HPE Community
Operating System - Linux
1830245 Members
1723 Online
110000 Solutions
New Discussion

Force mount to use UDP??

 
Brian McEntire
Frequent Advisor

‎04-18-2003 12:55 PM

‎04-18-2003 12:55 PM

Force mount to use UDP??

Calling all Linux Guru's! :)

We had a working setup: NFS Linux client mounting from an NFS Linux server.

Then we put a PIX firewall between them. I've opened the correct ports on the PIX (111 and 2049).

For another NFS client (HP-UX) on the same subnet as the Linux NFS client, NFS mounts work.

* This is because HP-UX mount requests _first_ contact portmap (port 111) on the Linux NFS server via UDP. The Cisco PIX is stateful and watches the UDP query and the response from the Linux NFS server and allows the follow-on communications and NFS mount to work.

The Cisco PIX only supports NFS over UDP.

* Linux mount requests to the Linux NFS server use TCP rather than UDP for their initial query to the server's portmapper. These fail because the PIX does not support NFS over TCP and doesn't watch TCP queries to portmap.

** Is there a way to for Linux's mount process to contact portmap using UDP?

FYI, using the -o udp mount option doesn't have any effect because that is for NFS traffic, but this issue is before the NFS connections are made.

Thanks for any help! I've done a good bit of Googling and come up short.
0 Kudos
Reply
8 REPLIES 8
Jean-Pierre Denis
Valued Contributor

‎04-18-2003 02:58 PM

‎04-18-2003 02:58 PM

Re: Force mount to use UDP??

Hi,

I'm wondering if commenting this line in /etc/services:

sunrpc 111/tcp

would force it to use UDP since the tcp one is comment out.

Thanks,
JP
Open your Mind and use Open Source software...
0 Kudos
Reply
U.SivaKumar_2
Honored Contributor

‎04-18-2003 09:29 PM

‎04-18-2003 09:29 PM

Re: Force mount to use UDP??

Hi,

Edit /etc/fstab of the linux client.

yournfsserver:/nfsdata /nfsdata nfs noauto,ro,hard,intr,bg,udp

Save the file

Now

#mount /nfsdata

regards,

U.SivaKumar

Innovations are made when conventions are broken
0 Kudos
Reply
Brian McEntire
Frequent Advisor

‎04-19-2003 05:51 AM

‎04-19-2003 05:51 AM

Re: Force mount to use UDP??

Thanks for the suggestion! Unfortunately, that won't the problem for this scenario.
The udp mount option only specifices the NFS should run over UDP. It doesn't force the initial query to the NFS server's portmapper to use UDP... that's what I really need to find out how to do.
0 Kudos
Reply
Bill Douglass
Esteemed Contributor

‎04-19-2003 08:20 AM

‎04-19-2003 08:20 AM

Re: Force mount to use UDP??

Can you modify the PIX to allow TCP from the Linux client to port 111 on the NFS server? This would not be any less secure than allowing NFS traffic through.
0 Kudos
Reply
Sorrel G. Jakins
Valued Contributor

‎04-20-2003 05:15 AM

‎04-20-2003 05:15 AM

Re: Force mount to use UDP??

What about JP's suggestion (repeated in full here in case you missed it)? Did you try it?
April 18, 2003 22:58 PM GMT [ unassigned ]

======paste=====
Hi,

I'm wondering if commenting this line in /etc/services:

sunrpc 111/tcp

would force it to use UDP since the tcp one is comment out.

Thanks,
JP
0 Kudos
Reply
Brian McEntire
Frequent Advisor

‎04-21-2003 07:01 AM

‎04-21-2003 07:01 AM

Re: Force mount to use UDP??

JP,
Editing /etc/services was a good idea. Unfortunately, it didn't have the desired affect. :(

I was capturing packets on both LANs and even with 111/tcp commented out of /etc/services, when I issue the mount command on the Linux NFS client, it attempts to contact the Linux NFS server on port 111 with tcp packets. These don't get through the PIX.

I wonder if it is Linux's TCP stack or the mount command which causes this tcp-only behavior I had hoped that at least linux would try UDP after failing to establish a TCP connection to portmapper, but it doesn't even try (according to packet traces on my net.) It really seems like linux is alone here, other UNIX's use UDP rather than TCP to contact portmap on the NFS server.

Do you have any other ideas for forcing the Linux NFS client to contact the NFS server's portmapper using udp packets?

Thanks!
0 Kudos
Reply
Brian McEntire
Frequent Advisor

‎04-21-2003 07:12 AM

‎04-21-2003 07:12 AM

Re: Force mount to use UDP??

Bill,
I can allow 111/tcp through the PIX. The problem is, the PIX is dynamic and stateful, and the PIX is only aware/able to properly support NFS over UDP.

So, while my HP-UX NFS client can set up a successful NFS connection to my NFS server with a single rule in the firewall:

access-list 101 permit udp host host eq sunrpc

My Linux NFS cannot currently set up the NFS mount with any less than FOUR firewall rules:

access-list 101 permit udp host host eq sunrpc
access-list 101 permit tcp host host eq sunrpc
access-list 101 permit udp host host eq 2049
access-list 101 permit udp host host eq 32771

If 4 rules were enough to do it right, I might be willing to accept 3 more rules for the Linux client compared to the HP-UX client. HOWEVER, the Linux rules only work no if rpc.mountd on the NFS server always runs on port 32771 and nfsd always runs on the server on port 2049. So technically, I also need to add -p parameters to mountd and possibly nfsd in the NFS server's startup scripts AND I need to add additional parameters to the fstab file on the Linus NFS client system:

port=2049,mountport=32771

All of this adds a lot of complexity to the configuration and is totally unnecessary IF I could find a way to force the Linux NFS client to use UDP when contacting the portmapper on the NFS server.

The problem boils down to the PIX's UDP-only support for NFS and LINUX's TCP-only connection method for the initial connection to the NFS server's portmapper.
0 Kudos
Reply
benoit Bruckert
Honored Contributor

‎04-23-2003 04:49 AM

‎04-23-2003 04:49 AM

Re: Force mount to use UDP??

Hi,
I'm using HP-UX client (nfs), HP-UX server (nfs) and a pix firewall between them (6.2(2)).
And I'm using tcp (I forced it on the client side) .
Yes it's not a linux client, but it works !
But to be complete, the nfs server is in an area where the nfs client can access without restrictions.
I tried with udp, but I had some trouble for the coming back of the datas. With tcp it works like a charm.
I didn't try to reduce the entrance to the nfs server area. Then I cannot tell you what ports are used to established the connections...

This post is just there to explain that pix can handle nfs over tcp...

hth
Benoit
__________
"Les femmes ont plus de honte de confesser une chose d'amour que de la faire." Marguerite De Navarre
Une application mal pansée aboutit à une usine à gaze (GHG)
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.