General :: Writing Files From NFS Client To Server Behind Firewall ?

Jan 25, 2010

For some time now, I've been having some problems configuring an NFSv4 server to work with a firewall. I've already searched the web, but I was unable to find a solution that works for me.

The situation is as follows:
I'm trying to connect an NFS client to an NFS server that is behind a firewall. I don't have access to this firewall, but I can contact the administrator to open some ports for me. I already did this for opening port 2049.

The result is that the client can read files from the server, but is unable to write files to the server. I believe that for writing an extra RPC-connection needs to be set up. However, the ports on which the RPC-connection is set up, seem to be different for every connection (I verified this using 'netstat -tn').

Clearly, this is a problem since the server is protected by the firewall.

Thus, what I want to do is configure the server in such a way, that it always uses the same server-side port(s) to connect with the writing clients (just like 2049 for reading). I've already tried to configure the /etc/default/nfs-kernel-server and /etc/default/nfs-common files, but that hasn't really worked out yet.

Note: Because I don't like to contact the system admin every day, I hooked up 2 computers (client/server) on which I set up the same configuration (without the firewall). I'd like to see it working on those machines first (that is, 'netstat -tn' showing the correct port), before I contact the admin to open some extra ports.


OpenSUSE :: Firewall Setup / Client Computer Cannot See NFS Server When Scanning For Server - OSE 11.2?

Apr 21, 2010

I have a small home-office network. On that network I have two linux computers, one is a client the other a server.

On the server I have NFS Server setup and mount some NFS exports on the client computer.

On the server I have the firewall on and here it becomes a little tricky.

Since both the server and the client connect to the router the interface (eth1) is theoretically both an internal & external zone.

The router is commercial grade and therefore has a good firewall on it which is also setup. Therefore the firewall on the server is really more of a backup than a necessity. But that's fine, and by having the server's firewall on 'fail2ban' is able to work which I like to have working so I don't want to just turn off the server firewall even though I have good security from the router.

However, when I turn on the server's firewall, the client computer cannot see the NFS server when scanning for server -- done by: clicking on "Choose" next to "NFS Server Hostname" when adding an NFS share in the NFS Client in YaST. Clearly something is being blocked even though I have both "NFS Client" and "NFS Server Service" allowed in the server firewall. The Firewall config. files for these are below.

The Firewall configuration is pretty much "out of the box". That is I have the services I need opened up for the external zone, the other zones are left at their default which means the internal zone, although not used (i.e.: attached to any interface), is completely open.

The perfect solution I guess would be to setup my client computer to connect through a different NIC (perhaps eth0), make that the "Internal Zone" and therefore allow all traffic through to it while still blocking the server from the external zone. However, I cannot make that physical change to my network for now so I am looking for an in between (non-perfect) solution.

In this case I am guessing that means opening up extra NFS ports to the external zone so I have full NFS functionality. I don't mind this because like I said, the router firewall is the main line of defense anyway.

So, given all of the above could someone tell me what I would need to additionally open up in the server firewall to make the NFS server detection work on the client while the firewall was on. Or, if you have a cleverer/better solution without me changing my physical network that would be great.

Hopefully I have written this in enough detail and clearly enough so that all the parameters are clear but if not, feel free to ask me what you like and I'll try to make it clear.

Code:
## Description: Firewall Configuration for NFS kernel server.
#
# Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed.
# More may be supported in the future.
code....


Server :: Cannot Use 'ls' Outside Firewall Client Hangs

Jan 7, 2010

I have vsFTPd running on my server. If I connect via 127.0.0.1, then all is well and I can use the "ls" command to get a directory listing. However when trying this remotely, the FTP client hangs and I do not get a directory listing.


General :: Copy Files From Server To Client Via Ssh?

Mar 17, 2010

I have ssh access to a Red Hat computer in my network which has internet connectivity. I have downloaded a particular tarball to that computer using wget. Now how can I copy that file to my system?


General :: Automated Save/redirect Files From Client Into PXE Server?

May 26, 2011

I just finished setting up a PXE server, and was wondering whether it is possible to automatically save/redirect files from the client to the server. Basically, a test will be running on the client, and I want to save the result (text file) to the server after testing is done.


Debian :: Suid And Writing Files Permissions In The ET Server?

Feb 22, 2010

I have tried to configure an Enemy Territory Server in a way that a common user could run it just by executing a command line. The first thing I did was writing a script like this:

/usr/local/games/enemy-territory/etded +set dedicated 1 +set net_port 27960 +set fs_game etpub +set fs_homepath /usr/local/games/enemy-territory/27960 +set sv_punkbuster 1 +set +exec server.cfg +set +exec punkbuster.cfg  +set +exec bots.cfg

and then putting it in the /usr/local/bin directory. OK, things seemed to be fine, but then I realized that the program tries to write some config and log files. I noticed that because some warnings appear on the command line, like "Couldn't write etconfig.cfg", whenever I run the command as a normal user. On the other hand, if I give write permission to these files, all the warnings disappear.
But I don't think it is a good way, because someone could change these files by hand, which would not be good.

