nfs issue...

Pete Nesbitt pete at linux1.ca
Fri Jul 2 19:32:41 UTC 2004


On July 2, 2004 12:18 pm, bruce wrote:
> pete....
>
> ok.. it looks like i have it working for now...
>
> but it appears that i'm going to have to make some changes to the
> /etc/rc.d/init.d/nfs script. it appears that the associated processes for
> nfs have ports that need to be accounted for in the iptables.
>
> in particular the processes statd, mountd, quotad....
>
> the iptables that i created for the nfs server is below...
>
> i'm going to need to know how to modify the nfs script to lock the ports
> for the processes down, as these processes apparently use random ports...
> but i'm not sure how to make the changes to the nfs script...
>
>
> currently used iptable for nfs server...
> # Firewall configuration written by lokkit
> # Manual customization of this file is not recommended.
> # Note: ifup-post will punch the current nameservers through the
> #       firewall; such entries will *not* be listed here.
> *filter
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Lokkit-0-50-INPUT - [0:0]
>
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
> ###
> ### nfs related stuff...
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 32768:32770 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 32768:32770 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 111 -j ACCEPT
>
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
> COMMIT
>
>
>
> i've seen the following docs:.
> <<<<<<<<<<<<<<<<<<===========================>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> The other daemons, statd, mountd, lockd, and rquotad, will normally move
> around to the first available port they are informed of by the portmapper.
>
> To force statd to bind to a particular port, use the -p portnum option. To
> force statd to respond on a particular port, additionally use the -o
> portnum option when starting it.
>
> (ok... but how do i find the process that starts the statd process. is this
> the /etc/rc.d/init.d/nfs script?????? )
>
> To force mountd to bind to a particular port use the -p portnum option.
>
> For example, to have statd broadcast of port 32765 and listen on port
> 32766, and mountd listen on port 32767, you would type:
>
> # statd -p 32765 -o 32766
> # mountd -p 32767
>
>
> lockd is started by the kernel when it is needed. Therefore you need to
> pass module options (if you have it built as a module) or kernel options to
> force lockd to listen and respond only on certain ports.
>
> If you are using loadable modules and you would like to specify these
> options in your /etc/modules.conf file add a line like this to the file:
>
> options lockd nlm_udpport=32768 nlm_tcpport=32768
>
>
> The above line would specify the udp and tcp port for lockd to be 32768.
>
> If you are not using loadable modules or if you have compiled lockd into
> the kernel instead of building it as a module then you will need to pass it
> an option on the kernel boot line.
>
> It should look something like this:
>
>  vmlinuz 3 root=/dev/hda1 lockd.udpport=32768 lockd.tcpport=32768
>
>
> The port numbers do not have to match but it would simply add unnecessary
> confusion if they didn't.
> <<<<<<<<<<<<<<<<<<===========================>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> my copy of the /etc.../nfs script doesn't have "statd"... should i add
> it??? also, how do i know if i'm using "loadable modules", or if the kernel
> had lockd compiled... and if i do need to pass the options in as boot
> parameters, where/how would i do this... what file would i have to
> edit...?????
>

Bruce,
You shouldn't have to mess with the nfs init script.

You should not need all the extra nfs entries in your iptables, but probably 
only need to add:
-A RH-Lokkit-0-50-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

At this point it may also be worth grabbing an iptables frontend like 
firestarter ( http://firestarter.sourceforge.net ) or building your own init 
script. I know you are going to have the fw set up properly soon, but this 
seems like a strange approach (editing this file), oh well, we got this 
far...
-- 
Pete Nesbitt, rhce
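The two pieces the thread circles around are (a) pinning statd, mountd and lockd to fixed ports so they can be opened in iptables, and (b) checking that the pins actually took effect before trusting the firewall rules. The script below is an added example written for this page; it is not code from the thread, from the HOWTO bruce quotes, or from Red Hat's nfs init script. The port numbers are the ones in the quoted HOWTO. The /etc/sysconfig/nfs variable names (STATD_PORT, STATD_OUTGOING_PORT, MOUNTD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT) are an assumption based on later Red Hat nfs init scripts; if the local script does not read them, start statd and mountd with -p/-o as the HOWTO shows. The client network 192.168.1.0/24 and both rpcinfo listings are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Red Hat's nfs
# init script: pin statd, mountd and lockd to fixed ports, emit the matching
# iptables rules for the lokkit chain, and confirm the pins with rpcinfo.
# Port numbers are the ones in the HOWTO text quoted in the thread. The
# /etc/sysconfig/nfs variable names are an assumption (later Red Hat nfs
# init scripts read them); if the local script does not, pass -p/-o to
# statd and mountd directly as the HOWTO shows.

STATD_PORT=32765        # statd listens here (statd -p)
STATD_OUT_PORT=32766    # statd sends notifications from here (statd -o)
MOUNTD_PORT=32767       # mountd -p
LOCKD_PORT=32768        # lockd nlm_udpport= / nlm_tcpport=

# Fragment for /etc/sysconfig/nfs (assumed variable names, see header).
sysconfig_nfs_fragment() {
    printf 'STATD_PORT=%s\nSTATD_OUTGOING_PORT=%s\nMOUNTD_PORT=%s\n' \
        "$STATD_PORT" "$STATD_OUT_PORT" "$MOUNTD_PORT"
    printf 'LOCKD_TCPPORT=%s\nLOCKD_UDPPORT=%s\n' "$LOCKD_PORT" "$LOCKD_PORT"
}

# Print iptables-restore rules for chain $1 that admit NFS only from the
# client network $2.  These belong before lokkit's REJECT lines.  The
# connection-tracking rule comes first, so replies to anything the server
# itself initiates (statd notifications, for instance) need no extra holes.
gen_nfs_rules() {
    chain="-A $1"
    clients=$2
    printf '%s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$chain"
    for port in 111 2049 $STATD_PORT $MOUNTD_PORT $LOCKD_PORT; do
        printf '%s -s %s -p tcp -m tcp --dport %s -j ACCEPT\n' "$chain" "$clients" "$port"
        printf '%s -s %s -p udp -m udp --dport %s -j ACCEPT\n' "$chain" "$clients" "$port"
    done
}

# Read `rpcinfo -p` output on stdin and verify that status (statd), mountd
# and nlockmgr (lockd) registered on the pinned ports.  Returns 1 and names
# the offender when a daemon is missing or landed on some other port.
check_rpcinfo() {
    awk -v status="$STATD_PORT" -v mountd="$MOUNTD_PORT" -v nlockmgr="$LOCKD_PORT" '
        BEGIN { bad = 0 }
        NR > 1 && ($5 == "status" || $5 == "mountd" || $5 == "nlockmgr") {
            want = ($5 == "status") ? status : ($5 == "mountd") ? mountd : nlockmgr
            seen[$5] = 1
            if ($4 != want) {
                printf "%s registered on %s/%s, expected %s\n", $5, $3, $4, want
                bad = 1
            }
        }
        END {
            n = split("status mountd nlockmgr", names, " ")
            for (i = 1; i <= n; i++)
                if (!(names[i] in seen)) { printf "%s not registered\n", names[i]; bad = 1 }
            exit bad
        }'
}

# Constructed sample of `rpcinfo -p` from a server where the pins took effect.
SAMPLE_RPCINFO_GOOD='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    3   udp  32768  nlockmgr
    100021    4   tcp  32768  nlockmgr
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd'

# Constructed sample from a server that ignored the pins: mountd is on a
# random port, so the firewall rules above would block mount requests.
SAMPLE_RPCINFO_BAD='   program vers proto   port
    100000    2   tcp    111  portmapper
    100024    1   udp  32765  status
    100003    2   udp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100005    1   udp   1022  mountd'

gen_nfs_rules RH-Lokkit-0-50-INPUT 192.168.1.0/24
printf '%s\n' "$SAMPLE_RPCINFO_GOOD" | check_rpcinfo && echo "pins in effect"
printf '%s\n' "$SAMPLE_RPCINFO_BAD" | check_rpcinfo || echo "pins not in effect"
```

Restricting the NFS rules to the client network matters more than the port pinning itself: NFS access control is by host, so an open portmapper and mountd on 0/0 lets anyone on the wire enumerate and attempt mounts. After restarting the nfs service, run `rpcinfo -p | check_rpcinfo` on the server; only when it exits 0 do the generated ACCEPT lines match where the daemons are actually listening.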




