NFS through firewall
James Pifer
jep at obrien-pifer.com
Fri Nov 18 17:09:28 UTC 2005
> Besides the firewall, other things to check for are tcp wrappers
> (/etc/hosts.allow/deny - I once pulled hair over this one), and permissions
> of the partitions exported by the NFS server.
>
> On the client do a
>
> /usr/sbin/showmount -e nfs.server.com
>
> Whenever you modify something on the nfs server, run
>
> exportfs -r
>
> or restart the nfs server (better, because it restarts the rpc services
> too).
>
>
> Also, you're not root on the client when you're trying to access the
> exports, are you? By default, the nfs server does not treat a remote root
> user as its own root user, for the obvious reasons. So if you're root on
> the client and try to access an exported partition that belongs to, say,
> joe/users, you'll get an error.
>
>
> Also, the nfs server need not give unrestricted access to a client to
> access nfs. The problem with nfs and firewall is that the rpc services run
> on random ports, so the firewall would have to open the same (random)
> ports to allow access to nfs. Fortunately, nfsd can be configured so that
> the rpc services run on fixed ports, like so:
>
> On the nfs server:
>
> cat /etc/sysconfig/nfs
> STATD_PORT=4000
> LOCKD_TCPPORT=4001
> LOCKD_UDPPORT=4001
> MOUNTD_PORT=4002
> RQUOTAD_PORT=4003
>
> Still on the nfs server, in /etc/sysconfig/iptables put these rules:
>
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4000:4003 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4000:4003 -j ACCEPT
>
> These will allow anything to access the nfs/rpc ports. To allow only a
> single machine, add its address to these rules.
>
>
Yes, I am root on the client. I do this all the time with my other
fedora boxes. For that matter, to use mount I have to be root. I don't
understand this part.
I will try to set fixed ports and see if that helps.
Thanks,
James
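An added example, not part of this thread, that makes the quoted fixed-port procedure checkable: it derives the iptables rules for a single client address (the "add its address to these rules" step) from the /etc/sysconfig/nfs values, and compares `rpcinfo -p` output against that file so you can confirm the helpers really came up on the pinned ports before opening the firewall. The sysconfig and rpcinfo text are constructed samples; the chain name RH-Firewall-1-INPUT and the port values are the ones from the quoted message.

```shell
# Constructed sample of the /etc/sysconfig/nfs settings from the quoted message.
NFS_SYSCONFIG_SAMPLE='STATD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
RQUOTAD_PORT=4003'

# Constructed `rpcinfo -p` output of a server whose helpers came up on the fixed ports.
RPCINFO_SAMPLE='   program vers proto   port  service
    100024    1   udp   4000  status
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100011    1   udp   4003  rquotad
    100003    2   tcp   2049  nfs'

# nfs_iptables_rules CLIENT CONFIG_TEXT: the six rules from the message, each limited
# to CLIENT with -s, the helper port range taken from CONFIG_TEXT instead of hardcoded.
nfs_iptables_rules() {
    ports=$(printf '%s\n' "$2" | sed -n 's/^[A-Z_]*PORT=\([0-9]*\)$/\1/p' | sort -n)
    lo=$(printf '%s\n' "$ports" | head -n 1)
    hi=$(printf '%s\n' "$ports" | tail -n 1)
    for dport in 2049 111 "$lo:$hi"; do
        for proto in tcp udp; do
            printf '%s -s %s -p %s -m state --state NEW -m %s --dport %s -j ACCEPT\n' \
                '-A RH-Firewall-1-INPUT' "$1" "$proto" "$proto" "$dport"
        done
    done
}

# nfs_unpinned_services CONFIG_TEXT  (rpcinfo -p output on stdin): print every helper
# that is not listening on its configured port; exit 0 only when all are pinned.
nfs_unpinned_services() {
    awk -v cfgtext="$1" '
    BEGIN {
        want["status","tcp"] = "STATD_PORT";      want["status","udp"] = "STATD_PORT"
        want["nlockmgr","tcp"] = "LOCKD_TCPPORT"; want["nlockmgr","udp"] = "LOCKD_UDPPORT"
        want["mountd","tcp"] = "MOUNTD_PORT";     want["mountd","udp"] = "MOUNTD_PORT"
        want["rquotad","tcp"] = "RQUOTAD_PORT";   want["rquotad","udp"] = "RQUOTAD_PORT"
        n = split(cfgtext, lines, "\n")
        for (i = 1; i <= n; i++) if (split(lines[i], kv, "=") == 2) cfg[kv[1]] = kv[2]
    }
    # rpcinfo -p columns: program vers proto port service
    NF == 5 && (($5, $3) in want) && (want[$5, $3] in cfg) && $4 != cfg[want[$5, $3]] {
        printf "%s/%s is on port %s, expected %s\n", $5, $3, $4, cfg[want[$5, $3]]
        bad++
    }
    END { exit bad > 0 }'
}

nfs_iptables_rules 192.0.2.10 "$NFS_SYSCONFIG_SAMPLE"
```

On a live server the check is `rpcinfo -p | nfs_unpinned_services "$(cat /etc/sysconfig/nfs)"`; a non-zero exit means a helper picked a random port and the 4000:4003 rules will not cover it.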