My last try was to set the suid bit of the script, with the command chmod u+s /usr/local/bin/etded-server
But as I already knew that suid does not work well with shell scripts, I wrote a C source like this:

[Code]...


General :: Backup / Setup A Second VPN Tunnel On A Fallback Gateway / Firewall On The Client Side

Mar 1, 2011

I've set up a LAN-to-LAN (routed) OpenVPN tunnel. For redundancy I want to set up a second VPN tunnel on a fallback gateway/firewall on the client side. Currently, both sides (server/client) know how to route packets across each other's physical LAN, so no NAT is used. When the primary gateway (fw1) is connected to the VPN server, all traffic runs via the fw1 tunnel. Then, when the secondary gateway (fw2) connects to the VPN server and fw1 is still connected, all traffic for fw1 will be delivered to fw2, effectively destroying traffic intended for fw1. This is of course no problem if I first shut down (fence) fw1, then set up fw2 to use the gateway IP address from fw1 and set up the VPN tunnel to the VPN server, effectively replacing fw1 with fw2 on the client side.
However, I can't seem to find a decent howto.

I am also exploring the possibility of leaving both tunnels active and letting OpenVPN (or another tool) decide how to route packets back and forth between the different LANs: a virtual IP between two gateways both running a VPN, or something similar. This would be the preferred method of course. However, I don't know how to tackle this one, but I'm pretty sure there are people out there who are happy to share their 2 cents.


General :: Writing A Script That Compares Two Different Files?

Jul 26, 2011

How do I find matches in two different files when comparing timestamps? The fields I'm wanting to match up are in the format:

Jul 26 09:33:02

I have tried reading the file line by line and using awk '{print $1,$2,$3}' which only gets and stores the timestamp in one of the files. I've been looking around and saw this example:

awk 'FNR==NR{!a[$3]++;next }{ b[$3]++ }
END{
for(i in a){
for(k in b){
if (a[i]==1 && i ~ k ) { print i }
}
}
}' $FILE $FILE2

Which sorta works but it's way over my head at the moment. The two files can be found in your /var/log/syslog and /var/log/auth.log (using Ubuntu 11.04)


General :: Writing Or Sending Files To CD Accomplished In Mandriva?

Jan 1, 2010

How do you send files, save or otherwise write to CD using Mandriva Linux? On Windows you get a helper menu. Linux does not offer this option in its helper file and you can't click and drag a file into the CD folder. The dialog box reads "you do not have permission to write to this folder" when I try to drag it in, and I can't change the permission signed in as Root. I don't have a clue. I wish Linux Questions would add an emoticon that has the expression "what the hell buddy? are you on ten hits of acid?"


Networking :: NFS Files On Client Have Different Owner/group Than On Server?

Feb 4, 2011

The server is named alpha and is running Archlinux. It is exporting a directory named /files. The server is a couple of years old and I have accessed it extensively from clients running Arch, Suse, PCLinuxOS, and maybe some others, all with no problems. The clients (3 of them) are new installations of Linux Mint 10 (Julia). When I mount the nfs all of the nfs files are visible as expected. However, the owner/group is drastically different than on the server.

I might add that I have set up user id's and group id's the same. My user is 1003 on all systems, and the users group is 100 on all systems. When I am on alpha (via ssh), here is a partial file listing.

Code:
[dick@alpha dick]$ ls -l
total 9740
drwxr-xr-x 3 dick users 4096 May 16 2009 airplane
-rw-rw-r-- 1 dick users 240978 Jun 27 2009 Alice Grad 1934.pdf
-rwxr-xr-x 1 dick users 444 Jul 8 2007 alpha2ast
-rw-r--r-- 1 dick users 444 Sep 2 2009 alpha2charlie

[Code]...

I have searched the Mint forums, LQ forums, and Google in general. I must be missing something in my search because I can't believe that no one else has this same problem and I am having it on 3 different boxes.


CentOS 5 Networking :: Transfer The Files From A The Client To The Server Using FTP?

Feb 27, 2009

I'm carrying out a project for my university (CIT in Cork, Ireland) and I'm using CentOS running over VMware. I have a server and a client. The server has no GUI (command line UI) while the client has a UI. I need to install a Simple Forum Machine application and I'm told to FTP the files into the server. I figured out that the best option is to load the files onto the client via the GUI and then FTP them to the server. How do I transfer the files from the client to the server using FTP? I'm totally new to Linux so the more details the better. Also I'm trying to mount a USB key on the server but have had no luck.


