I have a small home-office network. On that network I have two linux computers, one is a client the other a server.
On the server I have NFS Server setup and mount some NFS exports on the client computer.
On the server I have the firewall on and here it becomes a little tricky.
Since both the server and the client connect to the router the interface (eth1) is theoretically both an internal & external zone.
The router is commercial grade and therefore has a good firewall on it which is also setup. Therefore the firewall on the server is really more of a backup than a necessity. But that’s fine, and by having the server’s firewall on ‘fail2ban’ is able to work which I like to have working so I don’t want to just turn off the server firewall even though I have good security from the router.
However, when I turn on the server’s firewall, the client computer cannot see the NFS server when scanning for server – done by: clicking on “Choose” next to “NFS Server Hostname” when adding an NFS share in the NFS Client in YaST. Clearly something is being blocked even though I have both “NFS Client” and “NFS Server Service” allowed in the server firewall. The Firewall config. files for these are below.
The Firewall configuration is pretty much “out of the box”. That is I have the services I need opened up for the external zone, the other zones are left at their default which means the internal zone, although not used (i.e.: attached to any interface), is completely open.
The perfect solution I guess would be to setup my client computer to connect through a different NIC (perhaps eth0), make that the “Internal Zone” and therefore allow all traffic through to it while still blocking the server from the external zone. However, I cannot make that physical change to my network for now so I am looking for an in between (non-perfect) solution.
In this case I am guessing that means opening up extra NFS ports to the external zone so I have full NFS functionality. I don’t mind this because like I said, the router firewall is the main line of defense anyway.
So, given all of the above could someone tell me what I would need to additionally open up in the server firewall to make the NFS server detection work on the client while the firewall was on. Or, if you have a cleverer/better solution without me changing my physical network that would be great.
Hopefully I have written this in enough detail and clearly enough so that all the parameters are clear but if not, feel free to ask me what you like and I’ll try to make it clear.
## Description: Firewall Configuration for NFS kernel server.
#
# Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
# More may be supported in the future.
#
# For a more detailed description of the individual variables see
# the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2
#
## Name: NFS Server Service
## Description: Opens ports for NFS to allow other hosts to connect.
# space separated list of allowed TCP ports
TCP=""
# space separated list of allowed UDP ports
UDP=""
# space separated list of allowed RPC services
RPC="portmap status nlockmgr mountd nfs nfs_acl"
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""
## Description: Firewall Configuration for NFS client.
#
# Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
# More may be supported in the future.
#
# For a more detailed description of the individual variables see
# the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2
#
## Name: NFS
Client
## Description: Opens ports for NFS client to allow connection to an NFS server.
# space separated list of allowed TCP ports
TCP=""
# space separated list of allowed UDP ports
UDP=""
# space separated list of allowed RPC services
RPC="portmap status nlockmgr"
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""