External source attempting to access my NFS share


#1

Post by jamaroney »

For many months I have gotten the following log message every 3-4 days:

mountd: mount request denied from 35.187.98.101 for /mnt/NAS (each time the IP address is different)

It would seem that external sources are attempting (unsuccessfully) to access my NFS share. Is that a correct interpretation?

Have any of you experienced this? Is there a way to prevent an outside source from even initiating such an attempt?
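
One way to check the interpretation asked about in post #1 from the logs themselves (an added example, not part of the original thread): parse the mountd denial lines and tally the sources that lie outside the LAN. The `192.168.1.0/24` LAN range, the syslog prefix and every sample line except the address 35.187.98.101 are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the LAN that is allowed to mount the share (not from the thread).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

DENIED = re.compile(
    r"mountd(?:\[\d+\])?: mount request denied from (?P<src>\S+) for (?P<path>\S+)"
)

def denied_mounts(lines):
    """Yield (source address, export path) for each denied mount request."""
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # source logged as something other than an IP address
        yield src, m.group("path")

def external_sources(lines):
    """Count denied requests per (source, path) for sources outside LOCAL_NETS."""
    counts = Counter()
    for src, path in denied_mounts(lines):
        if not any(src in net for net in LOCAL_NETS):
            counts[(str(src), path)] += 1
    return counts

# Constructed sample log; only the first address appears in the thread.
SAMPLE_LOG = """\
Apr 25 03:14:07 nas mountd[912]: mount request denied from 35.187.98.101 for /mnt/NAS
Apr 26 11:02:41 nas mountd[912]: mount request succeeded from 192.168.1.20 for /mnt/NAS
Apr 28 19:45:10 nas mountd[912]: mount request denied from 198.51.100.23 for /mnt/NAS
Apr 28 19:45:12 nas mountd[912]: mount request denied from 198.51.100.23 for /mnt/NAS
Apr 29 08:30:00 nas mountd[912]: mount request denied from 192.168.1.77 for /mnt/private
""".splitlines()

if __name__ == "__main__":
    for (src, path), n in external_sources(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src:15s}  {path}")
```

Any address reported here reached mountd from outside the LAN, which means the portmapper and NFS ports are reachable on some interface that faces the internet.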


Re: External source attempting to access my NFS share

#2

Post by raulfg3 »

Close ports 111 (TCP and UDP) and 2049 (TCP and UDP) for the NFS server on your router.
12.1.0.4 - Ingva (revision 7743) on SUPERMICRO X8SIL-F 8GB of ECC RAM, 11x3TB disk in 1 vdev = Vpool = 32TB Raw size , so 29TB usable size (I Have other NAS as Backup)


HP T510


Re: External source attempting to access my NFS share

#3

Post by jamaroney »

raulfg3 wrote:
28 Apr 2020 18:12
Close ports 111 (TCP and UDP) and 2049 (TCP and UDP) for the NFS server on your router.

I have a router running DD-WRT, so I assume I would use iptables commands.

Would I close these ports for ALL users?


Re: External source attempting to access my NFS share

#4

Post by cookiemonster »

I'm curious with this one. If those ports needed to be closed at the router, then it means they are open there in the first place. The router is doing NAT for your NAS I assume. Therefore they would not be open by default.
Did you open them before?
Main: Xigmanas 11.2.0.4 x64-full-RootOnZFS as ESXi VM with 24GB memory.
Main Host: Supermicro X8DT3 Memory: 72GB ECC; 2 Xeon E5645 CPUs; Storage: (HBA) - LSI SAS 9211-4i with 3 SATA x 1 TB in raidZ1, 1 x 3 TB SAS drive as single stripe, 3 x 4 TB SAS drives in raidZ1.
Spare1: HP DL360 G7; 6 GB ECC RAM; 1 Xeon CPU; 5 x 500 GB disks on H210i
Backup1: HP DL380 G7; 24 GB ECC RAM; 2 Xeon E5645 CPUs; 8 x 500 GB disks on IBM M1015 flashed to LSI9211-IT


Re: External source attempting to access my NFS share

#5

Post by jamaroney »

cookiemonster wrote:
28 Apr 2020 21:49
I'm curious with this one. If those ports needed to be closed at the router, then it means they are open there in the first place. The router is doing NAT for your NAS I assume. Therefore they would not be open by default.
Did you open them before?

REVISED
My router ports are fine (closed).

But my XNAS runs through a VPN (the rest of my home network doesn't). When I check ports 111 and 2049 through the VPN address (via sites like www.yougetsignal.com), they are supposedly open.

Is there some way I can close them to external sources? Would I use XNAS ipfw rules? If so, any guidelines would be appreciated.
Last edited by jamaroney on 29 Apr 2020 14:05, edited 1 time in total.


Re: External source attempting to access my NFS share

#6

Post by cookiemonster »

It makes sense now. I'm on 11.3 and I can see it in the GUI: Network > Firewall.
Wouldn't it be possible to enable it and add the rule? My guess is that it is a front end to the XN firewall, but I don't know which one it uses when enabled there. I think that will accomplish what you want.


Re: External source attempting to access my NFS share

#7

Post by cookiemonster »

I just looked around and in /etc/ there is an rc.firewall script.
It seems to be for ipfw indeed.


Re: External source attempting to access my NFS share

#8

Post by jamaroney »

In lieu of the firewall GUI, I've been using a firewall script for quite some time, and was hoping to add just a few lines to block ports 111 and 2049 from external sources (which would always be coming through my VPN via tun0):

ipfw -q add 00111 deny ip from any to any 111 via tun0
ipfw -q add 00118 deny ip from any to any 2049 via tun0

These additions must be working to some degree - if I eliminate the "via tun0" from both lines, then, as expected, I can't access my NFS share at all. But with the addition of "via tun0" I then have local access.

But, in either scenario, port checkers on the web still report that both ports are open (but only through the VPN address).

Is there something I'm missing?


Re: External source attempting to access my NFS share

#9

Post by jamaroney »

Finally figured out the problem. The numbers for those rules were too high. I made them much lower - almost first on the list - and all is now OK.

Hopefully, that will address the issue of unwanted external sources trying to access my NFS share.
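
Why the rule numbers mattered in posts #8 and #9, as an added example that is not part of the original thread: ipfw checks rules in ascending number order and stops at the first allow or deny that matches. The small model below assumes an earlier allow rule on tun0 (number 00100), a catch-all allow rule, the LAN interface name `em0`, the new rule numbers 00011 and 00012, and a default-deny final rule; none of these appear in the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    dst_port: Optional[int] = None   # None matches any destination port
    via: Optional[str] = None        # None matches any interface

    def matches(self, dst_port, iface):
        return (self.dst_port in (None, dst_port)
                and self.via in (None, iface))

def evaluate(rules, dst_port, iface):
    """Return (action, rule number) of the first matching rule, lowest number first."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(dst_port, iface):
            return rule.action, rule.number
    return "deny", 65535             # assumed default rule: deny everything

# Constructed rule sets; only the deny rules 00111 and 00118 come from the thread.
VPN_ALLOW = Rule(100, "allow", via="tun0")   # hypothetical earlier VPN rule
CATCH_ALL = Rule(65000, "allow")             # hypothetical catch-all rule

# Post #8: deny rules numbered after the VPN allow rule, so they never fire on tun0.
TOO_LATE = [VPN_ALLOW, Rule(111, "deny", 111, "tun0"),
            Rule(118, "deny", 2049, "tun0"), CATCH_ALL]
# Post #8 without "via tun0": LAN clients are cut off, tun0 is still allowed by 00100.
NO_VIA = [VPN_ALLOW, Rule(111, "deny", 111), Rule(118, "deny", 2049), CATCH_ALL]
# Post #9: the same deny rules moved near the top of the list.
MOVED_UP = [Rule(11, "deny", 111, "tun0"), Rule(12, "deny", 2049, "tun0"),
            VPN_ALLOW, CATCH_ALL]

if __name__ == "__main__":
    for name, rules in (("too late", TOO_LATE), ("no via", NO_VIA),
                        ("moved up", MOVED_UP)):
        for iface in ("tun0", "em0"):
            print(name, iface, 2049, evaluate(rules, 2049, iface))
```

On the NAS itself, `ipfw list` prints the active rules in evaluation order, which shows whether a broader allow rule sits ahead of the two deny rules.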
