> > jeez, guys, it was only up for about 5 minutes -- I'm not THAT stupid (though
> > I can be pretty dumb if left to my own devices)
>
> Sometimes that's all it takes.

ok, point taken.

> > rpcinfo uses portmap. portmap is a daemon to help handle a bunch of rpc
> (remote procedure calls) in glibc.

got it, thanks.

> set up. Also, portmap will expose your mount and umount commands in the
> clear over the internet-- this may or may not be an issue. People can
> learn that you have an nfs server at work and may try to attack it.
> Assuming your /etc/exports, /etc/hosts.allow, /etc/hosts.deny, sshd and
> firewall rules are all set up properly, this won't be an issue. This is a
> lot to take into consideration though-- which is one reason why NFS is
> notorious for its security. It can be made quite secure, but getting it
> there takes patience and a lot of attention to detail.

hmm. how would you recommend that hosts.allow and hosts.deny be set up? And the firewall -- do I mostly want to let through only web traffic, mail traffic, and ssh?

> > The home router isn't a problem-- this is why nfs over ssh is a nice
> > alternative to IPsec or afs-- ssh works fine with NAT.

... as I now understand, because finally, my setup is WORKING!!! thanks Jamie!

> First off, is 128.100.34.9 the server's ip address that ssh is listening
> on? In other words, it needs to be the *actual* ip address of the
> server (eg, what you use ssh to), not the company gateway machine or
> similar. Often this is a non-routable address like 192.168.x.x or
> 10.x.x.x. Because you listed a routable address, I just wanted to make
> sure you were using the right one.

in fact it is a routable address. What would I have to do if it weren't a routable address? I ask because it might (possibly) be convenient for me to do the nfs mount in the other direction too, and my home computer is (as I said) behind a router.

> > > 2) edit nfs init script
> > ...er... that didn't go so well! it was easy to get nfs to
> >
> Don't bother with this at first. Just get ssh and nfs working.
> Basically, you can selectively kill any ssh pids that are dealing with
> your nfs connection, but not have to kill the whole sshd server each
> time-- that was in the article only as a convenience. NFS *must* be
> started before ssh, and nfs-user-server sometimes gets confused when
> things aren't quite right. Try this after a failed mount attempt:
>
> kill <pids of ssh that are used with nfs (see with 'ps auxww')>
> /etc/init.d/nfs-user-server stop
> /etc/init.d/nfs-common stop
> /etc/init.d/portmap stop
> /etc/init.d/portmap start
> /etc/init.d/nfs-common start
> /etc/init.d/nfs-user-server start

hmmm... would it also make sense to edit the scripts in rcX.d so that the Sxxnfs-user-server scripts have lower numbers than the Syysshd scripts?

> > Restarting the nfs server in this way makes sure you have a clean slate.
> This should be all you need to do-- and you shouldn't have to resort to
> remotely restarting ssh.

good, since I find the latter frightening

> > 3. setup iptables (in my case using ipmasq)
> >
> But this isn't really needed in your situation because you said
> you already have ssh connectivity to your server from home. This is
> *all* that is required. If you couldn't ssh to your work machine, then
> that would be different. You should be able to get away with not
> allowing in portmap, if you specify all the options needed to mount (in
> other words, mount doesn't need to query portmap). However, you may
> find that allowing your client access to tcp port 111 is easier (in this
> case, you will need to figure out a way to update the firewall-- a
> script every five minutes would not be bad).
>

i think I understand that

> > For now I just entered my current IP, which works fine.
> >
> > CLIENT CONFIGURATION
> >
> > 3. mount the nfs volume... ... this always fails catastrophically.
> > In particular, I never seem to be able to open up the requisite ports
>
> What mount command are you specifying?
> As far as the router, the client
> is making direct connections to the server over the ssh port, and the
> server is responding, shouldn't need to forward anything. You may find
> port forwarding tcp port 111 to your home machine is worthwhile. Your
> home machine should have portmap controlled in /etc/hosts.allow|deny and
> also with iptables/ipchains to only allow access from the server. I
> assume that you have nfs-common and portmap installed and running at
> home and have the necessary utilities to mount nfs volumes?

the problem was, I think, that I initially didn't have iptables set up right. Now I do, and everything works great! thanks!!!

> > Good luck.
> > Jamie
> >
> PS-- having said all of this, you might try a VPN solution. I use vtund
> and mount nfs volumes from remote laptops without issue. This way you
> set up the nfs server in the usual way, have your client VPN into the
> network, and you have access. Of course, this may be too much access
> from home-- just a thought.

VPN looks really neat, and I guess it would make it easier e.g. to export x sessions from one machine to another // wouldn't it? *right now it seems like I can't get the xserver on my work machine to export a window to a client session on my home machine -- vpn should make that easier, by specifying a local, network IP -- right? but for now, I don't think I have time to set up the VPN -- thanks for your help on this!

matt
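As an added example (not from Jamie's or matt's messages): a small POSIX sh script that carries out the clean-restart sequence quoted in the thread, with the "find the ssh pids used with nfs" step done by matching a `ps auxww` listing instead of reading it by eye. It assumes the nfs tunnel is an ssh client process whose -L forward ends on port 2049 (the standard nfsd port); the init script names and order are the ones from the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread: automates the clean-restart
# sequence from the quoted reply. Assumption: the nfs tunnel is an ssh process
# whose -L forward targets port 2049 on the remote side (standard nfsd port).
NFS_PORT=2049

# Print the pids of ssh client processes whose forward ends in ":$NFS_PORT".
# Reads a `ps auxww` listing on stdin (field 2 = PID, field 11 = command), so
# it can be run on a saved listing as well as a live one. sshd itself never
# matches, so the daemon is left alone, as the thread recommends.
nfs_ssh_pids() {
    awk -v port="$NFS_PORT" '
        $11 ~ /(^|\/)ssh$/ && $0 ~ (":" port "( |$)") { print $2 }'
}

# Stop the nfs stack top-down and start it bottom-up, in the order given in
# the thread, so portmap is up again before nfs-common and nfsd re-register.
restart_nfs_stack() {
    for svc in nfs-user-server nfs-common portmap; do
        /etc/init.d/$svc stop
    done
    for svc in portmap nfs-common nfs-user-server; do
        /etc/init.d/$svc start
    done
}

# Only touches the live system when invoked as: sh nfs-reset.sh --run
if [ "${1:-}" = "--run" ]; then
    pids=$(ps auxww | nfs_ssh_pids)
    [ -n "$pids" ] && kill $pids     # kill only the nfs tunnels, not sshd
    restart_nfs_stack
fi
```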