Re: [fw-wiz] NFS and Cisco

From: Roelof JT Jonkman (rjt_at_pobox.com)
Date: 11/22/05

    To: hermit <hermit921@yahoo.com>
    Date: Mon, 21 Nov 2005 18:15:49 -0800
    
    

    Hermit,

    Without knowing too many details, two things stand out in your note: fragments
    and drops.

    That seems to suggest that there are two things happening in your network:

    - Mismatched MTUs at various places. Do you have gigabit, and if you do, is
      anything set to use jumbo MTUs? (Particularly servers?) As soon as you
      go down to 10/100 you're back to 1514-byte MTUs again, so you'll have
      to fragment there.
    - Firewalls have a bit of an opportunistic tendency to drop IP fragments.
      (For good reason: lots of ways of evading if they were to pass IP frags
      untouched, see fragroute(r) etc.)

    I would chase your 'source' of fragments first, and if you can't figure that
    out, see if you can tweak the firewall/routers to deal a bit more politely with
    frags. (However, be aware that if you're tweaking the firewall to be more liberal
    with regard to frags you may open yourself up a bit, see aforementioned tools.)

    Not to be too blunt, but why are you forced to do NFS over a firewall? There
    is a myriad of security problems you potentially open up. (portmap, statd,
    lockd, potentially nasty RPC-level attacks.)

                    roel

    > I have been seeing NFS problems on my network lately, after NFS worked well
    > for years. The major change is that the network folks have put in a lot of
    > new Cisco equipment. When I run tcpdump on the NFS server and client I see
    > the client sending packets to the server, the server getting them and
    > replying, but the reply packets never make it to the client. I often see
    > fragment flags on the packets, and I started to wonder if Cisco switches or
    > routers might have a habit of dropping fragmented packets. When packets go
    > through the Nokia firewall, sometimes packets get dropped because the port
    > doesn't seem to be recognized as part of the NFS connection, and sometimes
    > packets don't get dropped at all. Any suggestions will be welcome.
    >
    > hermit921
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

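The fragment/firewall interaction discussed above, as an added example that is not part of the original thread: a Python model of how one large UDP NFS reply is split into IP fragments for a given link MTU, and why a port-based rule can only classify the first fragment (the later ones carry no UDP header). All sizes, ports and the filter behaviour are constructed for illustration.

```python
"""Model IP fragmentation of a UDP NFS reply and its effect on port filters.

Added example, not from the mailing-list thread. Sizes are constructed:
a single UDP datagram (e.g. an NFS READ reply) leaving a jumbo-MTU server
and crossing a 1500-byte link. Only the first fragment carries the UDP
header, so a filter matching on port 2049 cannot recognise the remaining
fragments unless it tracks the datagram (src, dst, IP ID) as a unit.
"""
from dataclasses import dataclass
from typing import List, Optional

IP_HDR = 20   # IPv4 header without options
UDP_HDR = 8


@dataclass
class Fragment:
    offset_units: int        # fragment offset in 8-byte units, as in the IP header
    length: int              # bytes of IP payload carried in this fragment
    more_fragments: bool     # the MF flag
    dst_port: Optional[int]  # present only where the UDP header is (first fragment)


def fragment_udp_datagram(payload_len: int, mtu: int, dst_port: int) -> List[Fragment]:
    """Split a UDP datagram into the IP fragments a router would emit for `mtu`."""
    total = payload_len + UDP_HDR                 # IP payload = UDP header + data
    max_chunk = (mtu - IP_HDR) // 8 * 8           # non-final fragments are 8-byte aligned
    frags, offset = [], 0
    while offset < total:
        length = min(max_chunk, total - offset)
        frags.append(Fragment(offset // 8, length, offset + length < total,
                              dst_port if offset == 0 else None))
        offset += length
    return frags


def stateless_port_filter(frags: List[Fragment], allowed_port: int) -> List[bool]:
    """Per-packet verdict of a filter that only inspects the transport header.
    Non-first fragments have no port to match, so they fall to the default deny."""
    return [f.dst_port == allowed_port for f in frags]


def fragment_aware_filter(frags: List[Fragment], allowed_port: int) -> List[bool]:
    """Verdict of a filter that applies the first fragment's decision to the whole
    datagram (what fragment-tracking or reassembling firewalls do)."""
    verdict = bool(frags) and frags[0].dst_port == allowed_port
    return [verdict] * len(frags)


if __name__ == "__main__":
    reply = fragment_udp_datagram(8192, 1500, 2049)   # constructed 8 KiB NFS reply
    print(f"{len(reply)} fragments on a 1500-byte link")
    print("stateless port filter:", stateless_port_filter(reply, 2049))
    print("fragment-aware filter:", fragment_aware_filter(reply, 2049))
    print(len(fragment_udp_datagram(8192, 9000, 2049)), "fragment on a jumbo link")
```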