[rhelv6-list] NFS and iptables

thomas at redhat.com
Thu Mar 1 18:39:12 UTC 2012


Ah, sorry, I misunderstood.

Yes, if you're using only nfs4, all you need is 2049, none of the
other stuff is needed.

Sorry for the confusion.

On 03/01/2012 11:46 AM, "Weiergräber, Oliver H." wrote:
> Thanks a lot for your quick reply and the links therein. Actually I
> did find (and read) those references before, but this introductory
> page
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-nfs.html#s1-nfs-how
> contains a statement like:
> "NFS version 4 (NFSv4) works through firewalls and on the Internet,
> no longer requires an rpcbind service, ..." which made me wonder
> whether the steps treating the ports dynamically assigned by
> rpcbind might not be relevant if only NFS4 is in use.
> 
> Oliver
> 
> ================================================
> PD Dr. Oliver H. Weiergräber
> Institute of Complex Systems
> ICS-6: Structural Biochemistry
> Tel.: +49 2461 61-2028
> Fax: +49 2461 61-1448
> ================================================
>
> ________________________________________
> From: rhelv6-list-bounces at redhat.com [rhelv6-list-bounces at redhat.com] On Behalf Of thomas at redhat.com [thomas at redhat.com]
> Sent: Thursday, March 01, 2012 5:48 PM
> To: rhelv6-list at redhat.com
> Subject: Re: [rhelv6-list] NFS and iptables
> 
> On 03/01/2012 10:39 AM, "Weiergräber, Oliver H." wrote:
>> Hello,
> 
>> I am currently working through setting up NFS with RHEL 6,
>> trying to arrange with iptables (and SELinux) which, admittedly,
>> I used to disable in the past.
> 
> I am really glad to hear that you're using SELinux, this is great
> news.
> 
> You probably want to take a peek at, e.g.
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html
> and
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html
> 
>> Am I right thinking that when using NFS4, the one and only thing
>> to do is open port 2049 in iptables?
> 
> Take a look at
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Securing_NFS.html.
>
>> Red Hat documentation is somewhat unclear with respect to port
>> requirements: In all examples they recommend to fix and open
>> several ports assigned by rpcbind, but nfs4 is said to not
>> require rpcbind at all!
> 
> I don't know, there's a whole chapter on it at
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-nfs.html
>
> Specifically
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/s2-nfs-nfs-firewall-config.html
> talks about doing what you want.
> 
> Hope this is helpful!
> 

-- 
Thomas Cameron, RHCA, RHCSS, RHCDS, RHCVA, RHCX
Chief Architect, Canada and Central US
512-241-0774 office / 512-585-5631 cell
http://people.redhat.com/tcameron/
IRC: choirboy / AIM: rhelguy / Yahoo: rhce_guy /Google+
http://ongpl.us/tdc
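
An added example, not part of the original thread: a shell check that reads an iptables-save style ruleset and confirms that an NFSv4-only server accepts tcp/2049 while flagging leftover rpcbind-era ports. The sample ruleset, the 192.0.2.0/24 client subnet, port 892 as a pinned mountd port and the function names are constructed assumptions; only single-port `--dport` rules are parsed.

```shell
# Constructed sample: NFSv3-era rules left on a server that now serves NFSv4 only.
# 192.0.2.0/24 (client subnet) and 892 (a pinned mountd port) are assumptions.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print "proto/port" for every INPUT rule that ACCEPTs a destination port.
accepted_ports() {
  awk '$1 == "-A" && $2 == "INPUT" {
    proto = ""; port = ""; target = ""
    for (i = 3; i < NF; i++) {
      if ($i == "-p") proto = $(i + 1)
      if ($i == "--dport") port = $(i + 1)
      if ($i == "-j") target = $(i + 1)
    }
    if (target == "ACCEPT" && proto != "" && port != "") print proto "/" port
  }'
}

# stdin: ruleset; args: ports an NFSv4-only server does not need (111 = rpcbind).
# Returns 0 only when tcp/2049 is accepted and none of the listed ports are.
audit_nfs4() {
  open=$(accepted_ports); rc=0
  if ! printf '%s\n' "$open" | grep -qx 'tcp/2049'; then
    echo "MISSING tcp/2049"; rc=1
  fi
  for p in "$@"; do
    if printf '%s\n' "$open" | grep -Eqx "(tcp|udp)/$p"; then
      printf '%s\n' "$open" | grep -Ex "(tcp|udp)/$p" | sed 's/^/UNNEEDED /'
      rc=1
    fi
  done
  return $rc
}

# The one rule NFSv4 needs, in /etc/sysconfig/iptables syntax, for client subnet $1.
nfs4_rule() {
  echo "-A INPUT -s $1 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT"
}

printf '%s\n' "$SAMPLE_RULES" | audit_nfs4 111 892 || true
```

On a live host the same check can be fed from `iptables-save` instead of the sample variable, with the site's own pinned helper ports as arguments.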