vine-users ML archive



[vine-users:075489] Filtering when connecting over NFS on Vine4.0

  • From: kaz <okui@xxxxxxxxxxxx>
  • Subject: [vine-users:075489] Filtering when connecting over NFS on Vine4.0
  • Date: Sat, 9 Dec 2006 11:33:26 +0900
Hello, this is Okui.

I examined the packets with tcpdump.
I tried mounting with filtering enabled on the NFS server. The packets at that time were:
[root@etower tam]# /usr/sbin/tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:17:53.855217 IP 192.168.1.7.41332 > 192.168.1.2.sunrpc: S 3828991435:3828991435(0) win 5840 <mss 1460,sackOK,timestamp 460216 0,nop,wscale 2>
09:17:53.855576 IP 192.168.1.2.sunrpc > 192.168.1.7.41332: S 3179269324:3179269324(0) ack 3828991436 win 5792 <mss 1460,sackOK,timestamp 1561881741 460216,nop,wscale 0>
09:17:53.855667 IP 192.168.1.7.41332 > 192.168.1.2.sunrpc: . ack 1 win 1460 <nop,nop,timestamp 460216 1561881741>
09:17:53.856195 IP 192.168.1.7.41332 > 192.168.1.2.sunrpc: P 1:61(60) ack 1 win 1460 <nop,nop,timestamp 460217 1561881741>
09:17:53.856382 IP 192.168.1.2.sunrpc > 192.168.1.7.41332: . ack 61 win 5792 <nop,nop,timestamp 1561881741 460217>
09:17:53.856867 IP 192.168.1.2.sunrpc > 192.168.1.7.41332: P 1:33(32) ack 61 win 5792 <nop,nop,timestamp 1561881741 460217>
09:17:53.856931 IP 192.168.1.7.41332 > 192.168.1.2.sunrpc: . ack 33 win 1460 <nop,nop,timestamp 460217 1561881741>
09:17:53.857269 IP 192.168.1.7.41332 > 192.168.1.2.sunrpc: F 61:61(0) ack 33 win 1460 <nop,nop,timestamp 460217 1561881741>
09:17:53.857457 IP 192.168.1.2.sunrpc > 192.168.1.7.41332: F 33:33(0) ack 62 win 5792 <nop,nop,timestamp 1561881741 460217>
09:17:53.857519 IP 192.168.1.7.41332 > 192.168.1.2.sunrpc: . ack 34 win 1460 <nop,nop,timestamp 460217 1561881741>
09:17:53.857591 IP 192.168.1.7.0 > 192.168.1.2.2049: 0 proc-822083584
09:17:56.855387 IP 192.168.1.7.0 > 192.168.1.2.2049: 0 proc-822083584
09:17:58.720453 IP 192.168.1.1.14396 > 192.168.1.6.snmptrap:  Trap(121)  .1.3.6.1.4.1.3955.2.2.1 192.168.1.1 enterpriseSpecific s=1 44573345
[|snmp]
09:17:58.845893 IP 192.168.1.14.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
09:17:59.595375 IP 192.168.1.14.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
09:18:00.345299 IP 192.168.1.14.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
09:18:02.855753 IP 192.168.1.7.1094926659 > 192.168.1.2.2049: 0 proc-822083584
09:18:05.971374 IP 192.168.1.14.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
09:18:06.720651 IP 192.168.1.14.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
09:18:07.470593 IP 192.168.1.14.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

20 packets captured
40 packets received by filter
0 packets dropped by kernel

I tried mounting with filtering disabled on the NFS server. The packets at that time were:
[root@etower tam]# /usr/sbin/tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:51:46.934916 IP 192.168.1.7.52555 > 192.168.1.2.sunrpc: S 1179398383:1179398383(0) win 5840 <mss 1460,sackOK,timestamp 1868398 0,nop,wscale 2>
10:51:46.935047 IP 192.168.1.2.sunrpc > 192.168.1.7.52555: S 272880772:272880772(0) ack 1179398384 win 5792 <mss 1460,sackOK,timestamp 1562445141 1868398,nop,wscale 0>
10:51:46.935129 IP 192.168.1.7.52555 > 192.168.1.2.sunrpc: . ack 1 win 1460 <nop,nop,timestamp 1868398 1562445141>
10:51:46.935640 IP 192.168.1.7.52555 > 192.168.1.2.sunrpc: P 1:61(60) ack 1 win 1460 <nop,nop,timestamp 1868399 1562445141>
10:51:46.935819 IP 192.168.1.2.sunrpc > 192.168.1.7.52555: . ack 61 win 5792 <nop,nop,timestamp 1562445142 1868399>
10:51:46.936278 IP 192.168.1.2.sunrpc > 192.168.1.7.52555: P 1:33(32) ack 61 win 5792 <nop,nop,timestamp 1562445142 1868399>
10:51:46.936299 IP 192.168.1.7.52555 > 192.168.1.2.sunrpc: . ack 33 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.936416 IP 192.168.1.7.52555 > 192.168.1.2.sunrpc: F 61:61(0) ack 33 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.936578 IP 192.168.1.2.sunrpc > 192.168.1.7.52555: F 33:33(0) ack 62 win 5792 <nop,nop,timestamp 1562445142 1868399>
10:51:46.936624 IP 192.168.1.7.52555 > 192.168.1.2.sunrpc: . ack 34 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.936696 IP 192.168.1.7.0 > 192.168.1.2.2049: 0 proc-822083584
10:51:46.936827 IP 192.168.1.2.2049 > 192.168.1.7.0: reply ok 0 proc-822083584
10:51:46.936862 IP 192.168.1.7.50476 > 192.168.1.2.nfs: . ack 267188051 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.936977 IP 192.168.1.7.1144775712 > 192.168.1.2.2049: 44 null
10:51:46.937104 IP 192.168.1.2.nfs > 192.168.1.7.50476: . ack 44 win 5792 <nop,nop,timestamp 1562445142 1868399>
10:51:46.937186 IP 192.168.1.2.2049 > 192.168.1.7.1144775712: reply ok 28 null
10:51:46.937206 IP 192.168.1.7.50476 > 192.168.1.2.nfs: . ack 29 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.937289 IP 192.168.1.7.50476 > 192.168.1.2.nfs: F 44:44(0) ack 29 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.937403 IP 192.168.1.2.nfs > 192.168.1.7.50476: F 29:29(0) ack 45 win 5792 <nop,nop,timestamp 1562445142 1868399>
10:51:46.937446 IP 192.168.1.7.50476 > 192.168.1.2.nfs: . ack 30 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.937508 IP 192.168.1.7.59135 > 192.168.1.2.sunrpc: S 1174750219:1174750219(0) win 5840 <mss 1460,sackOK,timestamp 1868399 0,nop,wscale 2>
10:51:46.937620 IP 192.168.1.2.sunrpc > 192.168.1.7.59135: S 272208753:272208753(0) ack 1174750220 win 5792 <mss 1460,sackOK,timestamp 1562445142 1868399,nop,wscale 0>
10:51:46.937651 IP 192.168.1.7.59135 > 192.168.1.2.sunrpc: . ack 1 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.937732 IP 192.168.1.7.59135 > 192.168.1.2.sunrpc: P 1:61(60) ack 1 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.937859 IP 192.168.1.2.sunrpc > 192.168.1.7.59135: . ack 61 win 5792 <nop,nop,timestamp 1562445142 1868399>
10:51:46.938268 IP 192.168.1.2.sunrpc > 192.168.1.7.59135: P 1:33(32) ack 61 win 5792 <nop,nop,timestamp 1562445142 1868399>
10:51:46.938286 IP 192.168.1.7.59135 > 192.168.1.2.sunrpc: . ack 33 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.938366 IP 192.168.1.7.59135 > 192.168.1.2.sunrpc: F 61:61(0) ack 33 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.938467 IP 192.168.1.7.47444 > 192.168.1.2.13000: S 1184303366:1184303366(0) win 5840 <mss 1460,sackOK,timestamp 1868399 0,nop,wscale 2>
10:51:46.938529 IP 192.168.1.2.sunrpc > 192.168.1.7.59135: F 33:33(0) ack 62 win 5792 <nop,nop,timestamp 1562445142 1868399>
10:51:46.938564 IP 192.168.1.7.59135 > 192.168.1.2.sunrpc: . ack 34 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.938610 IP 192.168.1.2.13000 > 192.168.1.7.47444: S 266106598:266106598(0) ack 1184303367 win 5792 <mss 1460,sackOK,timestamp 1562445142 1868399,nop,wscale 0>
10:51:46.938635 IP 192.168.1.7.47444 > 192.168.1.2.13000: . ack 1 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.938730 IP 192.168.1.7.47444 > 192.168.1.2.13000: P 1:45(44) ack 1 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.938859 IP 192.168.1.2.13000 > 192.168.1.7.47444: . ack 45 win 5792 <nop,nop,timestamp 1562445142 1868399>
10:51:46.939022 IP 192.168.1.2.13000 > 192.168.1.7.47444: P 1:29(28) ack 45 win 5792 <nop,nop,timestamp 1562445142 1868399>
10:51:46.939040 IP 192.168.1.7.47444 > 192.168.1.2.13000: . ack 29 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.939119 IP 192.168.1.7.47444 > 192.168.1.2.13000: F 45:45(0) ack 29 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.939264 IP 192.168.1.2.13000 > 192.168.1.7.47444: F 29:29(0) ack 46 win 5792 <nop,nop,timestamp 1562445142 1868399>
10:51:46.939310 IP 192.168.1.7.47444 > 192.168.1.2.13000: . ack 30 win 1460 <nop,nop,timestamp 1868400 1562445142>
10:51:46.939456 IP 192.168.1.7.841 > 192.168.1.2.13000: S 1180637782:1180637782(0) win 5840 <mss 1460,sackOK,timestamp 1868400 0,nop,wscale 2>
10:51:46.939578 IP 192.168.1.2.13000 > 192.168.1.7.841: S 277006488:277006488(0) ack 1180637783 win 5792 <mss 1460,sackOK,timestamp 1562445142 1868400,nop,wscale 0>
10:51:46.939618 IP 192.168.1.7.841 > 192.168.1.2.13000: . ack 1 win 1460 <nop,nop,timestamp 1868400 1562445142>
10:51:46.939776 IP 192.168.1.7.841 > 192.168.1.2.13000: P 1:125(124) ack 1 win 1460 <nop,nop,timestamp 1868400 1562445142>
10:51:46.939930 IP 192.168.1.2.13000 > 192.168.1.7.841: . ack 125 win 5792 <nop,nop,timestamp 1562445142 1868400>
10:51:46.943304 IP 192.168.1.2.13000 > 192.168.1.7.841: P 1:61(60) ack 125 win 5792 <nop,nop,timestamp 1562445142 1868400>
10:51:46.943393 IP 192.168.1.7.841 > 192.168.1.2.13000: . ack 61 win 1460 <nop,nop,timestamp 1868401 1562445142>
10:51:46.945084 IP 192.168.1.7.841 > 192.168.1.2.13000: F 125:125(0) ack 61 win 1460 <nop,nop,timestamp 1868401 1562445142>
10:51:46.945285 IP 192.168.1.2.13000 > 192.168.1.7.841: F 61:61(0) ack 126 win 5792 <nop,nop,timestamp 1562445142 1868401>
10:51:46.945359 IP 192.168.1.7.841 > 192.168.1.2.13000: . ack 62 win 1460 <nop,nop,timestamp 1868401 1562445142>
10:51:47.524516 IP 192.168.1.7.0 > 192.168.1.2.2049: 0 proc-822083584
10:51:47.524690 IP 192.168.1.2.2049 > 192.168.1.7.0: reply ok 0 proc-822083584
10:51:47.524766 IP 192.168.1.7.1023 > 192.168.1.2.nfs: . ack 272042302 win 1460 <nop,nop,timestamp 1868546 1562445200>
10:51:47.525467 IP 192.168.1.7.3602751060 > 192.168.1.2.2049: 44 null
10:51:47.525613 IP 192.168.1.2.nfs > 192.168.1.7.1023: . ack 44 win 5792 <nop,nop,timestamp 1562445200 1868546>
10:51:47.525712 IP 192.168.1.2.2049 > 192.168.1.7.3602751060: reply ok 28 null
10:51:47.525739 IP 192.168.1.7.1023 > 192.168.1.2.nfs: . ack 29 win 1460 <nop,nop,timestamp 1868546 1562445201>
10:51:47.526345 IP 192.168.1.7.3619528276 > 192.168.1.2.2049: 44 null
10:51:47.526499 IP 192.168.1.2.2049 > 192.168.1.7.3619528276: reply ok 28 null
10:51:47.527054 IP 192.168.1.7.3636305492 > 192.168.1.2.2049: 116 fsinfo [|nfs]
10:51:47.527276 IP 192.168.1.2.2049 > 192.168.1.7.3636305492: reply ok 84 fsinfo [|nfs]
10:51:47.527902 IP 192.168.1.7.3653082708 > 192.168.1.2.2049: 116 getattr [|nfs]
10:51:47.528113 IP 192.168.1.2.2049 > 192.168.1.7.3653082708: reply ok 116 getattr [|nfs]
10:51:47.567347 IP 192.168.1.7.1023 > 192.168.1.2.nfs: . ack 257 win 1460 <nop,nop,timestamp 1868557 1562445201>
10:51:47.894543 IP 192.168.1.7.3669859924 > 192.168.1.2.2049: 96 access [|nfs]
10:51:47.894826 IP 192.168.1.2.2049 > 192.168.1.7.3669859924: reply ok 124 access [|nfs]
10:51:47.894900 IP 192.168.1.7.1023 > 192.168.1.2.nfs: . ack 381 win 1460 <nop,nop,timestamp 1868638 1562445237>
10:51:47.895621 IP 192.168.1.7.3686637140 > 192.168.1.2.2049: 108 lookup [|nfs]
10:51:47.895838 IP 192.168.1.2.2049 > 192.168.1.7.3686637140: reply ok 120 lookup [|nfs]
10:51:47.935379 IP 192.168.1.7.1023 > 192.168.1.2.nfs: . ack 501 win 1460 <nop,nop,timestamp 1868649 1562445238>

70 packets captured
140 packets received by filter
0 packets dropped by kernel

Comparing the two, when filtering is enabled on iiyama, after the request from etower (192.168.1.7) to port 2049 on iiyama (192.168.1.2) there is no reply from port 2049 on iiyama (192.168.1.2) back to etower (192.168.1.7).
10:51:46.936696 IP 192.168.1.7.0 > 192.168.1.2.2049: 0 proc-822083584
10:51:46.936827 IP 192.168.1.2.2049 > 192.168.1.7.0: reply ok 0 proc-822083584

In the filtering rules, INPUT and OUTPUT for port 2049 are allowed, but is that not enough?
I would appreciate any advice.
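Added example, not part of the original post: a small Python script that does the comparison made above mechanically. It pairs each decoded NFS RPC call in a `tcpdump -n` capture with its reply and lists the calls that never received one. It relies on tcpdump's convention of printing the RPC XID in place of the client port on decoded NFS (port 2049) lines, so a call `client.XID > server.2049` and its reply `server.2049 > client.XID` can be matched on (client, XID). The sample lines are a subset of the two captures in this post; everything else (function names, the report format) is this example's own.

```python
import re
from collections import Counter

# A tcpdump -n line: "HH:MM:SS.usec IP a.b.c.d.PORT > a.b.c.d.PORT: rest"
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP '
    r'(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): (?P<rest>.*)$'
)
# TCP segment lines start with flag letters ("S ", ". ack", "P 1:61(60)", "F ...")
TCP_FLAGS_RE = re.compile(r'^[SFRP.]+ ')
NFS_PORT = "2049"

# Lines taken from the post's first capture (filtering enabled on the server).
FILTERED_CAPTURE = """\
09:17:53.857269 IP 192.168.1.7.41332 > 192.168.1.2.sunrpc: F 61:61(0) ack 33 win 1460 <nop,nop,timestamp 460217 1561881741>
09:17:53.857591 IP 192.168.1.7.0 > 192.168.1.2.2049: 0 proc-822083584
09:17:56.855387 IP 192.168.1.7.0 > 192.168.1.2.2049: 0 proc-822083584
09:18:02.855753 IP 192.168.1.7.1094926659 > 192.168.1.2.2049: 0 proc-822083584
""".splitlines()

# Lines taken from the post's second capture (filtering disabled on the server).
UNFILTERED_CAPTURE = """\
10:51:46.936696 IP 192.168.1.7.0 > 192.168.1.2.2049: 0 proc-822083584
10:51:46.936827 IP 192.168.1.2.2049 > 192.168.1.7.0: reply ok 0 proc-822083584
10:51:46.936862 IP 192.168.1.7.50476 > 192.168.1.2.nfs: . ack 267188051 win 1460 <nop,nop,timestamp 1868399 1562445142>
10:51:46.936977 IP 192.168.1.7.1144775712 > 192.168.1.2.2049: 44 null
10:51:46.937104 IP 192.168.1.2.nfs > 192.168.1.7.50476: . ack 44 win 5792 <nop,nop,timestamp 1562445142 1868399>
10:51:46.937186 IP 192.168.1.2.2049 > 192.168.1.7.1144775712: reply ok 28 null
10:51:47.524516 IP 192.168.1.7.0 > 192.168.1.2.2049: 0 proc-822083584
10:51:47.524690 IP 192.168.1.2.2049 > 192.168.1.7.0: reply ok 0 proc-822083584
10:51:47.527054 IP 192.168.1.7.3636305492 > 192.168.1.2.2049: 116 fsinfo [|nfs]
10:51:47.527276 IP 192.168.1.2.2049 > 192.168.1.7.3636305492: reply ok 84 fsinfo [|nfs]
10:51:47.527902 IP 192.168.1.7.3653082708 > 192.168.1.2.2049: 116 getattr [|nfs]
10:51:47.528113 IP 192.168.1.2.2049 > 192.168.1.7.3653082708: reply ok 116 getattr [|nfs]
""".splitlines()


def parse_line(line):
    """Split one tcpdump line into its fields, or return None for non-IP lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def rpc_events(lines):
    """Yield (kind, client, xid, proc) for every decoded NFS RPC line.

    kind is 'call' for client.XID > server.2049 and 'reply' for the reverse.
    Plain TCP segment lines (flags, acks) are skipped: they carry no RPC decode.
    """
    for line in lines:
        p = parse_line(line)
        if p is None or TCP_FLAGS_RE.match(p["rest"]):
            continue
        fields = p["rest"].split()
        if p["dport"] == NFS_PORT and fields and fields[0] != "reply":
            # call: "<len> <proc> ..." e.g. "116 fsinfo [|nfs]" or "0 proc-822083584"
            proc = fields[1] if len(fields) > 1 else "?"
            yield ("call", p["src"], p["sport"], proc)
        elif p["sport"] == NFS_PORT and fields and fields[0] == "reply":
            # reply: "reply ok <len> <proc> ..."
            proc = fields[3] if len(fields) > 3 else "?"
            yield ("reply", p["dst"], p["dport"], proc)


def unanswered_calls(lines):
    """Return {(client, xid, proc): n} for NFS calls with more calls than replies.

    Retransmissions of the same XID count separately, so a call repeated three
    times with no answer is reported as 3 outstanding.
    """
    calls, replies = Counter(), Counter()
    for kind, client, xid, proc in rpc_events(lines):
        (calls if kind == "call" else replies)[(client, xid, proc)] += 1
    return {key: n - replies[key] for key, n in calls.items() if n > replies[key]}


def report(name, lines):
    """Print a short summary of unanswered NFS calls for one capture."""
    missing = unanswered_calls(lines)
    print(f"{name}: {sum(missing.values())} unanswered NFS call(s)")
    for (client, xid, proc), n in sorted(missing.items()):
        print(f"  {client} xid={xid} {proc}: {n} call(s) without reply")


if __name__ == "__main__":
    report("filtering enabled", FILTERED_CAPTURE)
    report("filtering disabled", UNFILTERED_CAPTURE)
```

Run against the two captures, the first reports three calls to port 2049 that were never answered (two with XID 0 and one with XID 1094926659, all retries of the same procedure) and the second reports none, which is exactly the difference noted above. Two caveats when reading such output: the `[|nfs]` marker on the fsinfo and getattr lines means the 96-byte capture size cut the packet off before the full NFS decode, so capturing with `-s 0` (or a larger snaplen) gives complete arguments; and a decoded line shows the RPC procedure but not whether it travelled over TCP or UDP, so a rule check on the server should cover both transports for 2049 as well as the other ports the capture shows in use (sunrpc and 13000).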