NFS Magic and migraine headaches

Gentlefolks,

I just spent 3 days trying to get NFSv4 working and I finally found the problem (mine) but I find I did not understand how this particular thing worked. Allow me to elaborate:

I have 2 openSuSE 11.4-Tumbleweed X-86-64 machines. I wanted to share some directories on each with the other. Call 'em Juno and Zeus. The shares on Juno were readily recognized on Zeus but the shares on Zeus were NOT recognized on Juno. I went bit for bit comparing everything I could see until I found, on Zeus, under Yast2->Users and Security->Firewall->Allowed Services screen a teeny, little box labeled “Protect Firewall From Internal Zone” which was checked. I unchecked it and all manner of wonderful things happened, namely, I could mount the Zeus shares on Juno. The interfaces are wireless LANs. Both are in the “External” zone.

So while I am happy that it is working, I am confused as to why since I have NOTHING in the “Internal” zone.

I am curious as to what happened and when is it appropriate to check the little box. I am an egg…

Thanks in advance…

On 2011-10-17 23:16, divinsal wrote:

> could see until I found, on Zeus, under Yast2->Users and
> Security->Firewall->Allowed Services screen a teeny, little box labeled
> “Protect Firewall From Internal Zone” which was checked.

Which is a good thing to have enabled.

> I unchecked it
> and all manner of wonderful things happened, namely, I could mount the
> Zeus shares on Juno. The interfaces are wireless LANs. Both are in the
> “External” zone.
>
> So while I am happy that it is working, I am confused as to why since I
> have NOTHING in the “Internal” zone.

You probably have the wi-fi defined as internal zone.

> I am curious as to what happened and when is it appropriate to check
> the little box. I am an egg…

Without it, your firewall does not protect you, because it assumes the
internal network is safe. The typical naive assumption is to suppose the
internal network is safe, but it's better not to assume such a thing -
especially where a Wi-Fi is involved.

If you define the Wi-Fi as internal, then leave protect for internal on. Or
even better, define it as external.

However, NFS over a firewall is not that trivial.

This is what I use:

FW_CONFIGURATIONS_EXT="nfs-client nfs-kernel-server"
FW_SERVICES_ACCEPT_EXT="192.168.1.0/24,rpc,nfs"


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
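
A way to check the zone question raised in this thread from the command line, as an added example that is not part of either post: the function reads a SuSEfirewall2 sysconfig file and reports which zone an interface falls in, whether "Protect Firewall From Internal Zone" is on, and whether the NFS server is opened in that zone. The variables FW_DEV_EXT/FW_DEV_INT/FW_DEV_DMZ, FW_PROTECT_FROM_INT, FW_CONFIGURATIONS_INT/DMZ and the "any" keyword come from /etc/sysconfig/SuSEfirewall2, not from the thread; the interface name wlan0 and the sample file are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a SuSEfirewall2 sysconfig file and
# reports the zone of one interface plus the two settings discussed above.

# fw_zone_report CONFIG IFACE   (CONFIG must be a path containing a slash)
# prints: zone=<ext|int|dmz|unassigned> protect_from_int=<yes|no> nfs_server=<yes|no|n/a>
fw_zone_report() (
    cfg=$1 iface=$2
    FW_DEV_EXT='' FW_DEV_INT='' FW_DEV_DMZ='' FW_PROTECT_FROM_INT=''
    FW_CONFIGURATIONS_EXT='' FW_CONFIGURATIONS_INT='' FW_CONFIGURATIONS_DMZ=''
    . "$cfg" || exit 2          # sysconfig files are plain shell assignments

    zone=unassigned
    # Pass 1: interface listed by name. Pass 2: the "any" catch-all keyword.
    for want in "$iface" any; do
        for z in EXT INT DMZ; do
            eval "devs=\$FW_DEV_$z"
            for d in $devs; do
                if [ "$zone" = unassigned ] && [ "$d" = "$want" ]; then zone=$z; fi
            done
        done
    done

    # Is the NFS server service opened in the zone the interface landed in?
    nfs=n/a
    if [ "$zone" != unassigned ]; then
        nfs=no
        eval "confs=\$FW_CONFIGURATIONS_$zone"
        for c in $confs; do
            if [ "$c" = nfs-kernel-server ]; then nfs=yes; fi
        done
    fi

    protect=no
    if [ "$FW_PROTECT_FROM_INT" = yes ]; then protect=yes; fi
    echo "zone=$(echo "$zone" | tr 'A-Z' 'a-z') protect_from_int=$protect nfs_server=$nfs"
)

# Constructed sample modelled on the thread: wi-fi external, NFS opened there.
sample=$(mktemp)
cat > "$sample" <<'EOF'
FW_DEV_EXT="wlan0"
FW_DEV_INT=""
FW_PROTECT_FROM_INT="yes"
FW_CONFIGURATIONS_EXT="nfs-client nfs-kernel-server"
FW_SERVICES_ACCEPT_EXT="192.168.1.0/24,rpc,nfs"
EOF
fw_zone_report "$sample" wlan0
rm -f "$sample"
```

A result of zone=int together with nfs_server=no and protect_from_int=yes describes an interface whose NFS traffic is filtered even though the service was opened for the external zone.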