that the nfsd daemon is enabled in the /etc/rc.config.d/nfsconf file