Thread: Firewall setup question - OSE 11.2

  1. #1

    Firewall setup question - OSE 11.2

    I have a small home-office network. On that network I have two Linux computers, one is a client, the other a server.

    On the server I have NFS Server set up and mount some NFS exports on the client computer.

    On the server I have the firewall on and here it becomes a little tricky.

    Since both the server and the client connect to the router the interface (eth1) is theoretically both an internal & external zone.

    The router is commercial grade and therefore has a good firewall on it which is also set up. Therefore the firewall on the server is really more of a backup than a necessity. But that's fine, and by having the server's firewall on, 'fail2ban' is able to work, which I like to have working, so I don't want to just turn off the server firewall even though I have good security from the router.

    However, when I turn on the server's firewall, the client computer cannot see the NFS server when scanning for servers -- done by clicking on "Choose" next to "NFS Server Hostname" when adding an NFS share in the NFS Client in YaST. Clearly something is being blocked even though I have both "NFS Client" and "NFS Server Service" allowed in the server firewall. The firewall config files for these are below.

    The Firewall configuration is pretty much "out of the box". That is I have the services I need opened up for the external zone, the other zones are left at their default which means the internal zone, although not used (i.e.: attached to any interface), is completely open.

    The perfect solution I guess would be to set up my client computer to connect through a different NIC (perhaps eth0), make that the "Internal Zone" and therefore allow all traffic through to it while still blocking the server from the external zone. However, I cannot make that physical change to my network for now, so I am looking for an in-between (non-perfect) solution.

    In this case I am guessing that means opening up extra NFS ports to the external zone so I have full NFS functionality. I don't mind this because like I said, the router firewall is the main line of defense anyway.

    So, given all of the above, could someone tell me what I would need to additionally open up in the server firewall to make the NFS server detection work on the client while the firewall is on? Or, if you have a cleverer/better solution without me changing my physical network, that would be great.

    Hopefully I have written this in enough detail and clearly enough so that all the parameters are clear but if not, feel free to ask me what you like and I'll try to make it clear.

    Code:
    ## Description: Firewall Configuration for NFS kernel server.
    #
    # Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
    # More may be supported in the future.
    #
    # For a more detailed description of the individual variables see
    # the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2
    #

    ## Name: NFS Server Service
    ## Description: Opens ports for NFS to allow other hosts to connect.

    # space separated list of allowed TCP ports
    TCP=""

    # space separated list of allowed UDP ports
    UDP=""

    # space separated list of allowed RPC services
    RPC="portmap status nlockmgr mountd nfs nfs_acl"

    # space separated list of allowed IP protocols
    IP=""

    # space separated list of allowed UDP broadcast ports
    BROADCAST=""

    Code:
    ## Description: Firewall Configuration for NFS client.
    #
    # Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
    # More may be supported in the future.
    #
    # For a more detailed description of the individual variables see
    # the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2
    #

    ## Name: NFS Client
    ## Description: Opens ports for NFS client to allow connection to an NFS server.

    # space separated list of allowed TCP ports
    TCP=""

    # space separated list of allowed UDP ports
    UDP=""

    # space separated list of allowed RPC services
    RPC="portmap status nlockmgr"

    # space separated list of allowed IP protocols
    IP=""

    # space separated list of allowed UDP broadcast ports
    BROADCAST=""

  2. #2

    Re: Firewall setup question - OSE 11.2

    Now it's gotten a little weird!

    I couldn't "port scan" the server from the client using "port scan" in the networking tools, so through further looking I found where I could set custom rules in the firewall, and set "allow rules" as follows:

    Code:
    Source Network   Protocol   Dest. Port   Src. Port
    192.168.1.111         TCP      1:65535     1:65535
    192.168.1.111         UDP      1:65535     1:65535
    192.168.1.111         RPC      1:65535     1:65535
    Effectively making the firewall transparent to my client computer only -- a very good solution. Then I retried the port scan from my client computer and sure enough it could scan and see the open ports on the server now.

    However, the NFS client still cannot see the NFS server when scanning for them unless I turn the firewall off. I thought I opened up every protocol and every port there is on my server's firewall for my client computer so what's left?

  3. #3

    Re: Firewall setup question - OSE 11.2

    I'm not sure what it all means, but the output below should probably tell the story for someone who knows Linux networking better than me. I did "netstat -anp" on the client computer into three files, where:

    dump1 - was without NFS client running
    dump2 - was with NFS client trying to locate NFS servers while the server firewall was on (failed)
    dump3 - was with NFS client trying to locate NFS servers while the server firewall was off (succeeded)

    You can see the difference between 1 & 2, and between 2 & 3 below:

    Code:
    quark: # netstat -anp >>dump1
    quark: # netstat -anp >>dump2
    quark: # diff dump1 dump2
    quark: # diff -y --suppress-common-lines dump1 dump2
    							      >	udp        0      0 0.0.0.0:37623           0.0.0.0:*        
    							      >	udp        0      0 :::56995                :::*             
    quark: # netstat -anp >>dump3
    quark: # diff -y --suppress-common-lines dump2 dump3
    							      >	tcp        0      0 192.168.17.111:34264    74.125.19.148:80 
    							      >	tcp        0      0 192.168.17.111:58345    74.125.19.113:80 
    							      >	tcp        0      0 192.168.17.111:38383    74.125.19.147:80 
    							      >	tcp        0      0 192.168.17.111:34267    74.125.19.148:80 
    							      >	tcp        0      0 192.168.17.111:37138    173.222.53.166:80
    							      >	tcp        0      0 192.168.17.111:39416    74.125.19.99:80  
    							      >	udp        0      0 0.0.0.0:35015           0.0.0.0:*        
    udp        0      0 0.0.0.0:37623           0.0.0.0:*         <
    udp        0      0 :::56995                :::*              <
    							      >	udp        0      0 :::56037                :::*             
    unix  3      [ ]         STREAM     CONNECTED     1792463 125 |	unix  3      [ ]         STREAM     CONNECTED     1794382 125
    unix  3      [ ]         STREAM     CONNECTED     1792462 324 |	unix  3      [ ]         STREAM     CONNECTED     1794381 325
    unix  3      [ ]         STREAM     CONNECTED     1792369 125 |	unix  3      [ ]         STREAM     CONNECTED     1794290 125
    unix  3      [ ]         STREAM     CONNECTED     1792367 324 |	unix  3      [ ]         STREAM     CONNECTED     1794289 325
    							      >	unix  3      [ ]         STREAM     CONNECTED     1792912 128
    							      >	unix  3      [ ]         STREAM     CONNECTED     1792911 129
    unix  3      [ ]         STREAM     CONNECTED     1787988 128 <
    unix  3      [ ]         STREAM     CONNECTED     1787987 129 <

  4. #4

    Re: Firewall setup question - OSE 11.2

    I use about the same config. What happens if you simply enter the IP of the server, then try to pick an NFS exported folder from the list? Works fine here.
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    https://en.opensuse.org/openSUSE:Board#Members
    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  5. #5

    Re: Firewall setup question - OSE 11.2

    Well, I found the solution which is to go through:

    /etc/sysconfig/SuSEfirewall2

    which is "well commented" and probably has some options that don't show up in the user interface, and make intelligent changes. Unfortunately I'm not sure which of my changes fixed this, but I will refine my understanding and post the answer once I know -- I changed too many things the first time to know which was the solution, so I need to backtrack.

  6. #6

    Re: Firewall setup question - OSE 11.2

    Quote Originally Posted by Knurpht:
    I use about the same config. What happens if you simply enter the IP of the server, then try to pick an NFS exported folder from the list? Works fine here.

    It probably works, but I like things to work fully as they are supposed to. In fact, I think if I put the name of the server in for the client then it will work, but that's a workaround I'm, well... trying to work around (sorry, couldn't resist).

    Anyway, see above as I am almost there. That is I have it working and now just need to refine my understanding.

  7. #7

    Re: Firewall setup question - OSE 11.2

    Setting:

    FW_ALLOW_FW_BROADCAST_EXT="yes"

    was the key.
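    As an added example (not from this thread or the SuSEfirewall2 project), a small POSIX shell helper that reads the effective FW_ALLOW_FW_BROADCAST_* value from a SuSEfirewall2-style sysconfig file and reports whether a zone will accept a broadcast to the portmapper on UDP 111, which is assumed here to be the packet the NFS server discovery scan sends. The config fragment is constructed; the same variable also accepts a space-separated port list, which the helper classifies, so "111" alone is a narrower setting than "yes" when only discovery needs to get through.

```shell
# Added example, not the poster's config. Writes a constructed SuSEfirewall2-style
# fragment to the path given in $1 so the helpers below can be exercised offline.
make_sample_config() {
  cat > "$1" <<'EOF'
## Type: string
FW_DEV_EXT="eth1"
# the commented-out default must be ignored by the parser
# FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_EXT="yes"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="111 137"
EOF
}

# Effective value of a sysconfig variable: last uncommented assignment, quotes stripped.
sysconfig_value() {  # $1=file  $2=variable name
  grep "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//; s/^"//; s/"[[:space:]]*$//'
}

# Classify a zone's broadcast policy as all, none, or ports:<list>.
broadcast_policy() {  # $1=file  $2=zone (EXT, INT or DMZ)
  val=$(sysconfig_value "$1" "FW_ALLOW_FW_BROADCAST_$2")
  case "$val" in
    yes)    echo all ;;
    no|"")  echo none ;;
    *)      echo "ports:$val" ;;
  esac
}

# Return 0 if the zone accepts a broadcast to UDP 111 (portmapper), the port
# assumed here to carry the NFS server discovery request; 1 otherwise.
allows_rpc_broadcast() {  # $1=file  $2=zone
  policy=$(broadcast_policy "$1" "$2")
  case "$policy" in
    all) return 0 ;;
    ports:*)
      for port in ${policy#ports:}; do
        [ "$port" = 111 ] && return 0
      done
      return 1 ;;
    *) return 1 ;;
  esac
}
```

    Run it against the real /etc/sysconfig/SuSEfirewall2 to confirm which zones take the discovery broadcast before and after a change, rather than toggling the whole firewall.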
