Firewall and RPC Setup for NFS
Jonathan Ryshpan
jonrysh at pacbell.net
Sat Mar 28 20:44:40 UTC 2009
On Fri, 2009-03-27 at 21:22 +0000, Sharpe, Sam J wrote:
> 2009/3/27 Jonathan Ryshpan <jonrysh at pacbell.net>:
> > Setting up to use NFS I've found that RPC doesn't work; it's blocked by
> > the firewall. I surmise that RPC is one of the services listed in
> > System->Administration->Firewall under the "Trusted Services" tab. But
> > which one? If my surmise is not correct, how do I enable RPC service
> > without turning off the firewall?
>
> It's not in that list, but it's port 111 udp/tcp:
>
> [sam at machine ~]$ cat /etc/services | grep portmapper
> sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
> sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
>
> If you're firewalling NFS, you might want to also look at locking
> services to particular ports and opening them on your firewall:
> [sam at machine ~]$ sudo cat /etc/sysconfig/nfs
> MOUNTD_PORT=4001
> LOCKD_TCPPORT=4002
> LOCKD_UDPPORT=4003
> STATD_PORT=4004
> RQUOTAD_PORT=4005
>
> Otherwise, the assignment of ports for RPC services is random, which
> creates a slight firewall issue...
You are exactly right on both counts. Port 111/tcp and 111/udp have to
be opened to allow sunrpc to work. Moreover, nfs and its friends must be
set to fixed ports and these ports opened for nfs to work. I have used
different ports from the ones you recommend, since there may be some
conflicts between them and the standard port assignments.
My port assignments are:
LOCKD_TCPPORT=890
LOCKD_UDPPORT=890
MOUNTD_PORT=891
STATD_PORT=892
RQUOTAD_PORT=893
I assume that all these are TCP ports except LOCKD_UDPPORT.
BTW: Would it be a good idea to close port 111, since sunrpc has been
reported as a security problem? See:
http://www.iss.net/security_center/advice/Services/SunRPC/default.htm
Or is sunrpc needed for other functions of nfs?
This is one of the **least** well documented aspects of Linux system
administration, and causes particular trouble to people who, like me,
use networking only once every 3 years or so, when they set up a new
system and have to transfer their files to it. This is particularly
true since the System->Administration->Firewall has a tab that purports
to control access to NFS4.
Thanks very much - jon
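One way to turn a fixed-port assignment like the one in the reply above into firewall rules, as an added example that is not from the thread: a shell function that reads /etc/sysconfig/nfs-style settings and emits iptables rules that admit only one client subnet. The embedded sample config, the 192.168.1.0/24 subnet and the iptables INPUT-chain form are assumptions; 111 (sunrpc/portmapper) and 2049 (nfsd) are the standard assigned ports and are included regardless of the file.

```bash
#!/bin/bash
# Added example (not from the thread): emit iptables rules for the fixed NFS/RPC
# ports found in an /etc/sysconfig/nfs-style file, restricted to one client subnet.
# Assumptions: rules go in iptables' INPUT chain; 111 (portmapper) and 2049 (nfsd)
# are the standard ports and are always added.

# Constructed sample config in the same KEY=VALUE format as /etc/sysconfig/nfs,
# using the port numbers chosen in the reply above.
SAMPLE_NFS_CONF='LOCKD_TCPPORT=890
LOCKD_UDPPORT=890
MOUNTD_PORT=891
STATD_PORT=892
RQUOTAD_PORT=893'

# Print one ACCEPT rule: nfs_rule <port> <proto> <client-subnet>
nfs_rule() {
    printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' "$3" "$2" "$1"
}

# nfs_port_rules <client-subnet> reads the config on stdin and prints the rules.
# mountd, statd and rquotad listen on both TCP and UDP at their single port;
# lockd has a separate port setting per protocol.
nfs_port_rules() {
    subnet="$1"
    nfs_rule 111 tcp "$subnet";  nfs_rule 111 udp "$subnet"    # portmapper
    nfs_rule 2049 tcp "$subnet"; nfs_rule 2049 udp "$subnet"   # nfsd
    while IFS='=' read -r key val; do
        case "$key" in
            ''|\#*) continue ;;                # skip blanks and comments
        esac
        case "$val" in                         # accept only a plain port number
            *[!0-9]*|'') echo "bad value for $key: '$val'" >&2; return 1 ;;
        esac
        case "$key" in
            LOCKD_TCPPORT) nfs_rule "$val" tcp "$subnet" ;;
            LOCKD_UDPPORT) nfs_rule "$val" udp "$subnet" ;;
            MOUNTD_PORT|STATD_PORT|RQUOTAD_PORT)
                nfs_rule "$val" tcp "$subnet"; nfs_rule "$val" udp "$subnet" ;;
        esac
    done
}

# Wrapper over the constructed sample: rules_for_sample <client-subnet>
rules_for_sample() {
    printf '%s\n' "$SAMPLE_NFS_CONF" | nfs_port_rules "$1"
}

rules_for_sample 192.168.1.0/24
```

Run it against the real file with `nfs_port_rules 192.168.1.0/24 < /etc/sysconfig/nfs` and review the output before loading it; a non-numeric port value makes the function fail instead of emitting a half-built rule set.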