[ adding the list back to Cc ]
On Thu, 2007-11-22 at 14:28 +0100, Marcus Rueckert wrote:
> On 2007-11-22 13:31:59 +0100, Karsten Bräckelmann wrote:
> > And impossible for SuSE out-of-the-box, given their braindead [1] init scripts.
> what is so braindead about it?
See these posts, the second one in particular. Also, my original Shorewall rules and documentation might be interesting.
http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg03986.h...
http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg03985.h...
Please note that the initial reason for the above pinning down NFS ports is firewall-friendly behavior and sane rules. With NFS, most involved services use random ports by default, particularly statd, lockd, mountd, rquotad. Which leads to somewhat unsatisfying rules as shown in [1].
The init script shipped by SuSE offers no way whatsoever to pass rpc.statd options, even though it does for rpc.mountd -- and thus no way to pin down the port out-of-the-box short of hacking the init script.
Marcus, please feel free to keep me posted on this issue and a fix. I'll happily forward updates to the Shorewall lists.
guenther
[1] http://shorewall.net/ports.htm#NFS
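A check for the pinned-port setup discussed above, as an added example that is not part of the original mail or of Shorewall's documentation: it parses `rpcinfo -p` output (a constructed sample is embedded below) and reports which RPC services are still not on the port the firewall rules expect. The port numbers are assumed values chosen for illustration.

```shell
#!/bin/sh
# Ports we expect the NFS helper daemons to be pinned to (assumed values).
# With nfs-utils they are set by starting the daemons with these options:
#   rpc.statd   -p $STATD_PORT  (and -o for the outgoing port)
#   rpc.mountd  -p $MOUNTD_PORT
#   rpc.rquotad -p $RQUOTAD_PORT
#   lockd: sysctl fs.nfs.nlm_tcpport / fs.nfs.nlm_udpport
STATD_PORT=4000
LOCKD_PORT=4001
MOUNTD_PORT=4002
RQUOTAD_PORT=4003

# Constructed sample of `rpcinfo -p`: statd (service "status") still uses
# random ports, the other three are pinned.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32769  status
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100011    1   udp   4003  rquotad
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# check_pinned SERVICE PORT RPCINFO_TEXT
# Returns 0 only if SERVICE is registered and every registration uses PORT.
check_pinned() {
    svc=$1; want=$2; text=$3
    printf '%s\n' "$text" | awk -v svc="$svc" -v want="$want" '
        $5 == svc { n++; if ($4 != want) bad++ }
        END { exit (n == 0 || bad > 0) ? 1 : 0 }'
}

# unpinned_services RPCINFO_TEXT
# Prints one line per service that is missing or not on its expected port.
unpinned_services() {
    text=$1
    for pair in "status:$STATD_PORT" "nlockmgr:$LOCKD_PORT" \
                "mountd:$MOUNTD_PORT" "rquotad:$RQUOTAD_PORT"; do
        svc=${pair%%:*}; port=${pair#*:}
        check_pinned "$svc" "$port" "$text" || printf '%s\n' "$svc"
    done
}
```

On a live host, feed it `rpcinfo -p` instead of the sample: `unpinned_services "$(rpcinfo -p)"`.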