NFS-server and firewall

Christopher K. Johnson ckjohnson at gwi.net
Sun Aug 15 16:13:53 UTC 2004


Andrew Dietz wrote:

>I have explored the same issue in the past and came across the
>same URL that Scot posted. I have since modified that document to
>work specifically with RedHat/Fedora distributions. Should make
>for a pretty painless implementation.
>
>http://maverick.library.gatech.edu/docs/nfs_firewall.html
>
>Andrew
>
>
>  
>
If you use iptables in a stateful fashion, the outgoing statd port need 
not be opened up in iptables.  Input packets are permitted as 
"established".  Thus if you change the statd outbound port to 4004 a 
more efficient iptables rule can permit the necessary inbound ports 
without permitting an unnecessary one.  Please consider revising your 
web page accordingly.

Additions to iptables:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Permit NFS access
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT

/etc/sysconfig/nfs:
# /etc/sysconfig/nfs
# Created 7-5-2004 by Christopher K. Johnson
# Based on earlier work by Chris Lowth,
# adjusted to use features supported by original Fedora Core 2 init scripts.
 
# The following may be relevant in a virtual host environment
#STATD_HOSTNAME=
 
STATD_PORT=4000
STATD_OUTGOING_PORT=4004
 
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
 
MOUNTD_PORT=4002
 
#Also see /etc/services to set rpc.rquotad port to 4003
# rquotad               4003/tcp                # Fix a port for rpc.rquotad
# rquotad               4003/udp                # Fix a port for rpc.rquotad

And the actual additions to the end of /etc/services (as documented by 
comments in nfs above):
# Local services
rquotad         4003/tcp                        # Fix a port for rpc.rquotad
rquotad         4003/udp                        # Fix a port for rpc.rquotad

-- 
-----------------------------------------------------------
   "Spend less!  Do more!  Go Open Source..." -- Dirigo.net
   Chris Johnson, RHCE #807000448202021
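The post above pins every NFS helper to a fixed port and then opens only those ports for NEW connections, relying on the ESTABLISHED,RELATED rule for replies (so STATD_OUTGOING_PORT never appears in the firewall). The script below is an added example, not code from the post or from Fedora: it checks `rpcinfo -p` output against that same port table, so a helper that missed its setting and landed on a dynamic port is caught before the firewall silently blocks it, and it generates the INPUT rules from the same table so the two cannot drift apart. The function names, the table layout and the rpcinfo sample are my own constructions; the port numbers are the ones from the /etc/sysconfig/nfs and /etc/services fragments above.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every RPC service
# registered on an NFS server sits on the fixed port the firewall expects,
# and emit the matching stateful iptables INPUT rules from the same table.
# Port numbers assume the /etc/sysconfig/nfs and /etc/services settings
# shown above; the rpcinfo sample further down is constructed.

# Map an rpcinfo service name to the port it must be on (empty = not expected).
expected_port() {
  case "$1" in
    portmapper) echo 111 ;;
    nfs)        echo 2049 ;;
    status)     echo 4000 ;;   # rpc.statd, STATD_PORT
    nlockmgr)   echo 4001 ;;   # lockd, LOCKD_TCPPORT / LOCKD_UDPPORT
    mountd)     echo 4002 ;;   # rpc.mountd, MOUNTD_PORT
    rquotad)    echo 4003 ;;   # rpc.rquotad, pinned via /etc/services
    *)          echo "" ;;
  esac
}

# Check `rpcinfo -p` output passed as $1. Prints one line per problem and
# returns 1 if any service is on an unexpected port or is not in the table;
# a clean run prints nothing and returns 0.
check_rpcinfo() {
  rc=0
  while read -r prog vers proto port name; do
    case "$prog" in ''|program) continue ;; esac   # skip blank and header lines
    want=$(expected_port "$name")
    if [ -z "$want" ]; then
      echo "UNEXPECTED $name $proto/$port"
      rc=1
    elif [ "$port" != "$want" ]; then
      echo "MISMATCH $name $proto/$port expected $want"
      rc=1
    fi
  done <<EOF
$1
EOF
  return $rc
}

# Emit the stateful INPUT rules. Replies to the server's own outbound traffic
# (including rpc.statd notifications sent from STATD_OUTGOING_PORT) come back
# as ESTABLISHED, so only the fixed listening ports need NEW allowed.
iptables_rules() {
  echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for svc in portmapper nfs status nlockmgr mountd rquotad; do
    p=$(expected_port "$svc")
    for proto in tcp udp; do
      echo "-A INPUT -m state --state NEW -p $proto --dport $p -j ACCEPT"
    done
  done
}

# Constructed sample in the `rpcinfo -p` layout. mountd/udp has been left on
# a dynamic port to show what a missed setting looks like.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp   4001  nlockmgr
    100021    4   tcp   4001  nlockmgr
    100005    1   udp  32771  mountd
    100005    1   tcp   4002  mountd
    100011    1   udp   4003  rquotad'

# On a real server run: check_rpcinfo "$(rpcinfo -p)"
if check_rpcinfo "$SAMPLE_RPCINFO"; then
  echo "all RPC services are on their fixed ports"
else
  echo "fix /etc/sysconfig/nfs or /etc/services and restart nfs" >&2
fi
```

Run it after `service nfs restart` (and again after a reboot, since lockd's ports are set through sysctl by the init script and a stale kernel module can keep the old ones); any MISMATCH line is a port the firewall will drop, and `iptables_rules` can be pasted into the iptables configuration in place of the hand-written block above.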