Firewall and RPC Setup for NFS

Sharpe, Sam J sam.sharpe+lists.redhat at gmail.com
Sun Mar 29 19:43:36 UTC 2009


2009/3/28 Jonathan Ryshpan <jonrysh at pacbell.net>:
> On Fri, 2009-03-27 at 21:22 +0000, Sharpe, Sam J wrote:
>> If you're firewalling NFS, you might want to also look at locking
>> services to particular ports and opening them on your firewall:
>> [sam at machine ~]$ sudo cat /etc/sysconfig/nfs
>> MOUNTD_PORT=4001
>> LOCKD_TCPPORT=4002
>> LOCKD_UDPPORT=4003
>> STATD_PORT=4004
>> RQUOTAD_PORT=4005
>>
>> Otherwise, the assignment of ports for RPC services is random, which
>> creates a slight firewall issue...
>
> You are exactly right on both counts.  Port 111/tcp and 111/udp have to
> be opened to allow sunrpc to work.  Moreover nfs and its friends must be
> set to fixed ports and these ports opened for nfs to work.  I have used
> different ports from the ones you recommend, since there may be some
> conflicts between them and the standard port assignments.

Those weren't really "recommendations" - they were pasted from a
production system that serves NFS across a firewall and I was assigned
the ports by the people who run the firewall - so essentially they are
random choices!

> BTW: Would it be a good idea to close port 111, since sunrpc has been
> reported as a security problem?  See:
>        http://www.iss.net/security_center/advice/Services/SunRPC/default.htm
> Or is sunrpc needed for other functions of nfs?

It depends if you want to configure all your clients with the ports
you have assigned.

What is supposed to happen is that a client talks to the server's
portmapper (sunrpc as you call it) and says "what port will I find
your mountd service on?" and then goes away to use that port.
If you don't somehow (and I don't know this off the top of my head)
tell all your clients what those ports are, then certain things won't
work. NFS might be fine, but you probably won't have working quotas,
locks, or a valid list of connected clients in showmount.

Also, I don't think the service responding to port 111 on a Fedora
machine is technically sunrpc any more:
[sam at machine ~]$ rpm -qif /etc/init.d/rpcbind
Name        : rpcbind                      Relocations: (not relocatable)
Version     : 0.1.7                             Vendor: Fedora Project
Release     : 1.fc10                        Build Date: Thu 20 Nov 2008 16:59:01 GMT
<snip>
URL         : http://nfsv4.bullopensource.org
Summary     : Universal Addresses to RPC Program Number Mapper
Description :
The rpcbind utility is a server that converts RPC program numbers into
universal addresses.  It must be running on the host to be able to make
RPC calls on a server on that machine.


-- 
Sam
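Editor's added example, not part of Sam's or Jonathan's posts: the thread
says to pin mountd, lockd, statd and rquotad to fixed ports in
/etc/sysconfig/nfs and open those ports (plus 111/tcp and 111/udp for the
portmapper) on the firewall. The script below shows the check a practitioner
would run on the server afterwards: it takes `rpcinfo -p` output, derives the
unique protocol/port pairs the firewall must allow, emits iptables rules for
them (iptables syntax is an assumption; the thread never names a firewall
tool), and compares each fixed-port setting against the port the portmapper
actually registered. The rpcinfo output and sysconfig file are constructed
samples using the thread's port numbers; the RPC service names (mountd,
nlockmgr, status, rquotad) are the standard ones rpcinfo prints.

```shell
#!/bin/sh
# Added example (editor's, not from the original post): derive the firewall
# openings an NFS server needs from `rpcinfo -p` output, and verify that the
# fixed ports in /etc/sysconfig/nfs are what the portmapper actually
# registered.  All sample data below is constructed for the example; run
# `rpcinfo -p` on a real server to feed the functions live data.

# Constructed `rpcinfo -p` output for a server using the fixed ports quoted in
# the thread (mountd 4001, lockd 4002/4003, statd 4004, rquotad 4005).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   4001  mountd
    100005    3   tcp   4001  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   4003  nlockmgr
    100021    4   tcp   4002  nlockmgr
    100024    1   udp   4004  status
    100024    1   tcp   4004  status
    100011    2   udp   4005  rquotad
    100011    2   tcp   4005  rquotad'

# Constructed /etc/sysconfig/nfs matching the values quoted in the thread.
SAMPLE_SYSCONFIG='MOUNTD_PORT=4001
LOCKD_TCPPORT=4002
LOCKD_UDPPORT=4003
STATD_PORT=4004
RQUOTAD_PORT=4005'

# rpc_ports: print unique "proto/port" pairs from rpcinfo -p output on stdin.
# The header line is skipped; every registered program, including the
# portmapper itself on 111, is included.
rpc_ports() {
    awk 'NR > 1 && NF >= 5 { print $3 "/" $4 }' | sort -u
}

# iptables_rules: turn "proto/port" lines on stdin into iptables ACCEPT rules
# (iptables syntax assumed; adapt for another firewall).
iptables_rules() {
    awk -F/ '{ printf "iptables -A INPUT -p %s --dport %s -j ACCEPT\n", $1, $2 }'
}

# expected_port SYSCONFIG_TEXT VARNAME: the fixed port configured for a service.
expected_port() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# actual_port RPCINFO_TEXT SERVICE PROTO: the port the portmapper registered.
actual_port() {
    printf '%s\n' "$1" | awk -v s="$2" -v p="$3" '$5 == s && $3 == p { print $4; exit }'
}

# check_fixed_ports RPCINFO_TEXT SYSCONFIG_TEXT: compare each fixed-port
# setting with what rpcinfo reports.  An unset variable or a service that
# came up on some other (random) port is printed as MISMATCH; returns 1 if
# any mismatch was found, 0 otherwise.
check_fixed_ports() {
    rc=0
    for spec in MOUNTD_PORT:mountd:tcp LOCKD_TCPPORT:nlockmgr:tcp \
                LOCKD_UDPPORT:nlockmgr:udp STATD_PORT:status:tcp \
                RQUOTAD_PORT:rquotad:tcp; do
        var=${spec%%:*}; rest=${spec#*:}; svc=${rest%%:*}; proto=${rest#*:}
        want=$(expected_port "$2" "$var")
        got=$(actual_port "$1" "$svc" "$proto")
        if [ -z "$want" ] || [ "$want" != "$got" ]; then
            echo "MISMATCH $svc/$proto: configured ${want:-unset}, registered ${got:-none}"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: print the rules for the sample and check the fixed ports.
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ports | iptables_rules
check_fixed_ports "$SAMPLE_RPCINFO" "$SAMPLE_SYSCONFIG" && echo "fixed ports OK"
```

On a live server replace the constructed text with `"$(rpcinfo -p)"` and
`"$(cat /etc/sysconfig/nfs)"`. A MISMATCH line for nlockmgr or status after
a reboot is the symptom the thread describes: the daemon was not pinned and
the portmapper handed it a random port the firewall does not allow, so
clients that still ask port 111 will be told an unreachable port.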