NFS with firewall

Stuart Lowe stulowe at sympatico.ca
Sat May 8 01:35:05 UTC 2004


Hello,

I want to tie down NFS ports so I can put up a firewall.

In particular, I'm looking at statd.  I noticed from the man pages that
statd can take a "-p" and a "-o" option for setting ports.  The startup
script /etc/rc.d/init.d/nfslock appears to be trying to take this into
consideration.

If I start NFS using the bare-bones startup scripts that came with FC1,
I notice that when I do an rpcinfo -p I get something like:

100024    1   udp  32768  status
100024    1   tcp  32770  status


If I make a file /etc/sysconfig/nfs (this is referenced in
/etc/rc.d/init.d/nfslock but did not exist) and put the following lines
in it:

STATD_PORT=32765
STATD_OUTGOING_PORT=32766

then after restarting my machine rpcinfo -p gives:

100024    1   udp  32765  status
100024    1   tcp  32765  status

It appears that if I attempt to specify ports, STATD_OUTGOING_PORT gets
"ignored".

I'm concentrating on statd here as an example, but my concerns all
relate to the general question of "What is the best way to tie down NFS
ports?"  I've seen a lot of stuff on this such as defining ports in
/etc/services, directly hard-coding ports in the startup scripts, and
I've tried numerous combinations.  So far, the only thing that seems to
work with consistency for me is using /etc/modules.conf to tie down the
lockd ports.

Any ideas on this would be greatly appreciated.

Regards,

Stu.
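A check for the situation described in the post, added here as an example and not part of the original message: it parses rpcinfo -p output and flags any RPC service (status in this case) that is missing or not registered on the port the firewall rules expect. The two tables are constructed from the output quoted above; the script assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the RPC services
# "rpcinfo -p" reports are bound to the fixed ports you intend to open in
# the firewall. The two tables below are constructed from the post.

# Constructed sample: default FC1 output, status floating on 32768/32770.
RPCINFO_DEFAULT='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32770  status'

# Constructed sample: after STATD_PORT=32765 in /etc/sysconfig/nfs.
RPCINFO_PINNED='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status'

# check_rpc_ports "<rpcinfo -p output>" name=port [name=port ...]
# Prints one line per service that is missing or bound to the wrong port
# (on any protocol) and returns 0 only when every listed service matches.
check_rpc_ports() {
    _table=$1; shift
    _rc=0
    for _spec in "$@"; do
        _name=${_spec%%=*}
        _want=${_spec#*=}
        # Column 5 is the service name, column 4 the port, column 3 the proto.
        _bad=$(printf '%s\n' "$_table" | awk -v n="$_name" -v w="$_want" '
            $5 == n { seen = 1
                      if ($4 != w) printf "%s/%s on port %s, expected %s\n", n, $3, $4, w }
            END { if (!seen) printf "%s not registered with portmapper\n", n }')
        if [ -n "$_bad" ]; then
            printf '%s\n' "$_bad"
            _rc=1
        fi
    done
    return $_rc
}

# On a live host, compare the running registrations with the firewall rules:
#   check_rpc_ports "$(rpcinfo -p)" status=32765 portmapper=111
```

Run it from the nfslock startup path or a cron job and a non-zero exit tells you statd has drifted back onto an ephemeral port before the firewall silently blocks lock recovery.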

More information about the fedora-list mailing list