[geeks] An NFS conundrum

Phil Stracchino phil.stracchino at speakeasy.net
Mon Feb 19 13:25:00 CST 2007


Mike Meredith wrote:
> On Sun, 18 Feb 2007 22:29:53 -0500, Phil Stracchino wrote:
>> share -F nfs -o root=@10.24.32.0/24,rw=@10.24.32.0/24,ro=@10.24.33.0/24 -d "exports" /export
>>
>> minbar:/export  /minbar         nfs     rw,rsize=8192,wsize=8192,soft,suid      0   0
> 
> Well, trying to mount it rw when it's exported ro isn't going to help.
> I wouldn't have thought it would give an i/o error for an ls though,
> but that may be worth fixing.

oops...  good call.  lemme fix that and retry.

> Incidentally if you're going to specify
> the NFS blocksize, I'd benchmark it carefully; Linux can do better than
> 8Kbytes these days, and it's definitely a suboptimal block size.

Yeah, that would probably stand some benchmarking.  I'm not certain how
best to go about it to control for the effects of caching though.  Any
suggestions?  I get enough throughput to almost saturate my network as
it is.


>> pass log quick on $if_internal from ($if_backbone) to ($if_wireless)
>> pass log quick on $if_internal from ($if_wireless) to ($if_backbone)
> 
> That looks like you're logging the traffic; so what traffic are you
> getting ?

The traffic across the firewall, as far as I can tell, looks completely
normal, exactly as it should.  I've got minbar's nfsd running verbose,
but still nothing's being logged there.  Meanwhile, the problem client
is logging errors that say the nfs server isn't responding.  Kind of
makes me think whatever's going wrong is going wrong entirely on the
client side.


>> (These rules are here just while I'm debugging this problem.  Once I
>> have it solved, access to 10.24.32.0/24 from hosts on 10.24.33.0 will
>> be restricted much as is access from the outside world, which is to
>> say that only trusted hosts on 10.24.33.0/24 can access all hosts on
>> 10.24.32.0/24.)
> 
> You can trust any host on a network segment only as much as the least
> trustworthy host on that network segment. Sorry I'm letting my security
> fascist tendencies show :)

Oh yeah, sure.  Stipulated.  But basically anyone who's connected on
that wireless segment is either a family member or a houseguest anyway.


-- 
 It's not the years, it's the mileage.
 Phil Stracchino              phil.stracchino at speakeasy.net
 Renaissance Man, Unix generalist, Perl hacker, Free Stater
 Landline: 603-429-0220                Mobile: 603-320-5438
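The export/fstab mismatch Mike points to can be checked mechanically rather than by eye. What follows is an added example, not code from the thread or from either poster: it takes the share option string and the fstab option string quoted above as constructed input, evaluates which of the root=, rw= and ro= access lists a given client address falls in, and reports the effective access plus any conflict with what the client's fstab asks for. Only the @network/prefix form of a share_nfs access list is handled; hostnames and netgroups are passed through as raw strings because they would need name resolution. A client that matches both rw= and ro= is reported as ambiguous rather than guessing which list wins, and a bare @address with no prefix is treated as a single host (an assumption made here, not share_nfs's classful-mask behaviour). The root= check is the one that matters for Mike's "least trustworthy host" remark: every host on the listed segment gets unsquashed root.

```python
"""Effective-access checker for a Solaris-style `share -F nfs -o ...` export.

Added example (not from the thread).  Assumptions: only '@network/prefix'
access-list entries are evaluated; a bare '@address' is a /32 host; rw=/ro=
overlap is reported as 'ambiguous'; with neither rw nor ro given, share_nfs
defaults to rw for everyone, which is modelled as 0.0.0.0/0.
"""
import ipaddress

# Constructed inputs copied from the thread's share line and fstab line.
SHARE_OPTS = "root=@10.24.32.0/24,rw=@10.24.32.0/24,ro=@10.24.33.0/24"
FSTAB_OPTS = "rw,rsize=8192,wsize=8192,soft,suid"

EVERYONE = [ipaddress.ip_network("0.0.0.0/0")]


def parse_access_list(text):
    """Split a share_nfs access_list ('a:b:c') into network objects.

    '@network[/prefix]' entries become ip_network objects; anything else
    (hostname, netgroup) is kept as a raw string so the caller can see it.
    """
    entries = []
    for item in text.split(":"):
        if item.startswith("@"):
            spec = item[1:]
            if "/" not in spec:
                spec += "/32"  # assumption: treat a bare address as one host
            entries.append(ipaddress.ip_network(spec, strict=False))
        else:
            entries.append(item)
    return entries


def parse_share_opts(opts):
    """Parse 'root=...,rw=...,ro=...' into {option: access list}."""
    parsed = {}
    for opt in opts.split(","):
        key, _, value = opt.partition("=")
        if key in ("root", "rw", "ro"):
            # 'rw' / 'ro' with no '=' apply to every client.
            parsed[key] = parse_access_list(value) if value else EVERYONE
        else:
            parsed[key] = value
    if "rw" not in parsed and "ro" not in parsed:
        parsed["rw"] = EVERYONE  # share_nfs default: read-write to all
    return parsed


def in_list(addr, entries):
    """True if addr falls inside any network entry (raw strings are ignored)."""
    ip = ipaddress.ip_address(addr)
    nets = (ipaddress.IPv4Network, ipaddress.IPv6Network)
    return any(isinstance(e, nets) and ip in e for e in entries)


def effective_access(opts, client):
    """Return (access, root_unsquashed) for client.

    access is one of 'rw', 'ro', 'none' or 'ambiguous' (in both rw= and ro=).
    """
    share = parse_share_opts(opts)
    rw = in_list(client, share.get("rw", []))
    ro = in_list(client, share.get("ro", []))
    root_ok = in_list(client, share.get("root", []))
    if rw and ro:
        access = "ambiguous"
    elif rw:
        access = "rw"
    elif ro:
        access = "ro"
    else:
        access = "none"
    return access, root_ok


def check_mount(share_opts, fstab_opts, client):
    """Compare the client's fstab request with what the export grants it."""
    access, root_ok = effective_access(share_opts, client)
    wants_rw = "rw" in fstab_opts.split(",")
    findings = []
    if access == "none":
        findings.append("client is not in any access list; mount will be refused")
    elif access == "ambiguous":
        findings.append("client matches both rw= and ro=; fix the export first")
    elif wants_rw and access == "ro":
        findings.append("fstab asks for rw but the export is ro for this client")
    if root_ok:
        findings.append("root on this client is not squashed (root= matches)")
    return access, findings


if __name__ == "__main__":
    # One host on the wired segment, one on the wireless segment from the thread.
    for host in ("10.24.32.5", "10.24.33.7"):
        access, findings = check_mount(SHARE_OPTS, FSTAB_OPTS, host)
        print(host, access, findings)
```

Run it against a real export by pasting the option string from `share` output (or /etc/dfs/sharetab) and the client's fstab line; a 'none' result means the mount itself is refused, while 'ro' against an fstab 'rw' is the silent case in the thread, where the mount is accepted and only writes fail.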