NFS versus the firewall
Richard England
rlengland at verizon.net
Tue Jan 1 22:48:23 UTC 2008
Amadeus W.M. wrote:
> On Tue, 01 Jan 2008 18:29:52 +1030, Tim wrote:
>
>
>> Tim:
>>
>>>> Something has bugged me for ages about trying to use NFS between
>>>> machines on the LAN.
>>>>
>> Charles Curley:
>>
>>> http://www.charlescurley.com/nfs.html
>>>
>> I'll have a bash at that a bit later, but the question still stands
>> about what's the point of the NFS checkmark in the firewall
>> configurator, if it can't actually do the trick? They might as well
>> have named it "waste your time."
>>
>> --
>> [tim at bigblack ~]$ uname -ipr
>> 2.6.23.1-10.fc7 i686 i386
>>
>> Using FC 4, 5, 6 & 7, plus CentOS 5. Today, it's FC7.
>>
>> Don't send private replies to my address, the mailbox is ignored. I read
>> messages from the public lists.
>>
>
>
> The difficulty with nfs is that it uses a few auxiliary rpc services,
> which by default get started on a random port. These random ports must be
> open in the firewall, but because they are random, iptables has no
> idea what they might be.
>
> The cure is to force these services to ALWAYS start on pre-assigned
> ports, and open these ports in the firewall.
>
> To this end, on the nfs server
>
> 1) Create a file /etc/sysconfig/nfs with the following contents:
>
> RQUOTAD_PORT=4000
> LOCKD_TCPPORT=4001
> LOCKD_UDPPORT=4001
> MOUNTD_PORT=4002
> STATD_PORT=4003
>
> The nfs config file already exists, but it's full of comments. Erase
> everything and put these lines in, or just edit the appropriate lines in
> the existing file. You can choose any ports available, not necessarily
> 4000-4003.
>
>
> 2) Open range 4000-4003 tcp and udp in iptables. This you can do
> manually, but it can be done from system-config-firewall very easily and
> intuitively.
>
> 3) Open port 111 (portmapper) and 2049 (nfs) as well.
>
> Done.
>
>
> Now, from any client (which should be running the automounter (autofs) by
> default), you should be able to
>
> cd /net/nfsserver/exported/partition
>
>
> I have all this up and running, and it's pretty cool to watch video that
> resides on my main pc (nfs server) on my big hdtv, via nfs and a wireless
> laptop that sits on top of my tv.
>
>
>
EXCELLENT! This is the same thing I've been struggling with and you've
nailed a solution for me.
This one goes in my log book.
This naturally leads me to the next question. What kind of a more
"hands off" solution can be arrived at so the less technically oriented
can configure NFS on their network? The randomness of the ports seems
to be a gotcha if you want to use a firewall without customizing it.
Thanks for the solution.
~~R
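The pinning procedure quoted above, turned into an added shell example that is not code from any poster in this thread. It takes the port assignments from the post (4000-4003 for the helpers, plus 111 and 2049), prints iptables rules that admit those ports only from the LAN rather than from anywhere, and checks a `rpcinfo -p` listing to confirm every auxiliary RPC service actually landed on a pinned port before the rule set is trusted. The LAN subnet 192.168.1.0/24 and both rpcinfo listings are assumptions constructed for the example; nothing is applied to the running system.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers around the post's recipe:
#  - nfs_iptables_rules: print LAN-only iptables rules for NFS and its
#    pinned helper ports (print only, review before applying)
#  - check_rpc_ports: read `rpcinfo -p` output and fail if any service
#    sits on a port the firewall rules would not cover
# Assumption: LAN is 192.168.1.0/24; rpcinfo listings below are constructed.

NFS_AUX_PORTS="4000 4001 4002 4003"   # rquotad, lockd, mountd, statd as pinned in /etc/sysconfig/nfs

# Print iptables rules that admit NFS and its helpers only from one subnet.
nfs_iptables_rules() {
    lan="$1"
    for proto in tcp udp; do
        printf 'iptables -A INPUT -s %s -p %s --dport 111 -j ACCEPT\n' "$lan" "$proto"        # portmapper
        printf 'iptables -A INPUT -s %s -p %s --dport 2049 -j ACCEPT\n' "$lan" "$proto"       # nfs
        printf 'iptables -A INPUT -s %s -p %s --dport 4000:4003 -j ACCEPT\n' "$lan" "$proto"  # pinned helpers
    done
}

# Read `rpcinfo -p` output on stdin; exit 0 only if every registered
# service is on 111, 2049 or one of the ports listed in $1. Any service
# that ignored the sysconfig setting is reported with its port.
check_rpc_ports() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            ok["111"] = 1; ok["2049"] = 1
            bad = 0
        }
        $1 == "program" { next }   # header line of rpcinfo -p
        NF < 5 { next }            # blank or malformed lines
        !($4 in ok) { printf("unexpected port %s for %s/%s\n", $4, $5, $3); bad = 1 }
        END { exit bad }
    '
}

# Constructed sample: helpers pinned as the post describes.
RPCINFO_PINNED='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100024    1   udp   4003  status
    100011    1   udp   4000  rquotad'

# Constructed sample: same server before pinning; mountd and statd on random ports.
RPCINFO_RANDOM='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100005    1   udp  32768  mountd
    100003    2   tcp   2049  nfs
    100024    1   udp  56123  status'

# Demo: print the rules, then check both listings against them.
nfs_iptables_rules 192.168.1.0/24
if printf '%s\n' "$RPCINFO_PINNED" | check_rpc_ports "$NFS_AUX_PORTS"; then
    echo "pinned listing: every RPC service is on a firewall-allowed port"
fi
if ! printf '%s\n' "$RPCINFO_RANDOM" | check_rpc_ports "$NFS_AUX_PORTS"; then
    echo "random listing: the rule set would not cover every service"
fi
```

On a real server, replace the constructed listings with `rpcinfo -p | check_rpc_ports "$NFS_AUX_PORTS"` after restarting the NFS services; a non-zero exit means a helper is still on a random port and the firewall rules above would silently block it.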