
Re: NFS tcp wrapper situation



Once upon a time, Jesse Keating <jkeating redhat com> said:
> On Wed, 2009-01-21 at 18:48 -0600, Chris Adams wrote:
> > That brings me back to RPC services though, which means NFS (which
> > started all of this).  Some of the NFS component services have fixed
> > ports now (even though they still register with portmapper), such as
> > nfsd (2049) and rquotad (875), but I believe that mountd, lockd, and
> > statd all run on portmapper-assigned random ports.  The only way to
> > control access to them is currently TCP_wrappers.
> 
> However each of these does allow you to set a specific port they'll run
> on, so that you /can/ use iptables with them.  I've been running them
> that way for years.

I saw that, but I haven't tried it myself.  I guess they still register
with portmapper (i.e. portmapper allows a program to require a specific
port; I haven't done RPC programming in at least 10 years), since that
appears to be how nfsd and rquotad work.

It looks like the init scripts already support setting this (including
for the kernel lockd using sysctl).

Is there a reason to not go ahead and do that for Fedora 11?  That would
make recommending iptables instead of tcp_wrappers a lot easier.
-- 
Chris Adams <cmadams hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
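Added example, not part of the thread above and not Fedora's own init-script code: it shows the three pieces the messages describe in one place. The variable names (MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT, RQUOTAD_PORT) are the ones the Fedora/RHEL nfs init scripts read from /etc/sysconfig/nfs, and fs.nfs.nlm_tcpport / fs.nfs.nlm_udpport are the sysctls the lockd port is pushed through; the port values, the trusted subnet 192.0.2.0/24 and the `rpcinfo -p` output are constructed for the example. The script only prints the iptables and sysctl commands and checks a captured `rpcinfo -p` listing against the pinned ports; it applies nothing.

```shell
#!/bin/sh
# Added example (not from the original thread): pin the portmapper-assigned
# NFS helpers to fixed ports, emit iptables rules for them, and verify that
# portmapper actually reports the services on those ports.

# Constructed /etc/sysconfig/nfs fragment. The variable names are the ones
# the Fedora/RHEL nfs init scripts honour; the port numbers are assumptions.
NFS_SYSCONFIG='
MOUNTD_PORT=892
STATD_PORT=662
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
RQUOTAD_PORT=875
'
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"   # assumed NFS client subnet

# Read one variable out of the sysconfig fragment, stripping any quotes.
nfs_cfg() {
    printf '%s\n' "$NFS_SYSCONFIG" | sed -n "s/^$1=//p" | tr -d "'\""
}

# The kernel lockd does not read /etc/sysconfig/nfs itself; the init script
# pushes the values in through sysctl. These are the equivalent commands.
nfs_lockd_sysctl() {
    printf 'sysctl -w fs.nfs.nlm_tcpport=%s\n' "$(nfs_cfg LOCKD_TCPPORT)"
    printf 'sysctl -w fs.nfs.nlm_udpport=%s\n' "$(nfs_cfg LOCKD_UDPPORT)"
}

# Emit iptables rules: accept the whole NFS port set from the trusted net,
# drop it from everyone else. Because every port is now fixed, the rule set
# stays valid across restarts, which is what random RPC ports prevented.
nfs_iptables_rules() {
    net="$1"
    common="111,2049,$(nfs_cfg MOUNTD_PORT),$(nfs_cfg STATD_PORT),$(nfs_cfg RQUOTAD_PORT)"
    for proto in tcp udp; do
        if [ "$proto" = tcp ]; then ports="$common,$(nfs_cfg LOCKD_TCPPORT)"
        else ports="$common,$(nfs_cfg LOCKD_UDPPORT)"; fi
        printf 'iptables -A INPUT -s %s -p %s -m multiport --dports %s -j ACCEPT\n' "$net" "$proto" "$ports"
        printf 'iptables -A INPUT -p %s -m multiport --dports %s -j DROP\n' "$proto" "$ports"
    done
}

# Constructed `rpcinfo -p` output as it should look once the pinning took
# effect: the helpers still register with portmapper, just on fixed ports.
RPCINFO_OK='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp    892  mountd
    100005    3   udp    892  mountd
    100021    4   tcp  32803  nlockmgr
    100021    4   udp  32769  nlockmgr
    100024    1   tcp    662  status
    100024    1   udp    662  status
    100011    1   udp    875  rquotad'

# Compare what portmapper reports against the pinned ports. Prints one line
# per mismatch and returns 1 if any helper ended up on an unexpected port,
# i.e. the firewall rules above would not cover it.
rpcinfo_check() {
    rc=0
    while read -r prog vers proto port svc; do
        case "$svc" in
            mountd)  want=$(nfs_cfg MOUNTD_PORT) ;;
            status)  want=$(nfs_cfg STATD_PORT) ;;
            rquotad) want=$(nfs_cfg RQUOTAD_PORT) ;;
            nlockmgr)
                if [ "$proto" = tcp ]; then want=$(nfs_cfg LOCKD_TCPPORT)
                else want=$(nfs_cfg LOCKD_UDPPORT); fi ;;
            *) continue ;;
        esac
        if [ "$port" != "$want" ]; then
            printf '%s/%s registered on port %s, expected %s\n' "$svc" "$proto" "$port" "$want"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Running the script prints the commands for review; nothing is applied.
nfs_lockd_sysctl
nfs_iptables_rules "$TRUSTED_NET"
rpcinfo_check "$RPCINFO_OK" && echo "rpcinfo -p matches the pinned ports"
```

On a real host you would feed `rpcinfo_check "$(rpcinfo -p)"` after restarting the nfs and nfslock services; a non-zero return means some helper is still on a portmapper-chosen port and the iptables rules do not protect it.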