Networking :: VPN Client Exists Which Will Connect To A Sonicwall Firewall?

Feb 3, 2011

Does a Linux VPN client exist which will connect to a Sonicwall firewall?


Server :: LDAP Server Vs Client / Export Server's Home Directory To The Client?

Jun 11, 2011

I configured OpenLDAP in RHEL5 on virtual machines and everything is working fine. I created a user called ldapuser in the LDAP server and I created a home directory for ldapuser on my LDAP client; now I am able to log in to both the server and the client with the ldapuser account.

Now what I am expecting is to export my server's home directory to the client; I don't want to create home directories manually on the client machine. I googled about that, and it can be done through autofs.

What needs to be done on the client and server side?


Security :: Access Dom0 Files During Vsftpd Server From DomU During Ftp Client

Aug 24, 2010

I have a CentOS 5.5 distribution with Dom0 and DomU installed. I try to access Dom0 files through the vsftpd server from DomU through an ftp client. I successfully log in with root and a simple user, but when I try to list (or cd to some directory) in the user home, SELinux prevents me from doing it. I get this in audit.log:

[Code]....


Networking :: Squid And Firewall Settings - Restrict To Local Client?

Mar 3, 2011

I have configured Squid for my LAN. My LAN has three Red Hat 5.3 web servers. Now, by using the proxy server, I wish to give access to external clients for my web server and restrict to local client, accessing WAN through port 80.


General :: Dial-up Connectivity - Configure Kppp With Firewall - Find Lock Files

Mar 16, 2010

I have a desktop computer running Debian Lenny, a 56 K modem, and a dial-up account, currently configured like this: computer -> modem -> UPS -> phone jack

When I run off a Knoppix live CD, I can use kppp to configure pppd (using PAP/CHAP authentication and hardware flow control) to dial up and surf. When I try to use kppp to configure pppd exactly the same way on my hard drive installation, I get nothing. Both my Knoppix live CD and Debian Lenny use exactly the same version of kppp, but the pppd related files in /etc/ppp look a bit different.

Under both Knoppix and Debian Lenny hard drive installation, when I try to connect, the login debug window of kppp shows:

Code:
ATZ
OK
ATM1L1
OK
ATDT [phone number]

At this point I hear the modem dialing out, and when using Knoppix, after a few seconds I see

Code:

Which I think corresponds to my route to the Internet being established through my ISP. When using the hard drive install, I never see the CONNECT, and all indications are that my modem is not sending authentication information at all, but getting stuck right after dialing out, so that my ISP gets a phone call from a modem which... refuses to speak. I never had any problems before, so I am baffled.

So apparently my system is currently misconfigured in some way which prevents point to point protocol from getting out.

Questions:
I have a firewall on my computer which I set up using guarddog. I have enabled point to point protocol from internet zone to local zone. I know that ppp is a symmetrical protocol, but my understanding is that I do not need to enable point to point from local to internet zone. I have not enabled irc protocol because my understanding is that this is only relevant to software flow control using chat scripts. Does this sound correct? Is there some additional protocol I need to allow in order to use pppd to dial out?

When I reboot my computer (off the hard drive) I sometimes see the system complaining about a failure to stop every process, and sometimes I see mention of an eth0.pid. I have been looking for lock files; would they all be in /var/run?

When I use kppp to configure pppd, I want to do that as my ordinary user for at least two reasons, correct? First, I don't want to run pppd as root user for security reasons; second, kppp is a GUI and root user can't use X (on Debian).

So I should see in home directory of my ordinary user
.kde/share/config/kppprc
.kde/share/apps/kppp

But not in /root directory, correct? What pppd related processes should I see with ps -ef if everything is working?


General :: Recommendation For Firewall Server?

Apr 1, 2009

After metering the power being used daily in my computer room, I decided that I needed to get somewhat greener. So I am updating all my equipment and getting rid of the old towers and power hungry equipment. So far so good, except for the box running Smoothwall.

It is an old IBM 300GL from the '90s that is apparently never going to die. But it is noisy and not exactly low powered and has to be on all the time. The only machines that I have presently that can be used as a replacement are full blown AMD 3000 and 6000's, and I hate to waste one of those just to be a firewall. I can find some mini cube systems that are very low powered - some even run on just a wall cube - but can't find one with two ethernet ports, and of course there is no plug-in bus on a tiny box.


General :: Implement Proxy Server With Firewall?

Feb 11, 2010

How do I implement a proxy server with a firewall, where the client users are authenticated by being asked for a username and password when opening their web browsers? Finally, I want to see the list of websites visited by all the client computers, on CentOS 5.3.


