From: Trond Myklebust
Subject: Re: [NFS] nfs-over-tcp still needs udp ports? (SLES 11)
Date: Fri, 08 May 2009 08:27:42 -0400
Message-ID: <1241785662.19651.32.camel@heimdal.trondhjem.org>
Cc: Leonardo Chiquitto, nfs@lists.sourceforge.net, Tom Talpey
To: Frank Steiner

On Fri, 2009-05-08 at 08:03 +0200, Frank Steiner wrote:
> Tom Talpey wrote
> >
> > In particular, if you do NLM file locking, there is a server callback (NLM
> > "granted") which the server may choose to issue via UDP. If this callback
> > is not seen by the client due to firewall blocking, there may be a 30-second
> > pause before a client retry unblocks the caller.
> >
> > Also, the NSM (status monitor) exchanges are often performed via UDP.
> > Again, if you are using NLM and the server reboots, the client may not
> > become aware of this promptly, and lock reclaim will be affected.
> >
> > OTOH, if your applications don't use locking on the NFS mounts, you'll
> > probably be fine.
>
> We do use locking on nfs mounts, so I wonder what that would mean for the
> firewall. Currently I see connections from the NFS server *from* port 700
> and 111 (we've fixed mountd port to 700) to (it seems) arbitrary udp
> ports on the NFS clients.
>
> Would that be enough to allow those? Or could the source ports be arbitrary
> with NLM, too? I.e., would we have to open all udp traffic from the NFS
> servers to all the NFS clients?

Most NFS servers allow you to pin the ports used by the lockd service. In
Linux, the kernel boot parameters lockd.nlm_tcpport and lockd.nlm_udpport
will suffice to do it for you (see
linux/Documentation/kernel-parameters.txt).

Trond
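
A way to confirm that the lockd.nlm_tcpport and lockd.nlm_udpport settings mentioned in the reply took effect before writing firewall rules around them. This is an added example, not part of the original message: it parses `rpcinfo -p` output for nlockmgr (RPC program 100021), and the port 4045 and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm lockd (NLM, RPC program 100021) is registered on the
# pinned ports, using `rpcinfo -p` output. Port values are constructed.

# Constructed sample of `rpcinfo -p <host>` output after booting with
# lockd.nlm_tcpport=4045 lockd.nlm_udpport=4045 (4045 is an assumed choice).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   udp    700  mountd
    100005    3   tcp    700  mountd
    100021    1   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100003    3   tcp   2049  nfs'

# Print the distinct ports nlockmgr is registered on for one protocol,
# comma-separated (more than one value means the port is not pinned cleanly).
nlm_ports() {  # usage: nlm_ports tcp|udp  < rpcinfo-output
    awk -v proto="$1" '
        $1 == 100021 && $3 == proto && !seen[$4]++ { out = out (out ? "," : "") $4 }
        END { print out }'
}

# Return 0 only if nlockmgr uses exactly the expected TCP and UDP ports.
check_nlm_pinned() {  # usage: check_nlm_pinned TCPPORT UDPPORT  < rpcinfo-output
    input=$(cat)
    tcp=$(printf '%s\n' "$input" | nlm_ports tcp)
    udp=$(printf '%s\n' "$input" | nlm_ports udp)
    if [ "$tcp" = "$1" ] && [ "$udp" = "$2" ]; then
        echo "OK: nlockmgr pinned tcp=$tcp udp=$udp"
        return 0
    fi
    echo "MISMATCH: nlockmgr tcp=${tcp:-none} udp=${udp:-none}, expected tcp=$1 udp=$2" >&2
    return 1
}

# Against a live host: rpcinfo -p <host> | check_nlm_pinned 4045 4045
printf '%s\n' "$SAMPLE_RPCINFO" | check_nlm_pinned 4045 4045
```

Once the check passes on each host, the firewall only needs to admit the pinned lockd port alongside the portmapper and mountd ports already fixed, rather than all UDP traffic between servers and clients.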