Firewall problems with NFS
John Summerfield
debian at herakles.homelinux.org
Fri Nov 16 01:35:49 UTC 2007
Bill Davidsen wrote:
> Bill Davidsen wrote:
>> I have a firewall problem with running an NFS server on FC6 or FC8,
>> due to the GUI configuration interface not opening the firewall when I
>> check the NFS protocol support. It seems to only allow use as an NFS
>> client, since that worked fine when I tested it.
>>
>> I can put the needed rules in the "RH-Firewall-1-INPUT" chain, but
>> mixing GUI administration and manual administration is undesirable to
>> prevent unexpected behavior, conflicts, etc, in the future. Is there
>> really no way to open the ports for NFS server other than by hand?
>>
> Since there were a few people flailing at a helpful answer, let me pass
> on some additional information:
>
> 1 - pinning ports. Not needed. The standard tool seems to cope just
> fine, if only you can get the fixed ports visible.
>
> 2 - Need another firewall tool. No and yes... No, you really don't need to
> open the ports, Yes you do if you want to specify which machines get
> access to the port. The export file or exportfs command limit which
> machines will be allowed to use NFS once they see the port. If you
> export to a reasonable subset of IP addresses most discussion I found
> indicates that you are probably safe from access to data, usual DOS
> attacks could be an issue.
>
> So what's the scoop? See here:
> transport ports
> UDP 2049, 111, 709, 706
> TCP 2049, 111, 709
>
> Note that this was tested with a sniffer and a number of various
> machines and operating systems, seems to work with all of them. I was
> surprised to see that TCP with tcp_adv_win_size=5 and rsize=8192 was as
> fast as UDP, driving 449.1Mbit over gigE connection.
_I_ found the ports were moving; I used tcpdump to see it. It was _not_
using any 7xx ports. lockd (in the kernel) _was_ using a 327xx port.
111 is used by portmapper, which maps "program names" to port numbers.
The port numbers actually used can vary.
See these, both are using nahant-clone:
10:29 [summer at numbat ~]$ rpcinfo -p 192.168.9.4
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 765 status
100024 1 tcp 768 status
100011 1 udp 825 rquotad
100011 2 udp 825 rquotad
100011 1 tcp 828 rquotad
100011 2 tcp 828 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 udp 32771 nlockmgr
100021 3 udp 32771 nlockmgr
100021 4 udp 32771 nlockmgr
100021 1 tcp 32768 nlockmgr
100021 3 tcp 32768 nlockmgr
100021 4 tcp 32768 nlockmgr
100005 1 udp 841 mountd
100005 1 tcp 844 mountd
100005 2 udp 841 mountd
100005 2 tcp 844 mountd
100005 3 udp 841 mountd
100005 3 tcp 844 mountd
10:30 [summer at numbat ~]$ rpcinfo -p cdm
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 602 status
100024 1 tcp 605 status
100011 1 udp 621 rquotad
100011 2 udp 621 rquotad
100011 1 tcp 621 rquotad
100011 2 tcp 621 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 udp 32788 nlockmgr
100021 3 udp 32788 nlockmgr
100021 4 udp 32788 nlockmgr
100021 1 tcp 32768 nlockmgr
100021 3 tcp 32768 nlockmgr
100021 4 tcp 32768 nlockmgr
100005 1 udp 640 mountd
100005 1 tcp 640 mountd
100005 2 udp 640 mountd
100005 2 tcp 640 mountd
100005 3 udp 640 mountd
100005 3 tcp 640 mountd
10:30 [summer at numbat ~]$
Everything but portmapper and nfs is different. A debian system I have
is different again.
--
Cheers
John
-- spambait
1aaaaaaa at coco.merseine.nu Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
Please do not reply off-list
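Editor's added example, not part of the thread or of any Fedora tool: a small parser for `rpcinfo -p` output that turns a host's current RPC registrations into the firewall openings an NFS server needs, and compares two hosts to show which services have stable ports and which move. The two captures are abbreviated (one line per protocol per service) from the listings quoted above; the chain name `RH-Firewall-1-INPUT` comes from the post, while the source subnet 192.168.9.0/24 is an assumed value for illustration.

```python
"""Derive NFS firewall openings from `rpcinfo -p` output and spot ports that move between hosts."""
import re
from collections import defaultdict

# Abbreviated captures constructed from the two rpcinfo listings in the post
# (one line per service and protocol; the extra version lines carry the same ports).
RPCINFO_HOST_A = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    765  status
    100024    1   tcp    768  status
    100011    1   udp    825  rquotad
    100011    1   tcp    828  rquotad
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp  32771  nlockmgr
    100021    4   tcp  32768  nlockmgr
    100005    3   udp    841  mountd
    100005    3   tcp    844  mountd
"""

RPCINFO_HOST_B = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    602  status
    100024    1   tcp    605  status
    100011    1   udp    621  rquotad
    100011    1   tcp    621  rquotad
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp  32788  nlockmgr
    100021    4   tcp  32768  nlockmgr
    100005    3   udp    640  mountd
    100005    3   tcp    640  mountd
"""

# program  version  proto  port  name
RPC_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Map each RPC service name to the set of (proto, port) pairs it is registered on."""
    services = defaultdict(set)
    for line in text.splitlines():
        m = RPC_LINE.match(line)
        if not m:  # header line or blank
            continue
        _program, _version, proto, port, name = m.groups()
        services[name].add((proto, int(port)))
    return dict(services)


def required_openings(services):
    """Every (proto, port) a firewall must accept for this host's current registrations."""
    return sorted({pp for pairs in services.values() for pp in pairs})


def unstable_services(a, b):
    """Service names whose (proto, port) registration differs between two captures."""
    names = set(a) | set(b)
    return sorted(n for n in names if a.get(n) != b.get(n))


def iptables_rules(services, chain="RH-Firewall-1-INPUT", source="192.168.9.0/24"):
    """Rules for the given chain, restricted to an assumed client subnet (hypothetical value)."""
    return [
        f"-A {chain} -s {source} -p {proto} --dport {port} -j ACCEPT"
        for proto, port in required_openings(services)
    ]


if __name__ == "__main__":
    host_a = parse_rpcinfo(RPCINFO_HOST_A)
    host_b = parse_rpcinfo(RPCINFO_HOST_B)
    print("services whose ports differ between the two hosts:",
          ", ".join(unstable_services(host_a, host_b)))
    print("rules valid for host A right now (until its next RPC service restart):")
    for rule in iptables_rules(host_a):
        print("  ", rule)
```

Run against the two captures it reports mountd, nlockmgr, rquotad and status as moving, leaving only portmapper and nfs (111 and 2049) fixed, which is exactly why a static rule set written from one snapshot stops working after a reboot. The generated rules are therefore only a snapshot; to make them durable the non-fixed services have to be pinned first. On Fedora and RHEL of that era the settings for that live in `/etc/sysconfig/nfs` (`MOUNTD_PORT`, `STATD_PORT`, `LOCKD_TCPPORT`, `LOCKD_UDPPORT`), after which a re-run of the parser gives rules that stay valid.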