Firewall problems with NFS

Bill Davidsen davidsen at tmr.com
Thu Nov 15 14:57:31 UTC 2007


Dr. Michael J. Chudobiak wrote:
> Bill Davidsen wrote:
>> I have a firewall problem with running an NFS server on FC6 or FC8, 
>> due to the GUI configuration interface not opening the firewall when I 
>> check the NFS protocol support. It seems to only allow use as an NFS 
>> client, since that worked fine when I tested it.
>>
>> I can put the needed rules in the "RH-Firewall-1-INPUT" chain, but 
>> mixing GUI administration and manual administration is undesirable to 
>> prevent unexpected behavior, conflicts, etc., in the future. Is there 
>> really no way to open the ports for NFS server other than by hand?
> 
> Opening NFS servers is tricky - the default GUI is too simple to do it 
> well.
> 
> You'll probably need to:
> 
> 1) Learn about port "pinning" for NFS (so it always uses the same ports).

Since the GUI doesn't know about this, it doesn't solve the problem of 
avoiding mixing GUI and manual firewall configuration. If I have to do 
any of it by hand, I'll do it all by hand; I'm dubious about using the 
same rules for forwarding as INPUT anyway.
> 
> 2) Use a fancier GUI, like firestarter (http://www.fs-security.com/), to 
> control your firewall.

As above. My preference is to do it all by hand, but it's disappointing 
that the default Fedora tool doesn't work properly.
> 
> NFS is insecure anyways, so you'll want to have another firewall outside 
> the client network also. Do not expose the NFS server to public access.

Exports are to a very limited set of machines, and the rules I added by 
hand don't allow others.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
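
Added example, not part of the original message or thread: a sketch of what the port pinning and hand-written rules discussed above can look like together, with access limited to named client machines. The port values, the client addresses (documentation range 192.0.2.0/24) and the function names are assumptions; the `/etc/sysconfig/nfs` variable names are those read by Red Hat-style NFS init scripts and should be checked against the installed release. The script only prints rules and applies nothing.

```shell
#!/bin/sh
# Added example: print (never apply) iptables rules for an NFS server whose
# helper daemons are pinned. Assumed /etc/sysconfig/nfs (constructed values):
#   MOUNTD_PORT=892  STATD_PORT=662  RQUOTAD_PORT=875
#   LOCKD_TCPPORT=32803  LOCKD_UDPPORT=32769
# portmap (111) and nfsd (2049) already use fixed ports.
CHAIN="RH-Firewall-1-INPUT"            # chain named in the post
TCP_PORTS="111 2049 892 662 875 32803"
UDP_PORTS="111 2049 892 662 875 32769"

# valid_client ADDR[/PREFIX]: strict IPv4 check so a typo cannot become a
# rule that matches every source. A /0 prefix is refused for the same reason.
valid_client() {
    case $1 in ''|*[!0-9./]*|*/*/*) return 1 ;; esac
    vc_addr=${1%%/*}
    case $1 in
        */*) vc_pfx=${1#*/}
             case $vc_pfx in ''|*[!0-9]*|???*) return 1 ;; esac
             [ "$vc_pfx" -ge 1 ] && [ "$vc_pfx" -le 32 ] || return 1 ;;
    esac
    case $vc_addr in *.*.*.*.*|.*|*.|*..*) return 1 ;; *.*.*.*) ;; *) return 1 ;; esac
    vc_old=$IFS; IFS=.
    set -- $vc_addr
    IFS=$vc_old
    for vc_o in "$@"; do
        case $vc_o in 0?*) return 1 ;; esac      # ambiguous leading zero
        [ "${#vc_o}" -le 3 ] && [ "$vc_o" -le 255 ] || return 1
    done
}

# nfs_rules CLIENT...: print one ACCEPT line per client/protocol/port in the
# format of /etc/sysconfig/iptables. Prints nothing if any client is invalid.
nfs_rules() {
    [ "$#" -gt 0 ] || { echo "usage: nfs_rules CLIENT..." >&2; return 1; }
    for nr_c in "$@"; do
        valid_client "$nr_c" || { echo "rejected client: $nr_c" >&2; return 1; }
    done
    for nr_c in "$@"; do
        for nr_p in $TCP_PORTS; do
            echo "-A $CHAIN -s $nr_c -m state --state NEW -m tcp -p tcp --dport $nr_p -j ACCEPT"
        done
        for nr_p in $UDP_PORTS; do
            echo "-A $CHAIN -s $nr_c -m state --state NEW -m udp -p udp --dport $nr_p -j ACCEPT"
        done
    done
}

# Constructed sample clients from the documentation address range.
nfs_rules 192.0.2.10 192.0.2.11
```

The printed lines belong above the chain's final REJECT rule, and the daemons must be restarted after the ports are pinned so that `rpcinfo -p` reports the same numbers the rules allow.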




More information about the fedora-list mailing list