NFS and Firewalls

From: Timothy Arnold (tim@ngfl.gov.uk)
Date: Tue Jan 27 2004 - 06:35:13 EST


Hi Sunmanagers,

I have an interesting problem with NFS and Cisco PIX firewalls. At the
moment we have SunScreen firewalls and are using NFS with virtual IP
addresses in a VCS cluster. With the PIX it appears to have a few
issues.

The PIX does look at RPC traffic, but it appears RPC on the NFS server
replies using its 'real' IP address. Here is the snoop:

#
# Mountd
#
  16 0.00114 claude.ngfl.gov.uk -> william.ngfl.gov.uk PORTMAP C
GETPORT prog=100005 (MOUNT) vers=3 proto=UDP
  17 0.00228 david.ngfl.gov.uk -> claude.ngfl.gov.uk PORTMAP R GETPORT
port=65287
  18 0.00009 claude.ngfl.gov.uk -> william.ngfl.gov.uk MOUNT3 C Null
  19 0.00187 david.ngfl.gov.uk -> claude.ngfl.gov.uk MOUNT3 R Null
  20 0.00030 claude.ngfl.gov.uk -> william.ngfl.gov.uk MOUNT3 C Mount
/cluster/export/live
  21 0.00747 david.ngfl.gov.uk -> claude.ngfl.gov.uk MOUNT3 R Mount OK
FH=B66B Auth=unix
  22 0.00100 claude.ngfl.gov.uk -> william.ngfl.gov.uk PORTMAP C
GETPORT prog=100003 (NFS) vers=3 proto=TCP
  23 0.00168 david.ngfl.gov.uk -> claude.ngfl.gov.uk PORTMAP R GETPORT
port=2049

During the initial mountd/rpc stage the client connects to 'william',
the virtual IP address, but the server replies with 'david', the actual
machine interface. During the TCP NFS stage, it uses the correct IP
addresses.

#
# NFS/TCP Traffic on 2049
#
  24 0.00064 claude.ngfl.gov.uk -> william.ngfl.gov.uk TCP D=2049
S=32830 Syn Seq=2708332574 Len=0 Win=49640 Options=<mss
1460,nop,nop,sackOK>
  25 0.00080 william.ngfl.gov.uk -> claude.ngfl.gov.uk TCP D=32830
S=2049 Syn Ack=2708332575 Seq=2863379963 Len=0 Win=24820
Options=<nop,nop,sackOK,mss 1460>
  26 0.00001 claude.ngfl.gov.uk -> william.ngfl.gov.uk TCP D=2049
S=32830 Ack=2863379964 Seq=2708332575 Len=0 Win=49640
  27 0.00014 claude.ngfl.gov.uk -> william.ngfl.gov.uk NFS C NULL3
  28 0.00052 william.ngfl.gov.uk -> claude.ngfl.gov.uk TCP D=32830
S=2049 Ack=2708332691 Seq=2863379964 Len=0 Win=24704
  29 0.00237 william.ngfl.gov.uk -> claude.ngfl.gov.uk NFS R NULL3

As the server replies on its own interface, this confuses the PIX
firewall and it doesn't allow the random port from portmapper through. Is
there any way to solve this, or what is the recommended way to get it
working through the firewall? Two ideas I have are:

1. Force RPC to reply on virtual interface. Any ideas?

2. Force MOUNTD to use specific port. Again, any ideas?

I would appreciate any assistance.

Thanks
Tim.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
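The address asymmetry in the trace above can be checked mechanically. The following is an added example, not part of the post or of any Sun or Cisco tool: it parses constructed snoop-style lines (the wrapped lines of the trace joined), pairs each RPC call with the next reply of the same protocol, and reports replies whose source is not the address the call was sent to, which is exactly the case a stateful firewall's RPC inspection cannot match.

```python
import re
from typing import NamedTuple

# Constructed sample in the style of the snoop output quoted above
# (wrapped continuation lines joined); not the original capture.
SNOOP = """\
16 0.00114 claude.ngfl.gov.uk -> william.ngfl.gov.uk PORTMAP C GETPORT prog=100005 (MOUNT) vers=3 proto=UDP
17 0.00228 david.ngfl.gov.uk -> claude.ngfl.gov.uk PORTMAP R GETPORT port=65287
18 0.00009 claude.ngfl.gov.uk -> william.ngfl.gov.uk MOUNT3 C Null
19 0.00187 david.ngfl.gov.uk -> claude.ngfl.gov.uk MOUNT3 R Null
20 0.00030 claude.ngfl.gov.uk -> william.ngfl.gov.uk MOUNT3 C Mount /cluster/export/live
21 0.00747 david.ngfl.gov.uk -> claude.ngfl.gov.uk MOUNT3 R Mount OK FH=B66B Auth=unix
22 0.00100 claude.ngfl.gov.uk -> william.ngfl.gov.uk PORTMAP C GETPORT prog=100003 (NFS) vers=3 proto=TCP
23 0.00168 david.ngfl.gov.uk -> claude.ngfl.gov.uk PORTMAP R GETPORT port=2049
27 0.00014 claude.ngfl.gov.uk -> william.ngfl.gov.uk NFS C NULL3
29 0.00237 william.ngfl.gov.uk -> claude.ngfl.gov.uk NFS R NULL3
"""

# frame, delta, src -> dst, protocol, C (call) or R (reply), remainder
LINE = re.compile(r"^\s*(\d+)\s+\S+\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+([CR])\s+(.*)$")

class Frame(NamedTuple):
    num: int
    src: str
    dst: str
    proto: str
    kind: str    # 'C' for call, 'R' for reply
    detail: str

def parse_snoop(text):
    """Turn snoop summary lines into Frame records; unmatched lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3),
                                m.group(4), m.group(5), m.group(6)))
    return frames

def find_asymmetric_replies(frames):
    """Pair each call with the next reply of the same protocol and return
    (call_frame, reply_frame, call_dst, reply_src) where the reply did not
    come from the address the call was sent to."""
    pending, findings = {}, []
    for f in frames:
        if f.kind == "C":
            pending[f.proto] = f
        elif f.kind == "R" and f.proto in pending:
            call = pending.pop(f.proto)
            if f.src != call.dst:
                findings.append((call.num, f.num, call.dst, f.src))
    return findings

if __name__ == "__main__":
    for c, r, sent_to, came_from in find_asymmetric_replies(parse_snoop(SNOOP)):
        print(f"frames {c}/{r}: call sent to {sent_to}, reply came from {came_from}")
```

Run against a real snoop capture (with wrapped lines joined) it flags only the UDP portmap and mountd exchanges; the NFS/TCP pair on 2049 passes because the reply comes from the virtual address.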



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:27:54 EDT