Firewall Wizards mailing list archives

Re: NFS and Cisco


From: Roelof JT Jonkman <rjt () pobox com>
Date: Mon, 21 Nov 2005 18:15:49 -0800

Hermit,

Without knowing too many details, two things stand out in your note: fragments
and drops.

That seems to suggest that there are two things happening in your network:

- Mismatched MTUs at various places. Do you have gigabit, and if you do, is
  anything set to use jumbo MTUs? (Particularly servers?) As soon as you
  go down to 10/100 you're back to 1514-byte MTUs again, so you'll have
  to fragment there.
- Firewalls have a bit of an opportunistic tendency to drop IP fragments.
  (For good reason: lots of ways of evading if they were to pass IP frags
  untouched, see fragroute(r) etc.)

I would chase your 'source' of fragments first, and if you can't figure that
out, see if you can tweak the firewall/routers to deal a bit more politely with
frags. (However, be aware that if you're tweaking the firewall to be more liberal
with regard to frags you may open yourself up a bit; see the aforementioned tools.)

Not to be too blunt, but why are you forced to do NFS over a firewall? There
is a myriad of security problems you potentially open up (portmap, statd,
lockd, potentially nasty RPC-level attacks).

                roel


I have been seeing NFS problems on my network lately, after NFS worked well for
years. The major change is that the network folks have put in a lot of new
Cisco equipment. When I run tcpdump on the NFS server and client I see the
client sending packets to the server, the server getting them and replying,
but the reply packets never make it to the client. I often see fragment flags
on the packets, and I started to wonder if Cisco switches or routers might
have a habit of dropping fragmented packets. When packets go through the Nokia
firewall, sometimes packets get dropped because the port doesn't seem to be
recognized as part of the NFS connection, and sometimes packets don't get
dropped at all. Any suggestions will be welcome.

hermit921
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
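Roel's suggestion to chase the source of fragments first can be scripted against the tcpdump output hermit921 is already collecting. The following is an added example, not code from either poster: it parses constructed tcpdump -v style lines (format assumed), groups fragments by source, destination and IP id, and reports each fragmented datagram's size and whether a fragment went missing between server and client. It assumes IPv4 without options, so the largest unfragmented UDP payload at the 1500-byte MTU behind a 1514-byte Ethernet frame is 1472 bytes.

```python
import re
from collections import defaultdict
# Constructed tcpdump -v style lines (format assumed): one 4096-byte NFS read reply
# from 10.0.0.1 arrives as three fragments (id 4711); id 4712 lost its middle piece.
SAMPLE = """\
12:00:00.000001 IP (tos 0x0, ttl 64, id 4711, offset 0, flags [+], proto UDP (17), length 1500)
    10.0.0.1.2049 > 10.0.0.2.1023: UDP, bad length 4096 > 1472
12:00:00.000002 IP (tos 0x0, ttl 64, id 4711, offset 1480, flags [+], proto UDP (17), length 1500)
    10.0.0.1 > 10.0.0.2: ip-proto-17
12:00:00.000003 IP (tos 0x0, ttl 64, id 4711, offset 2960, flags [none], proto UDP (17), length 1164)
    10.0.0.1 > 10.0.0.2: ip-proto-17
12:00:00.000004 IP (tos 0x0, ttl 64, id 4712, offset 0, flags [+], proto UDP (17), length 1500)
    10.0.0.1.2049 > 10.0.0.2.1023: UDP, bad length 4096 > 1472
12:00:00.000005 IP (tos 0x0, ttl 64, id 4712, offset 2960, flags [none], proto UDP (17), length 1164)
    10.0.0.1 > 10.0.0.2: ip-proto-17
"""
HDR = re.compile(r"id (\d+), offset (\d+), flags \[([^\]]*)\], proto \w+ \(\d+\), length (\d+)\)")
ADDR = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)")

def max_udp_payload(mtu=1500):
    return mtu - 20 - 8  # IPv4 header (no options) + UDP header: 1472 at MTU 1500

def parse_fragments(text):
    """Map (src, dst, ip_id) -> sorted [(offset, payload_bytes, more_flag)], fragments only."""
    frags, hdr = defaultdict(list), None
    for line in text.splitlines():
        m = HDR.search(line)
        if m:  # IP header line: keep it until the address line that follows
            ip_id, off, flags, length = m.groups()
            hdr = (int(ip_id), int(off), int(length) - 20, "+" in flags)
            continue
        a = ADDR.match(line)
        if a and hdr:
            ip_id, off, plen, more = hdr
            if off or more:  # offset 0 with MF clear is an unfragmented datagram
                frags[(a.group(1), a.group(2), ip_id)].append((off, plen, more))
            hdr = None
    return {k: sorted(v) for k, v in frags.items()}

def analyse(frags):
    """Per datagram: fragment count, payload bytes covered, and whether the set is complete."""
    report = {}
    for key, pieces in frags.items():
        expected, gap = 0, False
        for off, plen, more in pieces:
            gap = gap or off != expected  # a hole means a fragment was dropped in transit
            expected = off + plen
        complete = not gap and not pieces[-1][2]  # last piece must have MF clear
        report[key] = {"fragments": len(pieces), "bytes": expected, "complete": complete}
    return report
```

Run the same parse on captures taken on the server and on the client: an id that is complete on the server side and incomplete on the client side names the hop that is eating fragments.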
