NFS through firewall

James Pifer jep at obrien-pifer.com
Fri Nov 18 17:09:28 UTC 2005


> Besides the firewall, other things to check for are tcp wrappers
> (/etc/hosts.allow/deny - I once pulled hair over this one), and permissions
> of the partitions exported by the NFS server. 
> 
> On the client do a 
> 
> /usr/sbin/showmount -e nfs.server.com
> 
> Whenever you modify something on the nfs server, run 
> 
> exportfs -r
> 
> or restart the nfs server (better, because it restarts the rpc services
> too).
> 
> 
> Also, you're not root on the client when you're trying to access the
> exports, are you? By default, the nfs server does not treat a remote root
> user as its own root user, for the obvious reasons. So if you're root on
> the client and try to access an exported partition that belongs to, say,
> joe/users, you'll get an error.
> 
> 
> Also, the nfs server need not give unrestricted access to a client to
> access nfs. The problem with nfs and firewall is that the rpc services run
> on random ports, so the firewall would have to open the same (random)
> ports to allow access to nfs. Fortunately, nfsd can be configured so that
> the rpc services run on fixed ports, like so:
> 
> On the nfs server:
> 
> cat /etc/sysconfig/nfs
> STATD_PORT=4000
> LOCKD_TCPPORT=4001
> LOCKD_UDPPORT=4001
> MOUNTD_PORT=4002
> RQUOTAD_PORT=4003
> 
> Still on the nfs server, in /etc/sysconfig/iptables put these rules:
> 
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4000:4003 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4000:4003 -j ACCEPT
> 
> These will allow anything to access the nfs/rpc ports. To allow only a
> single machine, add its address to these rules.
> 
> 

Yes, I am root on the client. I do this all the time with my other
fedora boxes. For that matter, to use mount I have to be root. I don't
understand this part.

I will try to set fixed ports and see if that helps. 

Thanks,
James
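The fixed-port setup and iptables rules quoted in the reply, worked through as an added example that is not part of this thread: it emits the rules restricted to a single client address, as the reply suggests, and checks `rpcinfo -p` output against the pinned range. The client address 192.0.2.10 and the rpcinfo sample are constructed; the port values are the ones from the quoted /etc/sysconfig/nfs.

```shell
#!/bin/sh
# Added example, not from the thread: emit the reply's firewall rules limited to
# one client, and check rpcinfo output against the pinned ports (samples constructed).
# Constructed copy of the /etc/sysconfig/nfs settings from the reply.
NFS_SYSCONFIG_SAMPLE='STATD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
RQUOTAD_PORT=4003'

# nfs_port_range CONFIG_TEXT -> prints "LOW:HIGH". Returns 1 if any variable is
# missing or non-numeric: that daemon would still land on a random port.
nfs_port_range() {
    cfg=$1; low=''; high=''
    for var in STATD_PORT LOCKD_TCPPORT LOCKD_UDPPORT MOUNTD_PORT RQUOTAD_PORT; do
        val=$(printf '%s\n' "$cfg" | sed -n "s/^$var=\([0-9][0-9]*\)\$/\1/p")
        if [ -z "$val" ]; then echo "$var not pinned in config" >&2; return 1; fi
        if [ -z "$low" ] || [ "$val" -lt "$low" ]; then low=$val; fi
        if [ -z "$high" ] || [ "$val" -gt "$high" ]; then high=$val; fi
    done
    echo "$low:$high"
}

# nfs_client_rules CLIENT CONFIG_TEXT -> the reply's RH-Firewall-1-INPUT rules
# for 111 (portmap), 2049 (nfsd) and the pinned range, with "-s CLIENT" added.
nfs_client_rules() {
    client=$1; range=$(nfs_port_range "$2") || return 1
    for proto in tcp udp; do
        for dport in 111 2049 "$range"; do
            printf '%s -s %s -p %s -m state --state NEW -m %s --dport %s -j ACCEPT\n' \
                '-A RH-Firewall-1-INPUT' "$client" "$proto" "$proto" "$dport"
        done
    done
}

# rpc_ports_pinned RPCINFO_TEXT LOW:HIGH -> 0 if every mountd/status/nlockmgr/
# rquotad registration in `rpcinfo -p` output sits inside LOW:HIGH, else 1.
rpc_ports_pinned() {
    low=${2%:*}; high=${2#*:}
    printf '%s\n' "$1" | awk -v lo="$low" -v hi="$high" '
        $5 ~ /^(mountd|status|nlockmgr|rquotad)$/ && ($4+0 < lo+0 || $4+0 > hi+0) { bad=1 }
        END { exit bad ? 1 : 0 }'
}
# Constructed rpcinfo -p output: mountd pinned correctly, rquotad still random.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100005    3   tcp   4002  mountd
    100011    1   udp  32769  rquotad'
nfs_client_rules 192.0.2.10 "$NFS_SYSCONFIG_SAMPLE"
rpc_ports_pinned "$RPCINFO_SAMPLE" "$(nfs_port_range "$NFS_SYSCONFIG_SAMPLE")" || echo "a daemon is still on a random port" >&2
```

After restarting the nfs server, feeding real `rpcinfo -p` output to `rpc_ports_pinned` shows whether every daemon actually picked up the fixed ports before the firewall rules are relied on.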
