This is a discussion on RE: IPF Rules with a NFS Cluster within the IPFilter forums, part of the System Security and Security Related category.

Shawn,
You still haven't done a very good job of explaining your environment. What OS are you using? What cluster software? Is your IP Filter on the client or the server?

I have some experience with Solaris and VCS and Sun Cluster and NFS behind a firewall. It's not pretty. Your biggest problem is going to be the RPC Portmapper which assigns RPC service ports. These ports can and do change every time the NFS server is rebooted. Your best bet is to configure your NFS server to use public ports, or wait for NFS v4 which was designed to be used in a firewalled environment.

If your IPFilter is on the server: You will also need to configure your client and IPF on the server to use the virtual IP of the cluster, not the IP address of the interface. I'm not sure how well IP Filter will handle using the virtual instead of the physical. Also, you will need to configure IP Filter to share the state information between the two cluster nodes so when one fails, the other has a copy of the state table. I don't know what the state of IPF's state table synchronization is, so you'll need to research that as well.

As I said, it's not going to be fun.

Charles

> -----Original Message-----
> From: owner-ipfilter@coombs.anu.edu.au [mailto:owner-ipfilter@coombs.anu.edu.au] On Behalf Of Shawn Sanders
> Sent: Tuesday, November 25, 2003 9:50 PM
> To: 'David S. '; Shawn Sanders
> Cc: 'ipfilter@coombs.anu.edu.au '
> Subject: RE: IPF Rules with a NFS Cluster
>
> NFS Cluster as in a group of servers providing fail over service if one of
> the two servers goes down. We are given a list of IP addresses to map our
> Application directories. The vfstab points to the ip address of one of
> these ip addresses. The request is serviced by one of two ip addresses
> (primary and secondary). Secondary only if the primary is down.
>
> So doing a snoop of my connection my request goes to x.x.x.104 (my home
> directories) in this case and the response comes back to me from x.x.x.101
> (primary) or x.x.x.102 (secondary).
>
> Things work fine with ipf set to
> pass in all
> pass out all
>
> -----Original Message-----
> From: David S.
> To: Shawn Sanders
> Cc: ipfilter@coombs.anu.edu.au
> Sent: 11/25/2003 6:38 PM
> Subject: Re: IPF Rules with a NFS Cluster
>
> I think you need to explain your set-up a bit more. What do you
> mean by an "NFS Cluster" and "map the drive to one ip address"?
> Where is the system running IPF sitting in relation to the NFS
> servers and clients? Are you also using NAT?
>
> David S.
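
The portmapper behaviour Charles describes can be checked directly. The following is an added example, not part of the original thread: it compares two `rpcinfo -p` listings from one NFS server, taken before and after a reboot, and reports the RPC services whose ports moved, which are the ones a port-based filter rule would no longer match. The listings and port numbers are constructed sample data, and `parse_rpcinfo` and `moved_services` are hypothetical helper names.

```python
# Constructed `rpcinfo -p` output from the same NFS server before and after a
# reboot (sample data, not taken from the thread).
BEFORE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp  32771  mountd
    100024    1   udp  32772  status
    100021    4   udp   4045  nlockmgr
"""
AFTER = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp  32790  mountd
    100024    1   udp  32781  status
    100021    4   udp   4045  nlockmgr
"""

def parse_rpcinfo(text):
    """Map (service, proto) -> set of ports from `rpcinfo -p` output."""
    ports = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows are: program vers proto port [service]; skip header/blank lines.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        program, _vers, proto, port = fields[:4]
        name = fields[4] if len(fields) > 4 else program
        ports.setdefault((name, proto), set()).add(int(port))
    return ports

def moved_services(before, after):
    """Return {(service, proto): (old_ports, new_ports)} for changed registrations."""
    old, new = parse_rpcinfo(before), parse_rpcinfo(after)
    return {key: (sorted(old.get(key, ())), sorted(new.get(key, ())))
            for key in sorted(set(old) | set(new))
            if old.get(key, set()) != new.get(key, set())}

if __name__ == "__main__":
    for (svc, proto), (was, now) in moved_services(BEFORE, AFTER).items():
        print(f"{svc}/{proto}: {was} -> {now}  (port-based filter rule is now stale)")
```

Services that never appear in the result across reboots are the ones that can safely be named by port in a filter rule.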