NFS-server and firewall
Christopher K. Johnson
ckjohnson at gwi.net
Sun Aug 15 16:13:53 UTC 2004
Andrew Dietz wrote:
>I have explored the same issue in the past and came across the
>same URL that Scot posted. I have since modified that document to
>work specifically with RedHat/Fedora distributions. Should make
>for a pretty painless implementation.
>
>http://maverick.library.gatech.edu/docs/nfs_firewall.html
>
>Andrew
>
If you use iptables in a stateful fashion, the outgoing statd port need
not be opened up in iptables. Input packets are permitted as
"established". Thus, if you change the statd outbound port to 4004, a
more efficient iptables rule can permit the necessary inbound ports
without permitting an unnecessary one. Please consider revising your
web page accordingly.
Additions to iptables:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Permit NFS access
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT
/etc/sysconfig/nfs:
# /etc/sysconfig/nfs
# Created 7-5-2004 by Christopher K. Johnson
# Based on earlier work by Chris Lowth,
# adjusted to use features supported by original Fedora Core 2 init scripts.
# The following may be relevant in a virtual host environment
#STATD_HOSTNAME=
STATD_PORT=4000
STATD_OUTGOING_PORT=4004
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
#Also see /etc/services to set rpc.rquotad port to 4003
# rquotad 4003/tcp # Fix a port for rpc.rquotad
# rquotad 4003/udp # Fix a port for rpc.rquotad
And the actual additions to the end of /etc/services (as documented by
comments in nfs above):
# Local services
rquotad 4003/tcp # Fix a port for rpc.rquotad
rquotad 4003/udp # Fix a port for rpc.rquotad
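As an added consistency check (an example script, not part of Chris's message): the pinning above only works if every RPC service actually registers on its fixed port, otherwise statd, lockd, mountd or rquotad silently lands on a random port that the 4000:4003 rules do not cover. This script takes a constructed `rpcinfo -p` listing and reports any registered service whose port the iptables rules would not admit.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output for a server configured as in
# the /etc/sysconfig/nfs and /etc/services fragments above (not real output).
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100011    1   udp   4003  rquotad
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# Ports the INPUT rules above accept for NEW connections (4004 is the
# statd outgoing port and is deliberately absent: it is covered by the
# ESTABLISHED,RELATED rule, not by a listening-port rule).
ALLOWED_PORTS="111 2049 4000 4001 4002 4003"

# port_allowed PORT -> returns 0 when PORT is in ALLOWED_PORTS
port_allowed() {
  for p in $ALLOWED_PORTS; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# unreachable_services RPCINFO_TEXT
# Prints "service proto port" for every registered RPC service whose
# port the firewall would not admit, i.e. a service that drifted off its
# pinned port. Empty output means the port map and the rule set agree.
unreachable_services() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF >= 5 { print $5, $3, $4 }' |
  while read -r svc proto port; do
    port_allowed "$port" || echo "$svc $proto $port"
  done
}

unreachable_services "$RPCINFO_SAMPLE"
```

On a live server replace the constructed sample with `unreachable_services "$(rpcinfo -p)"`; anything it prints is a service that will be blocked for clients until its port is pinned.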
--
-----------------------------------------------------------
"Spend less! Do more! Go Open Source..." -- Dirigo.net
Chris Johnson, RHCE #807000448202021