Configuring NFS under Linux for Firewall control

Florin Andrei florin at andrei.myip.org
Wed Dec 1 19:17:48 UTC 2004


Please have a look at this document:

http://www.lowth.com/LinWiz/nfs_help.html

It describes a method to configure the components of a Linux-based NFS
server so that NFS access can be controlled via a simple firewall that
does not "understand" NFS.
As an engineer using various firewall platforms, I often saw the need
for a similar solution, in situations when the firewalls being used
could not control complex protocols such as NFS. Sometimes the firewall
helps you and gives you a way to manage such protocols, some other times
it doesn't.

The document seems to be geared towards older Red Hat versions, but
perhaps it is still actual for recent Fedora distributions.
The techniques described require editing scripts in /etc/init.d and so
on. That is typically considered something to avoid in production
environments.

I think it would be great to add "hooks" to the init.d scripts (or
something like that) so that such a change can be made in a cleaner
fashion. Say, add stuff in /etc/sysconfig for the sysadmin to modify in
order to achieve the same effect.
For example, add some variables, containing the port numbers for the
various portmap/nfs components, in a file in /etc/sysconfig:

STATD_PORT="4000"
LOCKD_PORT="4001"
MOUNTD_PORT="4002"
RQUOTAD_PORT="4003"
# set this to 1 to enforce using the unique NFS ports
FORCE_NFS_UNIQUE_PORTS="0"

Or something along these lines - it does not have to be
in /etc/sysconfig. Any mechanism that will allow the sysadmin to "flip a
switch" and make NFS play well with firewalls would be great.
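The following is an added example of what such an init.d hook could look like; it is not code from the post, from Fedora's init scripts, or from the LinWiz document. It assumes a sysconfig-style file of KEY="value" lines exactly as sketched above, that rpc.statd, rpc.mountd and rpc.rquotad accept a -p <port> option, and that lockd is pinned through the fs.nfs.nlm_tcpport and fs.nfs.nlm_udpport sysctls. The functions only print the daemon invocations and the iptables rules an init hook would run, so an administrator can review the result before it touches a production box.

```shell
#!/bin/sh
# Added example (not from the original post or the LinWiz document):
# an init.d-style hook that turns the proposed /etc/sysconfig variables
# into fixed-port daemon invocations and matching firewall rules.
# Assumptions: KEY="value" config lines; rpc.statd/rpc.mountd/rpc.rquotad
# take -p <port>; lockd uses the fs.nfs.nlm_tcpport/nlm_udpport sysctls.
# Nothing is executed against the system; commands are printed for review.

# Constructed sample in the shape of the post's /etc/sysconfig proposal.
NFS_SYSCONFIG_SAMPLE='STATD_PORT="4000"
LOCKD_PORT="4001"
MOUNTD_PORT="4002"
RQUOTAD_PORT="4003"
FORCE_NFS_UNIQUE_PORTS="1"'

# Print the value of key $2 from config text $1, but only if the line is
# exactly KEY="digits". Any other shape is ignored, so a stray or edited
# line in the file can never become part of a command line.
nfs_cfg_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\\([0-9]\\{1,5\\}\\)\"\$/\\1/p" | head -n 1
}

# Succeed only for a usable TCP/UDP port number.
nfs_port_ok() {
    [ -n "$1" ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the daemon invocations for the fixed ports, one per line, when the
# switch is on; print nothing (and succeed) when it is off, so the stock
# dynamic-port behaviour is untouched. Fails if a port is missing/invalid.
nfs_daemon_args() {
    cfg=$1
    [ "$(nfs_cfg_get "$cfg" FORCE_NFS_UNIQUE_PORTS)" = 1 ] || return 0
    statd=$(nfs_cfg_get "$cfg" STATD_PORT)
    lockd=$(nfs_cfg_get "$cfg" LOCKD_PORT)
    mountd=$(nfs_cfg_get "$cfg" MOUNTD_PORT)
    rquotad=$(nfs_cfg_get "$cfg" RQUOTAD_PORT)
    for p in "$statd" "$lockd" "$mountd" "$rquotad"; do
        nfs_port_ok "$p" || { echo "invalid or missing NFS port in sysconfig" >&2; return 1; }
    done
    printf 'rpc.statd -p %s\n' "$statd"
    printf 'rpc.mountd -p %s\n' "$mountd"
    printf 'rpc.rquotad -p %s\n' "$rquotad"
    printf 'sysctl -w fs.nfs.nlm_tcpport=%s fs.nfs.nlm_udpport=%s\n' "$lockd" "$lockd"
}

# Print iptables rules that admit NFS only from network $2. portmap (111)
# and nfsd (2049) are fixed already; the other four ports come from the
# config. Each port is opened for tcp and udp from $2, then all other
# traffic to those ports is dropped, which is all a firewall that does
# not understand NFS can do once the ports stop moving.
nfs_firewall_rules() {
    cfg=$1; src=$2
    ports="111 2049"
    for key in STATD_PORT LOCKD_PORT MOUNTD_PORT RQUOTAD_PORT; do
        p=$(nfs_cfg_get "$cfg" "$key")
        nfs_port_ok "$p" || { echo "invalid or missing $key in sysconfig" >&2; return 1; }
        ports="$ports $p"
    done
    for p in $ports; do
        for proto in tcp udp; do
            printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' "$src" "$proto" "$p"
        done
    done
    for p in $ports; do
        for proto in tcp udp; do
            printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' "$proto" "$p"
        done
    done
}

# Stand-alone run: show what the hook would do for the sample config.
if [ "${1:-}" = "--demo" ]; then
    nfs_daemon_args "$NFS_SYSCONFIG_SAMPLE"
    nfs_firewall_rules "$NFS_SYSCONFIG_SAMPLE" 192.0.2.0/24
fi
```

Run it with --demo to see the four daemon lines and the 24 iptables rules for the sample. The strict KEY="digits" parser is the point worth keeping in a real hook: an init script that simply sources the sysconfig file executes whatever is in it, whereas this reads only port numbers, so the "flip a switch" file cannot grow into an extra code path.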

Thank you,

-- 
Florin Andrei

http://florin.myip.org/