From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020606

Description of problem:
Since, when trying to mount an nfs share, the mountd daemon on the server chooses a random udp port number which the client needs to allow access to, the default ipchains configuration in lokkit prevents the user from mounting nfs shares. A simple solution would be to allow lokkit to select nfs servers, and open up those udp ports from that server. This is a lot less a security risk than the consensus I read in mailing list archives and on newsgroups, which tells people to turn ipchains off completely for mounting nfs shares.

I added to /etc/sysconfig/ipchains the following line

    -A input -s 192.168.1.3 -d 0/0 0:1023 -p udp -j ACCEPT

right before this line put in by lokkit:

    -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT

This allows my machine to mount nfs shares served by the server at 192.168.1.3. I suspect adding this to lokkit should be very simple, hopefully it'll be doable before the next (7.4/8.0) release ;)

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. run lokkit and set up a default firewall
2. activate ipchains (service ipchains start)
3. try to mount an nfs share

Actual Results: got an RPC: Timed out error after some time

Expected Results: it should work

Additional info:
This is an enhancement proposal to lokkit. Adding the option of selecting known nfs servers and punching them through the firewall rules would be a good feature as this seems to confuse a whole lot of people out there.
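The rule ordering in the report above, as an added example that is not part of the original report or of lokkit: a first-match evaluator over the two quoted rules, showing that the exception opens low UDP ports only to 192.168.1.3 and only when it precedes the REJECT. The client address 192.168.1.10, the peer 192.168.1.9, the port numbers and the `POLICY` marker are constructed for illustration, and it assumes the server's replies arrive on a client port below 1024.

```python
import ipaddress

ADDED = "-A input -s 192.168.1.3 -d 0/0 0:1023 -p udp -j ACCEPT"   # rule from the report
LOKKIT = "-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT"          # lokkit rule from the report

def parse_rule(line):
    """Parse the small subset of ipchains rule syntax used by the two rules above."""
    tok, rule, i = line.split(), {"ports": {}}, 0
    while i < len(tok):
        opt, val = tok[i], tok[i + 1]
        i += 2
        if opt in ("-s", "-d"):
            rule[opt] = ipaddress.ip_network("0.0.0.0/0" if val == "0/0" else val)
            if i < len(tok) and not tok[i].startswith("-"):   # optional port[:port]
                lo, _, hi = tok[i].partition(":")
                rule["ports"][opt] = (int(lo), int(hi or lo))
                i += 1
        else:
            rule[opt] = val                                   # -A chain, -p proto, -j target
    return rule

def matches(rule, proto, src, sport, dst, dport):
    if rule.get("-p") not in (None, proto):
        return False
    for opt, addr, port in (("-s", src, sport), ("-d", dst, dport)):
        if opt in rule and ipaddress.ip_address(addr) not in rule[opt]:
            return False
        lo, hi = rule["ports"].get(opt, (0, 65535))
        if not lo <= port <= hi:
            return False
    return True

def verdict(lines, **pkt):
    """First matching rule decides; 'POLICY' means no rule matched (chain policy applies)."""
    for rule in map(parse_rule, lines):
        if matches(rule, **pkt):
            return rule["-j"]
    return "POLICY"

def reply(src, dport):
    # Constructed packet: UDP datagram arriving at a hypothetical client 192.168.1.10.
    return dict(proto="udp", src=src, sport=32771, dst="192.168.1.10", dport=dport)

if __name__ == "__main__":
    for name, rules in (("lokkit default", [LOKKIT]), ("exception first", [ADDED, LOKKIT]),
                        ("exception last", [LOKKIT, ADDED])):
        for src in ("192.168.1.3", "192.168.1.9"):
            print(f"{name:16} from {src:12} -> {verdict(rules, **reply(src, 800))}")
```

Placing the exception after the REJECT leaves the mount timing out, which is why the report inserts it "right before" the lokkit line.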
Not an ipchains issue. Reassigning to gnome-lokkit
Won't be done for this release; we really aren't in a position to change the UI at this point.

*** This bug has been marked as a duplicate of 52110 ***
Hm, can I get some more feedback on this? You marked this bug as a duplicate of another bug, which was filed "not doable". First of all, I think it's very much doable, as I just proposed. Second, judging from the amount of posts on it on dejanews and other places, it's a very real issue, which is getting "fixed" by turning off iptables. Third, I can understand that it might be too late to change the UI (even though the impact is minimal) for the next release, but AT LEAST consider it for the release after that. People will thank you ;)
Hm, OK.