Re: [fw-wiz] Configuring firewall with nfs - problem!

From: Luca Berra (bluca_at_comedia.it)
Date: 05/20/03

  • Next message: Roy Culley: "[fw-wiz] Sunscreen EFS 3.1 stealth mode and NAT"
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 20 May 2003 09:42:29 +0200
    

    On Mon, May 19, 2003 at 02:12:46PM +0200, Johan Glimming wrote:
    >Dear All,
    >
    >I have a problem with my Redhat 9 installation. I am trying to enable NFS
    >but the respective ports are rejected. This is the contents of my
    >/etc/sysconfig/iptables, i.e. the firewall rules:

    :(

    let's see...
    >
    ># Enable NFS, Webb, FTP, SSH for sputnik
    >*filter
    >:INPUT ACCEPT [0:0]
    >:FORWARD ACCEPT [0:0]
    >:OUTPUT ACCEPT [0:0]
    >:RH-Lokkit-0-50-INPUT - [0:0]
    >-A INPUT -j RH-Lokkit-0-50-INPUT
    this rule says in input chain JUMP to 'RH-Lokkit-0-50-INPUT'
    >-A FORWARD -j RH-Lokkit-0-50-INPUT
    >
    ># NFS rules
    >-A INPUT -f -j ACCEPT -s 192.168.0.5
    <snip>
    ># Other rules
    ->>>>>> it JUMPS HERE <<<<<<<-
    <snip>
    >-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
    rejects tcp packets
    >-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
    rejects udp packets
    >COMMIT
    now if there is still something left to process (not tcp[start of
    connection] or udp) it goes BACK to your NFS rule, but nfs has already
    been dropped.

    Please read the iptables howto at
    http://netfilter.samba.org/documentation/HOWTO/
    it is very much educative.

    Also the firewall rules generated by lokkit on rh do suck, ditch 'em and
    rewrite.

    L.

    -- 
    Luca Berra -- bluca@comedia.it
            Communication Media & Services S.r.l.
     /"\
     \ /     ASCII RIBBON CAMPAIGN
      X        AGAINST HTML MAIL
     / \
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
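Luca's point is about traversal order: the INPUT chain jumps into RH-Lokkit-0-50-INPUT before the NFS rule is ever consulted, the lokkit chain rejects every UDP datagram and every TCP SYN, and only packets that match neither return to INPUT. The script below is an added example (not from the thread or from Red Hat's lokkit) that parses the quoted ruleset in iptables-restore syntax and replays a constructed NFS request through a toy first-match simulator, printing which rule decided the verdict. It models only the matches the quoted rules use (-p, -s, -f, --syn, --dport); the "rewritten" ruleset with an explicit `--dport 2049` accept placed above the jump is an assumption of mine, and 2049 is the standard NFS port. One caveat it also makes visible: `-f` matches second and later IP fragments only, so the original `-A INPUT -f -j ACCEPT -s 192.168.0.5` would not pass a whole datagram even if it came first.

```python
"""Toy simulator of netfilter chain traversal: first match wins, and a
user-defined chain that runs out of rules returns to the calling chain.
Added example, not part of the original thread."""
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: Optional[str] = None
    src: Optional[str] = None
    dport: Optional[int] = None
    syn: bool = False    # --syn: TCP packets with only SYN set
    frag: bool = False   # -f: second and later IP fragments only


@dataclass
class Packet:
    src: str
    proto: str
    dport: int = 0
    syn: bool = False
    frag: bool = False


def parse_ruleset(text):
    """Parse iptables-save/-restore syntax into {chain: (policy, [Rule])}."""
    chains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                 # :NAME POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            chains[name] = (None if policy == "-" else policy, [])
            continue
        tok = line.split()
        if tok[0] != "-A":
            raise ValueError(f"unsupported line: {line}")
        rule, i = Rule(chain=tok[1]), 2
        while i < len(tok):
            t = tok[i]
            if t == "-j":
                rule.target = tok[i + 1]; i += 2
            elif t == "-p":
                rule.proto = tok[i + 1]; i += 2
            elif t == "-s":
                rule.src = tok[i + 1]; i += 2
            elif t == "-m":
                i += 2                           # match module name only
            elif t == "--dport":
                rule.dport = int(tok[i + 1]); i += 2
            elif t == "--syn":
                rule.syn = True; i += 1
            elif t == "-f":
                rule.frag = True; i += 1
            else:
                raise ValueError(f"unsupported option {t!r} in: {line}")
        chains[rule.chain][1].append(rule)
    return chains


def matches(rule, pkt):
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or rule.src == pkt.src)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.syn or (pkt.proto == "tcp" and pkt.syn))
            and (not rule.frag or pkt.frag))


def walk(chains, name, pkt, trace):
    """Return a terminal verdict, or None when a user chain falls off its end."""
    policy, rules = chains[name]
    for n, rule in enumerate(rules, 1):
        if not matches(rule, pkt):
            continue
        trace.append(f"{name} rule {n} matched -> {rule.target}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            break
        sub = walk(chains, rule.target, pkt, trace)   # jump into a user chain
        if sub is not None:
            return sub
        trace.append(f"back in {name} after rule {n}")
    if policy is not None:
        trace.append(f"{name} policy -> {policy}")
    return policy


def simulate(ruleset, pkt, chain="INPUT"):
    trace = []
    return walk(parse_ruleset(ruleset), chain, pkt, trace), trace


# The quoted Red Hat 9 / lokkit ruleset, reduced to the lines that decide NFS.
LOKKIT_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A INPUT -f -j ACCEPT -s 192.168.0.5
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
"""

# Assumed rewrite (not from the thread): an explicit NFS accept placed before
# the jump, matching whole datagrams rather than only trailing fragments.
REWRITTEN_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -s 192.168.0.5 -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
"""

NFS_REQUEST = Packet(src="192.168.0.5", proto="udp", dport=2049)  # constructed

if __name__ == "__main__":
    for label, rules in (("lokkit order", LOKKIT_RULES), ("rewritten", REWRITTEN_RULES)):
        verdict, trace = simulate(rules, NFS_REQUEST)
        print(f"{label}: {verdict}")
        for step in trace:
            print("   ", step)
```

Running it shows the lokkit order rejecting the datagram inside RH-Lokkit-0-50-INPUT at its second rule, with the INPUT NFS rule never reached, whereas an ICMP packet (neither UDP nor a TCP SYN) falls off the end of the lokkit chain and comes "back" to INPUT exactly as Luca describes.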
    