General :: Is It Safe To Put Samba Server Outside The Firewall

Apr 4, 2011

Is it safe to put Samba Server outside your Firewall?


Programming :: Writing Files Using O_DIRECT In C?

Feb 28, 2010

I am trying to write .pgm images using the O_DIRECT flag in open(). I have a char* buffer which has the image data. I know that I have to align the buffers and have done that using posix_memalign(), yet only a part of the image gets written. Has someone used O_DIRECT for writing files successfully?


General :: Connecting From A Windows7 Client To A Server Through Vnc Server?

Jul 29, 2011

I tried connecting from a Windows 7 client to a Linux server through a VNC server. But it's very slow; is there any alternative to VNC? I heard that Samba can be used as a remote desktop tool; if it's true, please reply with configuration details.


General :: Activate Firewall From Server - Account Users Cant Login To Chat Room

Mar 10, 2011

I have a visichat site and a 1and1 server.

I am having a problem with my firewall.

When I activate the firewall from my server account, users can't log in to the chat room. The error that occurs is "Connection To Server Failed".

Will anybody let me know how I can fix this problem so that I can activate my firewall and users can also log in?


Ubuntu :: Writing Log Files With A Shell Script?

Feb 6, 2011

I want to perform an action with a shell script and then log the event in a file in /var/log. However, I keep getting permission denied error messages.


Programming :: Reading And Writing Text Files In C?

Jan 1, 2011

Reading and writing text files in C?


Ubuntu Servers :: Writing Specialization Work About Administration Apache And Ftp Server On 10:10 Server?

May 22, 2011

Does anyone have some material about statistics on using Ubuntu / Linux servers, or a text which generally describes the Ubuntu server? I need it urgently; I'm writing specialization work about administration of Apache and FTP server on Ubuntu 10:10 server, so I need something for the conclusion.


Ubuntu :: Permissions - Writing Files In Different Default Permission?

May 10, 2010

Currently when I create a folder, it comes down as 755 permissions.

I want it to come down as 775 permissions by default.

How can I change this?


Debian Configuration :: Install A Multi-core System And Configure It To Run Several VMs, One Each For A Firewall, A Caching Proxy Server, A Mail Server, A Web Server?

Jan 25, 2011

I will be relocating to a permanent residence sometime in the next year or two. I've recently begun thinking about the best way to implement a home-based network. It occurred to me that the most elegant solution might be the use of VM technology to eliminate as much hardware and wiring as possible. My thinking is this: Install a multi-core system and configure it to run several VMs, one each for a firewall, a caching proxy server, a mail server, a web server. Additionally, I would like to run 2-4 VMs as remote (RDP) workstations, using diskless workstations to boot the VMs over powerline ethernet. The latest powerline technology (available later this year) will allow multiple devices on a residential circuit operating at near gigabit speed, just like legacy wired networks.

In theory, the above would allow me to consolidate everything but the diskless workstations on a single server and eliminate all wired (and wireless) connections except the broadband connection to the Internet and the cabling to the nearest power outlets. It appears technically possible, but I'm not sure about the various virtual connections among VMs. In theory, each VM should be able to communicate with the other as if it was on the same network via the server data bus, but what about setting up firewall zones? Any internal I/O bandwidth bottlenecks? Any other potential "gotchas", caveats, issues? (Other than the obvious requirement of having enough CPU and RAM.) Any thoughts or observations welcome, especially if they are from real world experience in a VM environment. BTW, in case you're wondering why I'm posting here, it's because I run Debian on all my workstations/servers (running VirtualBox as a VM for Windows XP on one workstation).


Programming :: Writing Files With Python Produces Blank 0KB File?

Jun 22, 2010

I am working on a little project in Python. I have produced this prototype:

Code:
#!/usr/bin/python
# -*- coding: iso-8859-1 -*-
#DocC documentation prototype

[Code].....


General :: Doubt Regarding 389 Server Client

Jan 5, 2010

I have a doubt regarding the 389 Server Client Architecture. Say I have a 389 Server working and I have a few Linux clients. Now you say that if the 389 client is configured, it will log in through credentials which are configured on the server. So what about the local users on that client? How will normal users on the client log in?


Server :: Nis Client On Centos Not Working With Suse Server / But Works With Suse Nis Client

Jun 25, 2009

I have a NIS server on Suse 11, which is configured using YaST, and NIS clients on Suse and CentOS. All clients on the Suse OS are working fine. But on CentOS, users couldn't log in using a NIS username. I have mounted the home directory using NFS in fstab. I can switch to a NIS user's home directory only when I am root. But NIS users couldn't log in on reboot. 'ypcat passwd username' is showing the output. No SELinux is enabled on the client. Is there any problem with a Suse server to CentOS client in NIS?


Copyrights 2005-15 www.BigResource.com, All rights reserved