Firewall setup question - OSE 11.2

I have a small home-office network. On that network I have two linux computers, one is a client the other a server.

On the server I have NFS Server setup and mount some NFS exports on the client computer.

On the server I have the firewall on and here it becomes a little tricky.

Since both the server and the client connect to the router the interface (eth1) is theoretically both an internal & external zone.

The router is commercial grade and therefore has a good firewall on it which is also set up. Therefore the firewall on the server is really more of a backup than a necessity. But that’s fine, and with the server’s firewall on, ‘fail2ban’ is able to work, which I like to have working, so I don’t want to just turn off the server firewall even though I have good security from the router.

However, when I turn on the server’s firewall, the client computer cannot see the NFS server when scanning for servers, which is done by clicking on “Choose” next to “NFS Server Hostname” when adding an NFS share in the NFS Client in YaST. Clearly something is being blocked even though I have both “NFS Client” and “NFS Server Service” allowed in the server firewall. The firewall config files for these are below.

The firewall configuration is pretty much “out of the box”. That is, I have the services I need opened up for the external zone; the other zones are left at their default, which means the internal zone, although not used (i.e. not attached to any interface), is completely open.

The perfect solution I guess would be to set up my client computer to connect through a different NIC (perhaps eth0), make that the “Internal Zone” and therefore allow all traffic through to it while still blocking the server from the external zone. However, I cannot make that physical change to my network for now, so I am looking for an in-between (non-perfect) solution.

In this case I am guessing that means opening up extra NFS ports to the external zone so I have full NFS functionality. I don’t mind this because like I said, the router firewall is the main line of defense anyway.

So, given all of the above, could someone tell me what I would need to additionally open up in the server firewall to make the NFS server detection work on the client while the firewall is on? Or, if you have a cleverer/better solution without me changing my physical network, that would be great.

Hopefully I have written this in enough detail and clearly enough so that all the parameters are clear but if not, feel free to ask me what you like and I’ll try to make it clear.


## Description: Firewall Configuration for NFS kernel server.
#                                                                     
# Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
# More may be supported in the future.
#                                                                     
# For a more detailed description of the individual variables see
# the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2  
#     

## Name: NFS Server Service
## Description: Opens ports for NFS to allow other hosts to connect.

# space separated list of allowed TCP ports
TCP=""

# space separated list of allowed UDP ports
UDP=""

# space separated list of allowed RPC services
RPC="portmap status nlockmgr mountd nfs nfs_acl"

# space separated list of allowed IP protocols
IP=""

# space separated list of allowed UDP broadcast ports
BROADCAST=""


## Description: Firewall Configuration for NFS client.
#
# Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
# More may be supported in the future.
#                
# For a more detailed description of the individual variables see
# the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2
#                

## Name: NFS Client
## Description: Opens ports for NFS client to allow connection to an NFS server.

# space separated list of allowed TCP ports
TCP=""

# space separated list of allowed UDP ports
UDP=""

# space separated list of allowed RPC services
RPC="portmap status nlockmgr"

# space separated list of allowed IP protocols
IP=""

# space separated list of allowed UDP broadcast ports
BROADCAST=""

Now it’s gotten a little weird!

I couldn’t “port scan” the server from the client using “port scan” in the networking tools, so through further looking I found where I could set custom rules in the firewall and set “allow rules” as follows:


Source Network   Protocol   Dest. Port   Src. Port
192.168.1.111         TCP      1:65535     1:65535
192.168.1.111         UDP      1:65535     1:65535
192.168.1.111         RPC      1:65535     1:65535

Effectively this makes the firewall transparent to my client computer only, a very good solution. Then I retried the port scan from my client computer and sure enough it could scan and see the open ports on the server now.

However, the NFS client still cannot see the NFS server when scanning for them unless I turn the firewall off. I thought I had opened up every protocol and every port there is on my server’s firewall for my client computer, so what’s left?

I’m not sure what it all means, but the output below should tell the story for someone who knows Linux networking better than me. I ran “netstat -anp” on the client computer into three files where:

dump1 - was without NFS client running
dump2 - was with NFS client trying to locate NFS servers while the server firewall was on (failed)
dump3 - was with NFS client trying to locate NFS servers while the server firewall was off (succeeded)

You can see the difference between 1 & 2, and between 2 & 3 below:


quark: # netstat -anp >>dump1
quark: # netstat -anp >>dump2
quark: # diff dump1 dump2
quark: # diff -y --suppress-common-lines dump1 dump2
							      >	udp        0      0 0.0.0.0:37623           0.0.0.0:*        
							      >	udp        0      0 :::56995                :::*             
quark: # netstat -anp >>dump3
quark: # diff -y --suppress-common-lines dump2 dump3
							      >	tcp        0      0 192.168.17.111:34264    74.125.19.148:80 
							      >	tcp        0      0 192.168.17.111:58345    74.125.19.113:80 
							      >	tcp        0      0 192.168.17.111:38383    74.125.19.147:80 
							      >	tcp        0      0 192.168.17.111:34267    74.125.19.148:80 
							      >	tcp        0      0 192.168.17.111:37138    173.222.53.166:80
							      >	tcp        0      0 192.168.17.111:39416    74.125.19.99:80  
							      >	udp        0      0 0.0.0.0:35015           0.0.0.0:*        
udp        0      0 0.0.0.0:37623           0.0.0.0:*         <
udp        0      0 :::56995                :::*              <
							      >	udp        0      0 :::56037                :::*             
unix  3       ]         STREAM     CONNECTED     1792463 125 |	unix  3       ]         STREAM     CONNECTED     1794382 125
unix  3       ]         STREAM     CONNECTED     1792462 324 |	unix  3       ]         STREAM     CONNECTED     1794381 325
unix  3       ]         STREAM     CONNECTED     1792369 125 |	unix  3       ]         STREAM     CONNECTED     1794290 125
unix  3       ]         STREAM     CONNECTED     1792367 324 |	unix  3       ]         STREAM     CONNECTED     1794289 325
							      >	unix  3       ]         STREAM     CONNECTED     1792912 128
							      >	unix  3       ]         STREAM     CONNECTED     1792911 129
unix  3       ]         STREAM     CONNECTED     1787988 128 <
unix  3       ]         STREAM     CONNECTED     1787987 129 <

I use about the same config. What happens if you simply enter the IP of the server, then try to pick an NFS exported folder from the list? Works fine here.

Well, I found the solution which is to go through:

/etc/sysconfig/SuSEfirewall2

which is “well commented” and probably has some options that don’t show up in the user interface, and make intelligent changes. Unfortunately I’m not sure which of my changes fixed this, but I will refine my understanding and post the answer once I know. I changed too many things the first time to know which was the solution, so I need to backtrack.

It probably works, but I like things to work fully as they are supposed to. In fact, I think if I put the name of the server in for the client then it will work, but that’s a workaround I’m, well… trying to work around (sorry, couldn’t resist).

Anyway, see above, as I am almost there. That is, I have it working and now just need to refine my understanding.

Setting:

FW_ALLOW_FW_BROADCAST_EXT="yes"

was the key.
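The thread ends with the key setting but not with a way to check for it. The script below is an added example, not code from the thread or from the SuSEfirewall2 project. It parses the sysconfig-style service definitions quoted above (`KEY="value"` lines, comments skipped) together with a constructed fragment of /etc/sysconfig/SuSEfirewall2 and reports what would still stop broadcast NFS server discovery in the external zone. It assumes that the YaST “Choose” scan is an RPC broadcast to the portmapper (UDP 111, as `rpcinfo -b` sends), that `FW_ALLOW_FW_BROADCAST_EXT` accepts `yes`, `no` or a space-separated list of UDP ports, and that the `FW_SERVICES_ACCEPT_EXT` line mirrors the per-host allow rules shown in the first post; the sysconfig fragments are hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample inputs. The service definition is the "NFS Server Service"
# file quoted in the thread; the sysconfig fragments are hypothetical excerpts
# of /etc/sysconfig/SuSEfirewall2 before and after the fix from the last post.
NFS_SERVER_SERVICE = """\
## Name: NFS Server Service
## Description: Opens ports for NFS to allow other hosts to connect.

# space separated list of allowed TCP ports
TCP=""
UDP=""
RPC="portmap status nlockmgr mountd nfs nfs_acl"
IP=""
BROADCAST=""
"""

SUSEFIREWALL2_BEFORE = """\
FW_DEV_EXT="eth1"
# per-host allow rules as set through the YaST custom rules dialog (assumed format)
FW_SERVICES_ACCEPT_EXT="192.168.1.111,tcp,1:65535 192.168.1.111,udp,1:65535"
FW_ALLOW_FW_BROADCAST_EXT="no"
"""

SUSEFIREWALL2_AFTER = SUSEFIREWALL2_BEFORE.replace(
    'FW_ALLOW_FW_BROADCAST_EXT="no"', 'FW_ALLOW_FW_BROADCAST_EXT="yes"')

# One assignment per line: KEY="value", KEY='value' or KEY=value, optional trailing comment.
_ASSIGN = re.compile(
    r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|\'([^\']*)\'|([^\s#]*))\s*(?:#.*)?$')


def parse_sysconfig(text: str) -> Dict[str, str]:
    """Return the KEY -> value pairs of a sysconfig-style file, ignoring comments."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            # exactly one of the three value groups matched; an empty "" is a valid value
            values[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return values


# Server discovery from the client is an RPC broadcast (as rpcinfo -b sends):
# a datagram to the subnet broadcast address on UDP 111, the portmapper port.
PORTMAP_UDP_PORT = 111


def broadcast_allowed(cfg: Dict[str, str], zone: str = "EXT",
                      port: int = PORTMAP_UDP_PORT) -> bool:
    """Does FW_ALLOW_FW_BROADCAST_<zone> admit a broadcast to the given UDP port?

    Assumed value forms: "yes" admits every broadcast UDP port, "no" (the
    default) admits none, anything else is a space-separated list of UDP ports.
    """
    value = cfg.get(f"FW_ALLOW_FW_BROADCAST_{zone}", "no").strip().lower()
    if value == "yes":
        return True
    if value in ("", "no"):
        return False
    return str(port) in value.split()


def audit_nfs_discovery(cfg: Dict[str, str], service_defs: List[str],
                        zone: str = "EXT") -> List[str]:
    """List the findings that would still block broadcast NFS discovery in the zone."""
    findings: List[str] = []
    rpc = set()
    for text in service_defs:
        rpc.update(parse_sysconfig(text).get("RPC", "").split())
    for needed in ("portmap", "mountd", "nfs"):
        if needed not in rpc:
            findings.append(f"RPC service {needed!r} is not opened by any service definition")
    if not broadcast_allowed(cfg, zone):
        findings.append(
            f"FW_ALLOW_FW_BROADCAST_{zone} does not admit broadcasts to UDP "
            f"{PORTMAP_UDP_PORT}; the per-host accept rules alone did not make "
            "discovery work in the thread")
    return findings


if __name__ == "__main__":
    for label, text in (("before", SUSEFIREWALL2_BEFORE), ("after", SUSEFIREWALL2_AFTER)):
        result = audit_nfs_discovery(parse_sysconfig(text), [NFS_SERVER_SERVICE])
        print(f"{label}: {result or 'broadcast discovery should be admitted'}")
```

Pointing `parse_sysconfig` at the real /etc/sysconfig/SuSEfirewall2 and the files under the services directory gives the same check on a live host; the value list form of `FW_ALLOW_FW_BROADCAST_EXT` is the narrower setting to prefer over `yes` once the needed port is known, since it admits only that broadcast port rather than all of them.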