NFS versus the firewall

Richard England rlengland at verizon.net
Tue Jan 1 22:48:23 UTC 2008


Amadeus W.M. wrote:
> On Tue, 01 Jan 2008 18:29:52 +1030, Tim wrote:
>
>   
>> Tim:
>>     
>>>> Something has bugged me for ages about trying to use NFS between
>>>> machines on the LAN.
>>>>         
>> Charles Curley:
>>     
>>> http://www.charlescurley.com/nfs.html
>>>       
>> I'll have a bash at that a bit later, but the question still stands
>> about what's the point of the NFS checkmark in the firewall
>> configurator, if it can't actually do the trick?  They might as well
>> have named it "waste your time."
>>
>> --
>> [tim at bigblack ~]$ uname -ipr
>> 2.6.23.1-10.fc7 i686 i386
>>
>> Using FC 4, 5, 6 & 7, plus CentOS 5.  Today, it's FC7.
>>
>> Don't send private replies to my address, the mailbox is ignored. I read
>> messages from the public lists.
>>     
>
>
> The difficulty with nfs is that it uses a few auxiliary rpc services, 
> which by default get started on a random port. These random ports must be 
> open in the firewall, but because they are random, the iptables has no 
> idea what they might be. 
>
> The cure is to force these services to ALWAYS start on pre-assigned 
> ports, and open these ports in the firewall. 
>
> To this end, on the nfs server 
>
> 1) Create a file /etc/sysconfig/nfs with the following contents:
>
> RQUOTAD_PORT=4000
> LOCKD_TCPPORT=4001
> LOCKD_UDPPORT=4001
> MOUNTD_PORT=4002
> STATD_PORT=4003
>
> The nfs config file already exists, but it's full of comments. Erase 
> everything and put these lines in, or just edit the appropriate lines in 
> the existing file. You can choose any ports available, not necessarily 
> 4000-4003.
>
>
> 2) Open range 4000-4003 tcp and udp in iptables. This you can do 
> manually, but it can be done from system-config-firewall very easily and 
> intuitively.
>
> 3) Open port 111 (portmapper) and 2049 (nfs) as well.
>
> Done.
>
>
> Now, from any client (which should be running the automounter (autofs) by 
> default), you should be able to 
>
> cd /net/nfsserver/exported/partition
>
>
> I have all this up and running, and it's pretty cool to watch video that 
> resides on my main pc (nfs server) on my big hdtv, via nfs and a wireless 
> laptop that sits on top of my tv. 
>
>
>   
EXCELLENT!  This is the same thing I've been struggling with and you've 
nailed a solution for me. 

This one goes in my log book.

This naturally leads me to the next question.  What kind of a more 
"hands off" solution can be arrived at so the less technically oriented 
can configure NFS on their network?  The randomness of the ports seems 
to be a gotcha if you want to use a firewall without customizing it.

Thanks for the solution.

~~R
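The procedure quoted above (pin the auxiliary NFS daemons to fixed ports in /etc/sysconfig/nfs, then open those ports plus 111 and 2049) as one script, added here as an example and not part of either poster's message. It generates the sysconfig fragment, generates iptables rules that open the ports only to the LAN subnet rather than to every source (the part a GUI checkbox does not do for you), and checks `rpcinfo -p` output to confirm the daemons actually came up on the pinned ports. The port numbers are the ones from the post; the subnet 192.168.1.0/24 and the `rpcinfo -p` listings embedded below are assumptions constructed for the example. The variable names match the sysconfig-based nfs-utils of the Fedora releases discussed; on current nfs-utils the same ports are set in /etc/nfs.conf instead.

```shell
#!/usr/bin/env bash
# Added example: pin NFS helper daemons to fixed ports, restrict the firewall
# opening to the LAN, and verify the pinning against `rpcinfo -p` output.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN subnet; adjust to yours

# Pinned ports, as in the post's /etc/sysconfig/nfs.
RQUOTAD_PORT=4000
LOCKD_PORT=4001
MOUNTD_PORT=4002
STATD_PORT=4003

# Print the /etc/sysconfig/nfs lines that pin the daemons.
nfs_sysconfig() {
  printf 'RQUOTAD_PORT=%s\nLOCKD_TCPPORT=%s\nLOCKD_UDPPORT=%s\nMOUNTD_PORT=%s\nSTATD_PORT=%s\n' \
    "$RQUOTAD_PORT" "$LOCKD_PORT" "$LOCKD_PORT" "$MOUNTD_PORT" "$STATD_PORT"
}

# Print iptables rules opening portmapper, nfs and the pinned ports, tcp and
# udp, but only from the given source network. Opening them to any source
# exposes portmap and the NFS export list to everything that can reach the box.
nfs_iptables_rules() {
  net="$1"
  for p in 111 2049 "$RQUOTAD_PORT" "$LOCKD_PORT" "$MOUNTD_PORT" "$STATD_PORT"; do
    printf 'iptables -A INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$net" "$p"
    printf 'iptables -A INPUT -s %s -p udp --dport %s -j ACCEPT\n' "$net" "$p"
  done
}

# Read `rpcinfo -p` output on stdin and report any registration of mountd,
# nlockmgr, status or rquotad that is not on its pinned port. Returns 1 if
# any daemon still landed on a random port, 0 if all are pinned.
check_rpc_ports() {
  bad=0
  while read -r prog vers proto port name; do
    case "$name" in
      mountd)   want=$MOUNTD_PORT ;;
      nlockmgr) want=$LOCKD_PORT ;;
      status)   want=$STATD_PORT ;;
      rquotad)  want=$RQUOTAD_PORT ;;
      *)        continue ;;   # header line, portmapper, nfs itself
    esac
    if [ "$port" != "$want" ]; then
      printf 'unpinned: %s v%s/%s on port %s (expected %s)\n' \
        "$name" "$vers" "$proto" "$port" "$want"
      bad=1
    fi
  done
  return "$bad"
}

# Constructed sample: what `rpcinfo -p` looks like after the pinning took effect.
PINNED_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100003    3   tcp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100024    1   udp   4003  status
    100024    1   tcp   4003  status
    100011    1   udp   4000  rquotad'

# Constructed sample: the default situation, mountd and lockd on random ports.
UNPINNED_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100005    1   udp  32768  mountd
    100005    1   tcp  41123  mountd
    100003    3   tcp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100024    1   udp   4003  status'

echo "# /etc/sysconfig/nfs"; nfs_sysconfig
echo "# firewall rules (LAN only)"; nfs_iptables_rules "$LAN_NET"
echo "# checking pinned sample"
printf '%s\n' "$PINNED_SAMPLE" | check_rpc_ports && echo "all pinned"
echo "# checking unpinned sample"
printf '%s\n' "$UNPINNED_SAMPLE" | check_rpc_ports || echo "pinning did not take"
```

On a real server, replace the embedded samples with `rpcinfo -p | check_rpc_ports` after restarting nfs and nfslock; if it reports unpinned entries, the sysconfig variables were not read (wrong file, or a daemon started before the edit) and the firewall rules will not match what the daemons are listening on.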



