NFS question..

Christopher Wagner chrisw at pacaids.com
Wed Aug 21 10:20:10 PDT 2002


I will look into both ideas, either TCP/NFS or SMB..  Both machines do
support SMB, so that might not be a bad idea..

As for leaving the IP/hostnames of the machines, are they real?  Are they
really the machines I'm talking about?  Hmm..  One never knows. :)

- Christopher Wagner
chrisw at pacaids.com

Packaging Aids Corporation - Information Systems
P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116


-----Original Message-----
From: ME [mailto:dugan at passwall.com]
Sent: Tuesday, August 20, 2002 8:03 PM
To: talk at nblug.org
Subject: Re: NFS question..


On Tue, 20 Aug 2002, Christopher Wagner wrote:
> I'm trying to set-up a NFS mount from my home computer to my database
> server at work for incremental backups.  I get this message on the
> Unixware 7.1.1 box (database server):
> UX:nfs mount: ERROR: access denied for milo.waggie.net:/pac
>
> and this message on the Redhat Linux 7.3 box at home:
>
> Aug 20 17:02:57 milo rpc.mountd: refused mount request from
> leg-66-247-88-195-STK.sprinthome.com for /pac (/pac): illegal port 56726
>
> My /etc/exports on milo is:
> #
> /pac    66.247.88.195(rw)
>
> I'm running iptables on milo and the database server is behind a Netopia
> firewall product.  What do I need to open up on the firewalls to get this
> to work?  I already opened up 4069/udp (I think that's the one) on milo.
>
> Thanks in advance for any help provided!! :)

Knowing ahead of time, NFS does not stand for "Network File System" like
many would have you believe, it is actually, "No Frickin' Security"; such
is the case with many services over UDP. (TCP based NFS may add some
security with NFSv3/TCP, but.... *sigh*)

You probably want the "insecure" option for nfs which allows clients to
bind from ports > 1024.

#
/pac    66.247.88.195(insecure,rw)

It is this line that suggests to me this to be the answer:
> Aug 20 17:02:57 milo rpc.mountd: refused mount request from
> leg-66-247-88-195-STK.sprinthome.com for /pac (/pac): illegal port 56726
                                                        ^^^^^^^^^^^^^^^^^^

client using non-reserved port ( >1024 )

You may want to
# man exports
to find out about other options.

Know this:

even though you specify the IP of a host to connect to that share, UDP
packets are easy to forge when compared to "sessions" with TCP!

-ME

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
t at -(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
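
Added example, not part of either message above: a small Python audit that decodes the rpc.mountd "illegal port" refusal and lists exports that are both writable and open to unprivileged source ports. The function names, the /srv/ro entry and the 192.0.2.x addresses are assumptions made for the illustration; the /pac entry and the log line are modelled on the thread.

```python
import re

# Constructed sample input: the /pac entry and the log line are modelled on
# the thread (log line unwrapped); /srv/ro and 192.0.2.x are made up.
EXPORTS = """\
#
/pac    66.247.88.195(insecure,rw)
/srv/ro 192.0.2.10(ro) 192.0.2.11(rw,insecure)
"""
LOG = ("Aug 20 17:02:57 milo rpc.mountd: refused mount request from "
       "leg-66-247-88-195-STK.sprinthome.com for /pac (/pac): illegal port 56726")

IPPORT_RESERVED = 1024  # the default "secure" option wants a source port below this
REFUSED = re.compile(r"rpc\.mountd: refused mount request from (\S+) "
                     r"for (\S+) \(\S+\): illegal port (\d+)")
# "host(opts)", a bare "(opts)" meaning any host, or a bare "host"
CLIENT = re.compile(r"([^\s()]*)\(([^)]*)\)|([^\s()]+)")

def parse_exports(text):
    """Return (path, client, options) for every client on every export line."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        rest = fields[1] if len(fields) > 1 else "()"  # no client list: any host
        for m in CLIENT.finditer(rest):
            client = (m.group(1) if m.group(2) is not None else m.group(3)) or "*"
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            entries.append((fields[0], client, opts))
    return entries

def weak_exports(text):
    """(path, client) pairs that are writable and accept unprivileged source ports."""
    return [(p, c) for p, c, o in parse_exports(text) if {"insecure", "rw"} <= o]

def explain_refusal(line, exports_text):
    """Decode an 'illegal port' refusal and check it against the exports for that path."""
    m = REFUSED.search(line)
    if m is None:
        return None
    host, path, port = m.group(1), m.group(2), int(m.group(3))
    allowed = any(p == path and "insecure" in o
                  for p, _, o in parse_exports(exports_text))
    return {"host": host, "path": path, "port": port,
            "reserved_port": port < IPPORT_RESERVED,
            "export_has_insecure": allowed}

if __name__ == "__main__":
    print(explain_refusal(LOG, EXPORTS))
    print(weak_exports(EXPORTS))
```

The option check is a plain token match on each client's option list; it does not model defaults inherited from other entries or a later `secure` overriding an earlier `insecure`.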

