Package: mount
Followup-For: Bug #414160

I have an NFS and firewall rule setup similar to the one documented at http://wiki.debian.org/?SecuringNFS. My NFS filesystem-related services are grouped together in a range of fixed ports. This allowed for a simple and stable set of shorewall rules:

ACCEPT fw loc udp 111
ACCEPT fw loc tcp 111
ACCEPT fw loc udp 2049
ACCEPT fw loc udp 32765:32769

I just tried adding a new mount today, and it failed. The local machine's and the NFS server machine's shorewall rules said that requests for tcp 2049 were being rejected. I get six of these records seconds apart, then a long pause, then six records again. I gave up waiting and forced mount to quit after a few minutes.

Jun 14 16:09:33 gecko kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65338 DF PROTO=TCP SPT=718 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0

If I change the local shorewall rules to allow tcp 2049, then the NFS server shows a reject on that rule and the client machine moves on, getting blocked locally for tcp requests to port 32767.

Jun 14 16:22:17 localhost kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:07:e9:32:11:2f:00:01:02:6c:67:d5:08:00 SRC=192.168.0.1 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55256 DF PROTO=TCP SPT=708 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 16:22:17 gecko kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24445 DF PROTO=TCP SPT=711 DPT=32767 WINDOW=5840 RES=0x00 SYN URGP=0

If I add a shorewall rule to allow the 32765:32769 range via tcp on the local machine, then the NFS server blocks a request for tcp 2049, a request for tcp 32767, and then many requests for tcp 2049. After a bit, the local machine says:

mount: vegas.gecko:/var/www/download.geckosoftware.com/html/installers: can't read superblock

Jun 14 16:27:15 gecko kernel: nfs: server vegas.gecko not responding, timed out

The same thing happens if I then unblock tcp 2049 on the NFS server, or if I put udp into my mount option in /etc/fstab, because it's still trying tcp for 32767 (mountd on my setup). At the moment I'm fine with using tcp.
I think the switch to tcp should be documented, and it seems that if I request an NFS RPC connect via udp, the mountd request should also be via udp. I think that if you don't specify udp or tcp for the mount options, and it's going to try tcp, it should then try udp when it fails so that it would fall back gracefully if the server doesn't support tcp. (Maybe it does that, and it's not trying because my rpc is advertising both tcp and udp.)

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages mount depends on:
ii  libblkid  1.39+1.40-WIP-2006.11.14+dfsg-2  block device id library
ii  libc6     2.3.6.ds1-13                      GNU C Library: Shared libraries
ii  libuuid1  1.39+1.40-WIP-2006.11.14+dfsg-2  universally unique id library

mount recommends no packages.

-- no debconf information

-- Jacob
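Added example, not part of Jacob's report or of the mount package: a small triage script that reads Shorewall kernel-log REJECT lines like the three quoted above, works out which zone pair each rejected packet belongs to from the IN=/OUT= fields (assuming, as in the report, a single-NIC host where the local host is the fw zone and the LAN behind eth0 is the loc zone), and prints the narrowest ACCEPT lines, in the same rules-file format the report uses, that would have let those specific SYNs through. The three log lines are copied from the report and embedded as constructed sample input; the function and variable names are the example's own.

```python
import re
from collections import OrderedDict

# Constructed sample input: the three Shorewall REJECT lines quoted in the report.
SAMPLE_LOG = """\
Jun 14 16:09:33 gecko kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65338 DF PROTO=TCP SPT=718 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 16:22:17 localhost kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:07:e9:32:11:2f:00:01:02:6c:67:d5:08:00 SRC=192.168.0.1 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=55256 DF PROTO=TCP SPT=708 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 16:22:17 gecko kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24445 DF PROTO=TCP SPT=711 DPT=32767 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Shorewall log prefix is "Shorewall:<chain>:<action>:" followed by netfilter's key=value fields.
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<fields>.*)$")


def parse_shorewall_line(line):
    """Return a dict of fields for one Shorewall kernel log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # "IN=" yields an empty string, which matters below
            rec[key] = val
        else:
            rec["flags"].append(tok)       # bare tokens such as DF, SYN
    return rec


def zone_pair(rec):
    """Map IN=/OUT= to a Shorewall zone pair (assumption: single NIC, fw = this host, loc = LAN)."""
    if rec.get("IN") == "" and rec.get("OUT"):
        return "fw loc"   # generated locally, leaving via eth0: the client-side rejects
    if rec.get("IN") and rec.get("OUT") == "":
        return "loc fw"   # arrived on eth0 for this host: the server-side reject
    return "loc loc"      # forwarded traffic; not expected on either host in the report


def rejected_services(log_text):
    """Count distinct (zone pair, proto, dport) triples seen in REJECT lines, in first-seen order."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec is None or rec["action"] != "REJECT" or "DPT" not in rec:
            continue
        key = (zone_pair(rec), rec["PROTO"].lower(), int(rec["DPT"]))
        seen[key] = seen.get(key, 0) + 1
    return seen


def suggest_rules(log_text):
    """Emit the narrowest ACCEPT lines, in the report's rules-file format, that cover the rejects."""
    return ["ACCEPT %s %s %d" % (zones, proto, port)
            for (zones, proto, port) in rejected_services(log_text)]


if __name__ == "__main__":
    for key, count in rejected_services(SAMPLE_LOG).items():
        print("%-7s %s %5d  rejected %d time(s)" % key + (count,) if False else
              "%s %s %d  rejected %d time(s)" % (key + (count,)))
    print("\n".join(suggest_rules(SAMPLE_LOG)))
```

Run on the sample it prints "ACCEPT fw loc tcp 2049", "ACCEPT loc fw tcp 2049" and "ACCEPT fw loc tcp 32767", which is exactly the sequence of rules Jacob had to add by hand, one reject at a time. The point of the script is to see, from the logs alone, that the client is trying tcp for both nfs (2049) and mountd (32767) even though only udp was allowed; it is a triage aid, not a policy generator: a port the firewall rejected is not automatically one that should be opened, and fixed-port setups like the one in the report are better served by a deliberate range rule (tcp 32765:32769) than by opening whichever port the last failed mount happened to hit.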