[rhelv6-list] NFS and iptables

"Weiergräber, Oliver H." o.h.weiergraeber at fz-juelich.de
Thu Mar 1 17:46:50 UTC 2012


Thanks a lot for your quick reply and the links therein.
Actually I did find (and read) those references before, but this introductory page
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-nfs.html#s1-nfs-how
contains a statement like:
"NFS version 4 (NFSv4) works through firewalls and on the Internet, no longer requires an rpcbind service, ..."
which made me wonder whether the steps treating the ports dynamically assigned by rpcbind might not be relevant if only NFS4 is in use.

Oliver

================================================
  PD Dr. Oliver H. Weiergräber
  Institute of Complex Systems
  ICS-6: Structural Biochemistry
  Tel.: +49 2461 61-2028
  Fax: +49 2461 61-1448
================================================




________________________________________
From: rhelv6-list-bounces at redhat.com [rhelv6-list-bounces at redhat.com] On Behalf Of thomas at redhat.com [thomas at redhat.com]
Sent: Thursday, March 01, 2012 5:48 PM
To: rhelv6-list at redhat.com
Subject: Re: [rhelv6-list] NFS and iptables


On 03/01/2012 10:39 AM, "Weiergräber, Oliver H." wrote:
> Hello,
>
> I am currently working through setting up NFS with RHEL 6, trying
> to arrange with iptables (and SELinux) which, admittedly, I used to
> disable in the past.

I am really glad to hear that you're using SELinux, this is great news.

You probably want to take a peek at, e.g.
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html
and
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html


> Am I right thinking that when using NFS4, the one and only thing to
> do is open port 2049 in iptables?

Take a look at
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Securing_NFS.html.

> Red Hat documentation is somewhat unclear with respect to port
> requirements: In all examples they recommend to fix and open
> several ports assigned by rpcbind, but nfs4 is said to not require
> rpcbind at all!

I don't know, there's a whole chapter on it at
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-nfs.html

Specifically
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/s2-nfs-nfs-firewall-config.html
talks about doing what you want.

Hope this is helpful!
--
Thomas Cameron, RHCA, RHCSS, RHCDS, RHCVA, RHCX
Chief Architect, Canada and Central US
512-241-0774 office / 512-585-5631 cell
http://people.redhat.com/tcameron/
IRC: choirboy / AIM: rhelguy / Yahoo: rhce_guy /Google+
http://ongpl.us/tdc





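An added example, not written by either poster on this thread: a small audit of an `iptables-save` style ruleset that reports whether the NFS port 2049/tcp and the rpcbind port are accepted inbound, which is the distinction the question about NFSv4-only servers turns on. The ruleset is constructed, the function names `sample_rules` and `nfs_rule_audit` are hypothetical, and port 111 for rpcbind is its standard port rather than a value from the thread.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not taken from the thread).
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Hypothetical helper: read iptables-save output on stdin and report INPUT
# ACCEPT rules for the NFS port (2049/tcp) and the rpcbind port (111).
# Limitation: only single-port "--dport N" rules are recognised, not
# multiport lists or port ranges.
nfs_rule_audit() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        proto = ""; port = ""; target = ""
        # Stop at NF-1 so that $(i + 1) always exists.
        for (i = 3; i < NF; i++) {
            if ($i == "-p")      proto  = $(i + 1)
            if ($i == "--dport") port   = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (target != "ACCEPT") next
        if (port == "2049" && proto == "tcp") {
            print port "/" proto, "nfs-port-used-by-nfsv4"
        } else if (port == "111") {
            print port "/" proto, "rpcbind-not-needed-for-nfsv4"
        }
    }'
}

sample_rules | nfs_rule_audit
```

On a live server the same function can be fed the saved ruleset, for example `nfs_rule_audit < /etc/sysconfig/iptables`; any `rpcbind-not-needed-for-nfsv4` line on a host that exports only NFSv4 marks an inbound rule to review.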