Re: IPF Rules with a NFS Cluster

David S. wrote:
>>I have some experience with Solaris and VCS and Sun Cluster and NFS
>>behind a firewall. It's not pretty. Your biggest problem is going to
>>be the RPC Portmapper which assigns RPC service ports. These ports can
>>and do change every time the NFS server is rebooted. Your best bet is
>>to configure your NFS server to use public ports, or wait for NFS v4
>>which was designed to be used in a firewalled environment.
>
> Another way to handle this would be to configure the system to boot up
> with a basic set of IPF rules. Then, after the NFS services have
> started, run a script (out of 'rc.local', or something) that parses
> the output of "rpcinfo -p localhost" for the port numbers used by the
> NFS RPC services, and then builds a new set or IPF rules using those
> numbers. I haven't tried that, but it shouldn't be too hard.

You can also just bypass the portmapper and mount daemon by getting ahold of
the filehandles once and writing a little C program to mount each filesystem
using the prefetched filehandle. If you change your exports, or replace an
exported directory, you'll have to get the new filehandle. NFS talks on port
2049, and lockd talks on port 4045 on Solaris; it's only the mount daemon that
moves. (The quota daemon also moves; just don't enable NFS quotas.) With this
strategy, you can just pass 2049, and 4045 if you're using NFS locking, and
you're done for good.

But I don't think this was the guy's problem, actually. I got the impression
he was having a problem with strong vs. weak end system model. See if setting
ip_strict_dst_multihoming to 1 makes a difference.

--
Jefferson Ogata <Jefferson.Ogata@noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt@noaa.gov>