NFS tcp wrapper situation

Chris Adams cmadams at hiwaay.net
Thu Jan 22 03:03:20 UTC 2009


Once upon a time, Jesse Keating <jkeating at redhat.com> said:
> On Wed, 2009-01-21 at 18:48 -0600, Chris Adams wrote:
> > That brings me back to RPC services though, which means NFS (which
> > started all of this).  Some of the NFS component services have fixed
> > ports now (even though they still register with portmapper), such as
> > nfsd (2049) and rquotad (875), but I believe that mountd, lockd, and
> > statd all run on portmapper-assigned random ports.  The only way to
> > control access to them is currently TCP_wrappers.
> 
> However, each of these does allow you to set a specific port they'll run
> on, so that you /can/ use iptables with them.  I've been running them
> that way for years.

I saw that, but I haven't tried it myself.  I guess they still register
with portmapper (i.e. portmapper allows a program to require a specific
port; I haven't done RPC programming in at least 10 years), since that
appears to be how nfsd and rquotad work.

It looks like the init scripts already support setting this (including
for the kernel lockd using sysctl).

Is there a reason to not go ahead and do that for Fedora 11?  That would
make recommending iptables instead of tcp_wrappers a lot easier.
-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
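The configuration the thread is discussing, as an added example that is not part of the original message or of the nfs-utils project: pin mountd, statd, rquotad and the kernel lockd to fixed ports, then generate iptables rules that let only one network reach portmapper and the NFS ports, so the packet filter rather than tcp_wrappers controls access. The /etc/sysconfig/nfs variable names and the fs.nfs.nlm_* sysctl keys are assumptions based on the Fedora nfs-utils init scripts of that era; the port numbers other than 2049 and 875 are constructed for the example, and the network 192.0.2.0/24 is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from the nfs-utils project.
# Pins the NFS helper daemons to fixed ports and generates the matching
# iptables rules, so access can be limited with the packet filter instead
# of tcp_wrappers. The /etc/sysconfig/nfs variable names and the sysctl
# keys are assumptions based on the Fedora nfs-utils init scripts; check
# them against the installed /etc/rc.d/init.d/nfs* scripts before use.

# Port assignments. 2049 (nfsd) and 875 (rquotad) are the fixed ports
# named in the thread; the others are constructed values for this example.
PORTMAP_PORT=111
NFSD_PORT=2049
RQUOTAD_PORT=875
MOUNTD_PORT=892
STATD_PORT=662
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769

# Fragment for /etc/sysconfig/nfs. The init scripts pass these values to
# rpc.mountd, rpc.statd and rpc.rquotad (-p) and to the lockd sysctls.
nfs_sysconfig_fragment() {
    cat <<EOF
RQUOTAD_PORT=$RQUOTAD_PORT
MOUNTD_PORT=$MOUNTD_PORT
STATD_PORT=$STATD_PORT
LOCKD_TCPPORT=$LOCKD_TCPPORT
LOCKD_UDPPORT=$LOCKD_UDPPORT
EOF
}

# Equivalent sysctl lines for the in-kernel lockd (for /etc/sysctl.conf).
nfs_lockd_sysctl() {
    printf 'fs.nfs.nlm_tcpport = %s\n' "$LOCKD_TCPPORT"
    printf 'fs.nfs.nlm_udpport = %s\n' "$LOCKD_UDPPORT"
}

# One ACCEPT rule for network $1 and one DROP rule for everyone else,
# for protocol $2 on port $3 (iptables-restore syntax, INPUT chain).
fw_pair() {
    printf '%s -p %s -s %s --dport %s -j ACCEPT\n' "-A INPUT" "$2" "$1" "$3"
    printf '%s -p %s --dport %s -j DROP\n' "-A INPUT" "$2" "$3"
}

# Emit rules that allow only the network in $1 to reach portmapper and
# every NFS service port, TCP and UDP.
nfs_iptables_rules() {
    net="$1"
    for p in $PORTMAP_PORT $NFSD_PORT $RQUOTAD_PORT $MOUNTD_PORT $STATD_PORT; do
        fw_pair "$net" tcp "$p"
        fw_pair "$net" udp "$p"
    done
    fw_pair "$net" tcp "$LOCKD_TCPPORT"
    fw_pair "$net" udp "$LOCKD_UDPPORT"
}

# Return 0 if no two services share a port; a collision would stop one
# daemon from binding and make the rule set misleading.
nfs_ports_unique() {
    dup=$(printf '%s\n' "$PORTMAP_PORT" "$NFSD_PORT" "$RQUOTAD_PORT" \
        "$MOUNTD_PORT" "$STATD_PORT" "$LOCKD_TCPPORT" "$LOCKD_UDPPORT" \
        | sort | uniq -d)
    [ -z "$dup" ]
}

# Stand-alone use: print the config and rules for a placeholder admin net.
if [ "${1:-}" = "--show" ]; then
    nfs_ports_unique || { echo "duplicate port assignment" >&2; exit 1; }
    nfs_sysconfig_fragment
    nfs_lockd_sysctl
    nfs_iptables_rules 192.0.2.0/24
fi
```

Run it with `--show` to print the sysconfig fragment, the sysctl lines and the rules; the rule lines are meant for the filter table in `iptables-restore` input. The rules only mean something once the daemons have actually been restarted on the pinned ports, so check `rpcinfo -p` afterwards and confirm mountd, status and nlockmgr are registered on the ports you chose rather than on portmapper-assigned ones.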
