NFS with firewall
jludwig
wralphie at comcast.net
Sat May 8 02:32:13 UTC 2004
On Fri, 2004-05-07 at 21:35, Stuart Lowe wrote:
> Hello,
>
> I want to tie down NFS ports so I can put up a firewall.
>
> In particular, I'm looking at statd. I noticed from the man pages that
> statd can take a "-p" and a "-o" option for setting ports. The startup
> script /etc/rc.d/init.d/nfslock appears to be trying to take this into
> consideration.
>
> If I start NFS using the bare-bones startup scripts that came with FC1,
> I notice that when I do an rpcinfo -p I get something like:
>
> 100024 1 udp 32768 status
> 100024 1 tcp 32770 status
>
>
> If I make a file /etc/sysconfig/nfs (this is referenced in
> /etc/rc.d/init.d/nfslock but did not exist) and put the following lines
> in it:
>
> STATD_PORT=32765
> STATD_OUTGOING_PORT=32766
>
> then after restarting my machine rpcinfo -p gives:
>
> 100024 1 udp 32765 status
> 100024 1 tcp 32765 status
>
> It appears that if I attempt to specify ports, STATD_OUTGOING_PORT gets
> "ignored".
>
> I'm concentrating on statd here as an example, but my concerns all
> relate to the general question of "What is the best way to tie down NFS
> ports?" I've seen a lot of stuff on this such as defining ports in
> /etc/services, directly hard-coding ports in the startup scripts, and
> I've tried numerous combinations. So far, the only thing that seems to
> work with consistency for me is using /etc/modules.conf to tie down the
> lockd ports.
>
> Any ideas on this would be greatly appreciated.
>
> Regards,
>
> Stu.
Try http://www.linuxguruz.com/iptables/
--
jludwig <wralphie at comcast.net>
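
An added example, not part of either message above: one way to check that the ports registered with the portmapper match the ones a firewall rule set is about to allow. The function names, the rpcinfo sample (constructed) and the nlockmgr pin of 4001 are assumptions; 32765 is the STATD_PORT from the question.

```shell
#!/bin/sh
# Added example: compare registered RPC ports with the firewall plan.

# Plan as "service/proto=port". 32765 is the STATD_PORT from the post, 111 and
# 2049 are the standard portmapper and nfs ports, 4001 is a hypothetical pin.
PINS="portmapper/tcp=111 portmapper/udp=111 status/udp=32765 status/tcp=32765 nfs/udp=2049 nlockmgr/udp=4001"

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100005    1   udp    845  mountd
EOF
}

# $1 = plan, stdin = `rpcinfo -p` output. Prints one verdict per distinct
# service/proto/port and returns non-zero if anything is off plan.
check_rpc_ports() {
    awk -v pins="$1" '
        BEGIN {
            n = split(pins, row, " ")
            for (i = 1; i <= n; i++)
                if (split(row[i], kv, "=") == 2) want[kv[1]] = kv[2]
        }
        $1 !~ /^[0-9]+$/ { next }                 # skip the header line
        {
            name = ($5 == "" ? $1 : $5)           # unnamed program: use its number
            key = name "/" $3
            if (seen[key "/" $4]++) next          # same port, other RPC version
            if (!(key in want))       { print "UNPINNED " key " " $4; bad = 1 }
            else if (want[key] != $4) { print "DRIFT " key " " $4 " expected " want[key]; bad = 1 }
            else                      { print "OK " key " " $4 }
        }
        END { exit bad + 0 }
    '
}

# Live use: rpcinfo -p | check_rpc_ports "$PINS"
sample_rpcinfo | check_rpc_ports "$PINS" || echo "registered ports differ from the plan"
```

rpcinfo -p lists only listening ports registered with the portmapper, so a source port set with statd's -o option is outside what this check can see.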