nfs mounting - pam considerations

Tod Merley todbot88 at gmail.com
Sat Oct 21 21:23:45 UTC 2006


On 10/20/06, Margaret Doll <Margaret_Doll at brown.edu> wrote:
> I am finding that FC3 requires me to allow more open ports for NFS to
> work.  I have to modify iptables.  With FC2, I did not have to do this.
>
> With iptables off, NFS mounting works on FC3.
>
> I have tcp port 111 opened now and am hunting for the additional
> ports that I need.
>
>
Hi Again Margaret Doll!

Sounds like your hunting has been very good!

I note:

# From: http://www.troubleshooters.com/linux/nfs.htm
-----------------------------------------------------------------------------------------------------
5: If there are still problems, disable firewalls or log firewalls
Many supposed NFS problems are really problems with the firewall. In
order for your NFS server to successfully serve NFS shares, its
firewall must enable the following:

ICMP Type 3 packets
Port 111, the Portmap daemon
Port 2049, NFS
The port(s) assigned to the mountd daemon
The easiest way to see whether your problem resides in the firewall is
to completely open up the client and server firewalls and anything in
between. For details on how to manipulate iptables see the May 2003
Linux Productivity Magazine.

Note that opening up firewalls is appropriate only if you're
disconnected from the Internet, or if you're in a very un-hostile
environment. Even so, you should open up the firewalls for a very
short time (less than 5 minutes). If in doubt, instead of opening the
firewalls, insert logging statements in IPTables to show what packets
are being rejected during NFS mounts, and take action to enable those
ports. For details on IPTables diagnostic logging, see the May 2003
Linux Productivity Magazine.

The mountd daemon ports are especially problematic, because they're
normally assigned by the portmap daemon, and vary from NFS restart to
NFS restart. The /etc/rc.d/init.d/nfs script can be changed to nail
down the mountd daemon to a specific port, which then enables you to
pinhole a specific port. The A Somewhat Practical Server Firewall
article in the May 2003 Linux Productivity Magazine explains how to
do this.

If for some reason you don't want to nail down the port, your only
other alternatives are to create a firewall enabling a huge range of
ports in the 30000's, or to create a master NFS restart script which
does the following:

Use the rpcinfo program to find all ports used by mountd.
Issue iptables commands to find the rule numbers for those ports.
Issue iptables commands to delete all rules on those ports.
Restart NFS
Use the rpcinfo program to find all ports used by mountd.
Issue iptables commands to insert rules for those ports where the
rules for those ports used to be.
One technique that might make that easier is to create a user defined
chain just to hold mountd rules. In that case you'd simply empty that
chain, restart NFS, use rpcinfo to find the port numbers, and add the
proper rules using the iptables -A command.

It bears repeating that the May 2003 Linux Productivity Magazine
details how to create an NFS-friendly firewall.
-------------------------------------------------------------------------
You have probably made my future life easier, thanks!

Tod
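The user-defined-chain technique from the quoted article, written out as an added example (not code from the article, the magazine, or this list post). It assumes a chain named NFS_MOUNTD already exists and is jumped to from INPUT, that rpcinfo(8) and iptables(8) are on the path, and that NFS clients live on the constructed network 192.168.1.0/24; the static rules for ICMP type 3, port 111 and port 2049 are assumed to live elsewhere.

```shell
#!/bin/sh
# Added example: rebuild a dedicated iptables chain that holds only the
# mountd pinholes, so the rest of the ruleset never has to change when
# portmap hands mountd a different port after an NFS restart.
# Assumptions (not from the article): chain NFS_MOUNTD exists and is
# reached from INPUT; client subnet below is a constructed value.

NFS_CHAIN="NFS_MOUNTD"
CLIENT_NET="192.168.1.0/24"

# Read `rpcinfo -p` output on stdin and print unique "proto port" pairs
# for mountd. Columns are: program vers proto port service.
mountd_ports() {
    awk '$5 == "mountd" { print $3, $4 }' | sort -u
}

# Turn "proto port" pairs on stdin into iptables commands restricted to
# the client subnet. Printed rather than executed so an administrator
# can review them; pipe into sh to apply.
mountd_rules() {
    while read -r proto port; do
        printf 'iptables -A %s -p %s --dport %s -s %s -j ACCEPT\n' \
            "$NFS_CHAIN" "$proto" "$port" "$CLIENT_NET"
    done
}

# The full sequence described in the article: empty the chain, restart
# NFS, ask the portmapper where mountd landed, re-add the pinholes.
# Requires root; not invoked here.
refresh_mountd_rules() {
    iptables -F "$NFS_CHAIN"
    /etc/rc.d/init.d/nfs restart
    rpcinfo -p localhost | mountd_ports | mountd_rules | sh
}

# Constructed sample of `rpcinfo -p` output for offline checking.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100005    3   udp  32768  mountd
    100005    3   tcp  32769  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'
```

Running `printf '%s\n' "$SAMPLE_RPCINFO" | mountd_ports | mountd_rules` shows the two ACCEPT rules that would be appended for this sample.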

More information about the fedora-list mailing list