#1 2009-07-06 12:36:07

rocktorrentz
Member
From: Southampton, England
Registered: 2007-08-05
Posts: 141

nfs-server and random port listening.

I'd quite like to get NFS working, as I've had no luck as yet getting Samba performance up to par with it. However, every time I start nfs-server it listens on two random TCP ports despite what I have in my config files, and this is not helpful when trying to allow it in my iptables rules. Here are my config files; I hope you can help:
/etc/conf.d/nfs-common.conf

# Parameters to be passed to nfs-common (nfs clients & server) init script.
#

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options to pass to rpc.statd.
# See rpc.statd(8) for more details.
# N.B. statd normally runs on both client and server, and run-time
# options should be specified accordingly. Specifically, the Arch
# NFS init scripts require the --no-notify flag on the server,
# but not on the client e.g.
STATD_OPTS="--no-notify -p 32765 -o 32766"
# STATD_OPTS="-p 32765 -o 32766" -> client
# STATD_OPTS=

# Options to pass to sm-notify
SMNOTIFY_OPTS="-p 32764"
#SMNOTIFY_OPTS=""

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=no

# Options to pass to rpc.idmapd.
# See rpc.idmapd(8) for more details.
IDMAPD_OPTS=

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=no

# Options to pass to rpc.gssd.
# See rpc.gssd(8) for more details.
GSSD_OPTS=

# Where to mount rpc_pipefs filesystem; the default is "/var/lib/nfs/rpc_pipefs".
PIPEFS_MOUNTPOINT=

# Options used to mount rpc_pipefs filesystem; the default is "defaults".
PIPEFS_MOUNTOPTS=

/etc/conf.d/nfs-server.conf

# Parameters to be passed to nfs-server init script.
#

# Options to pass to rpc.nfsd.
# See rpc.nfsd(8) for more details.
NFSD_OPTS=1

# Number of servers to start up; the default is 8 servers.
NFSD_COUNT=

# Where to mount nfsd filesystem; the default is "/proc/fs/nfsd".
PROCNFSD_MOUNTPOINT=

# Options used to mount nfsd filesystem; the default is "rw,nodev,noexec,nosuid".
PROCNFSD_MOUNTOPTS=

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option.
# See rpc.mountd(8) for more details.
MOUNTD_OPTS="--no-nfs-version 1 --no-nfs-version 2 -p 32767"

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD=

# Options to pass to rpc.svcgssd.
# See rpc.svcgssd(8) for more details.
SVCGSSD_OPTS=

edit:
Here are my firewall rules:

    # Flush old policies and rules.
    # Get iptables cleaned and ready for new rules.
    #
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    iptables -X
 
    #
    # First thing, drop illegal packets.
    #
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP # New connection without SYN
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP # XMAS scan
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP # all flags set
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP # SYN+RST
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # SYN+FIN
    iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN without ACK
    iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 
    #
    # Accept some remote connections.
    # This is what the system exposes to the public.
    # This is what everyone outside the system can see.
    #
    # SSH
    iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
    # DNS and DHCP
    iptables -A INPUT -p udp -i eth0 --dport 67 -j ACCEPT
    iptables -A INPUT -p udp -i eth0 --dport 53 -j ACCEPT

    # NFS
    iptables -A INPUT -p tcp --dport 32767 -j ACCEPT
    iptables -A INPUT -p tcp --dport 32765:32766 -j ACCEPT
    iptables -A INPUT -p tcp --dport 32764 -j ACCEPT
    iptables -A INPUT -p tcp --dport 111 -j ACCEPT #portmap
    iptables -A INPUT -p udp --dport 111 -j ACCEPT #portmap
    iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
    iptables -A INPUT -p udp --dport 2049 -j ACCEPT

    #
    # Accept limited ping (ICMP).
    # Allow valid, slow pings. Ping is useful, but it can be abused.
    # Note that this will cause ping packet loss if the ICMP packets
    # come in faster than 10 per second, so using "ping -f" to test
    # connection reliability will give false bad readings.
    # This is put after most other rules because ICMP is a low priority.
    #
    iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 10/second -j ACCEPT
    iptables -A INPUT -p icmp -j DROP
 
    #
    # Match related and established state connections. This allows localhost
    # initiated inbound connections such as those from ftp to work properly.
    #
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
 
    #
    # Masquerade traffic leaving via wlan0 (NAT for the other card).
    #
    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

    #
    # These default policies handle anything not covered by a prior rule.
    #
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

edit: I've now got really insecure iptables rules (allowing everything by default) to get this working. If someone has a working nfs + iptables setup please paste your config files.

Last edited by rocktorrentz (2009-07-06 14:50:19)
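An added example, not part of the original post: a small POSIX shell script that audits which ports the RPC services behind NFS have actually registered with the portmapper (rpcinfo -p) against the set of ports the firewall intends to open, and emits matching iptables rules for both TCP and UDP. The configs above pin statd and mountd, but with NFSv3 exports the kernel lock manager (lockd, registered as nlockmgr) picks its own ports unless pinned via sysctl (fs.nfs.nlm_tcpport and fs.nfs.nlm_udpport), so it is one common source of "random" listeners; the 32768 pin for it and the rpcinfo sample in the script are my assumptions, constructed for the example and not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): compare the ports NFS's RPC
# services registered with the portmapper against the ports the firewall
# allows, and print iptables rules for the allowed set.
#
# Assumptions (mine, not the post's): rpcinfo(8) from rpcbind/portmap is
# installed and its "-p" output uses the five-column layout
# "program vers proto port service". The sample below is constructed.

# Ports the firewall intends to open. 111 = portmapper, 2049 = nfsd,
# 32765/32766 = statd (-p/-o from nfs-common.conf), 32767 = mountd (-p from
# nfs-server.conf), 32768 = lockd, assumed pinned with
#   sysctl -w fs.nfs.nlm_tcpport=32768 fs.nfs.nlm_udpport=32768
# before the nfs module registers it (not done by the posted configs).
ALLOWED_PORTS="111 2049 32765 32766 32767 32768"

# Read rpcinfo -p output on stdin; print "proto port service" for every
# registration whose port is outside ALLOWED_PORTS. Exit 1 if any were found.
unpinned_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^ *program/ { next }                       # column header line
        NF >= 4 && !($4 in ok) { print $3, $4, $5; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Emit INPUT rules for the allowed set on both protocols: statd, mountd and
# lockd all speak UDP as well as TCP, so TCP-only rules are not enough.
nfs_rules() {
    for p in $ALLOWED_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
        echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"
    done
}

# Constructed sample of rpcinfo -p on a server where lockd was left unpinned.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  37418  nlockmgr
    100021    1   tcp  43657  nlockmgr
    100005    3   tcp  32767  mountd
    100005    3   udp  32767  mountd'

# Usage: ./nfsports.sh          -> audit the constructed sample
#        ./nfsports.sh --live   -> audit the running host via rpcinfo -p
#        ./nfsports.sh --rules  -> print the iptables rules
case "${1:-}" in
    --live)  rpcinfo -p | unpinned_ports && echo "all RPC ports are in the allowed set" ;;
    --rules) nfs_rules ;;
    *)       if printf '%s\n' "$SAMPLE_RPCINFO" | unpinned_ports; then
                 echo "all RPC ports are in the allowed set"
             else
                 echo "the registrations above are outside the allowed set"
             fi ;;
esac
```

Run it with --live after starting nfs-server; anything it lists is a service that will not match the firewall's fixed-port rules and needs pinning in the corresponding daemon's options (or the lockd sysctls) before the rules can be tightened again.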
