NFS with firewall

jludwig wralphie at comcast.net
Sat May 8 02:32:13 UTC 2004


On Fri, 2004-05-07 at 21:35, Stuart Lowe wrote:
> Hello,
> 
> I want to tie down NFS ports so I can put up a firewall.
> 
> In particular, I'm looking at statd.  I noticed from the man pages that
> statd can take a "-p" and a "-o" option for setting ports.  The startup
> script /etc/rc.d/init.d/nfslock appears to be trying to take this into
> consideration.
> 
> If I start NFS using the bare-bones startup scripts that came with FC1,
> I notice that when I do an rpcinfo -p I get something like:
> 
> 100024    1   udp  32768  status
> 100024    1   tcp  32770  status
> 
> 
> If I make a file /etc/sysconfig/nfs (this is referenced in
> /etc/rc.d/init.d/nfslock but did not exist) and put the following lines
> in it:
> 
> STATD_PORT=32765
> STATD_OUTGOING_PORT=32766
> 
> then after restarting my machine rpcinfo -p gives:
> 
> 100024    1   udp  32765  status
> 100024    1   tcp  32765  status
> 
> It appears that if I attempt to specify ports, STATD_OUTGOING_PORT gets
> "ignored".  
> 
> I'm concentrating on statd here as an example, but my concerns all
> relate to the general question of "What is the best way to tie down NFS
> ports?"  I've seen a lot of stuff on this such as defining ports in
> /etc/services, directly hard-coding ports in the startup scripts, and
> I've tried numerous combinations.  So far, the only thing that seems to
> work with consistency for me is using /etc/modules.conf to tie down the
> lockd ports.
> 
> Any ideas on this would be greatly appreciated.
> 
> Regards,
> 
> Stu.
Try http://www.linuxguruz.com/iptables/
-- 
jludwig <wralphie at comcast.net>
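
A way to confirm that pinned ports took effect before firewall rules are written against them, as an added example that is not part of the original thread: it compares `rpcinfo -p` output with the intended service=port pairs. The function names and the sample rows are constructed here; the status rows reuse the output quoted above.

```sh
#!/bin/sh
# Added example: compare `rpcinfo -p` output with the ports you meant to pin.
# Live use: rpcinfo -p | check_pinned "status=32765"

# check_pinned "svc=port ..."  reads rpcinfo -p output on stdin, prints one
# line per finding, and returns 1 if a listed service is on another port
# or is not registered at all.
check_pinned() {
    awk -v expected="$1" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        # Data rows are: program vers proto port service (header is skipped)
        $1 ~ /^[0-9]+$/ && NF >= 5 {
            svc = $5
            if (!(svc in want)) next
            seen[svc] = 1
            if ($4 == want[svc]) {
                printf "OK      %s/%s on port %s\n", svc, $3, $4
            } else {
                printf "DRIFT   %s/%s on port %s, expected %s\n", svc, $3, $4, want[svc]
                bad = 1
            }
        }
        END {
            for (s in want) if (!(s in seen)) {
                printf "MISSING %s is not registered\n", s
                bad = 1
            }
            exit bad + 0
        }
    '
}

# Constructed sample input: the status rows quoted in the thread, before and
# after /etc/sysconfig/nfs was created (header and portmapper row added).
sample_before() {
    printf '%s\n' '   program vers proto   port' \
        '    100000    2   tcp    111  portmapper' \
        '    100024    1   udp  32768  status' \
        '    100024    1   tcp  32770  status'
}
sample_after() {
    printf '%s\n' '   program vers proto   port' \
        '    100000    2   tcp    111  portmapper' \
        '    100024    1   udp  32765  status' \
        '    100024    1   tcp  32765  status'
}
```

`rpcinfo -p` lists only the ports that services have registered with the portmapper, so a source port used for outgoing requests, such as the one set by STATD_OUTGOING_PORT, does not show up in it.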




