Firewall and RPC Setup for NFS

Jonathan Ryshpan jonrysh at pacbell.net
Sat Mar 28 20:44:40 UTC 2009


On Fri, 2009-03-27 at 21:22 +0000, Sharpe, Sam J wrote:
> 2009/3/27 Jonathan Ryshpan <jonrysh at pacbell.net>:
> > Setting up to use NFS I've found that RPC doesn't work; it's blocked by
> > the firewall.  I surmise that RPC is one of the services listed in
> > System->Administration->Firewall under the "Trusted Services" tab.  But
> > which one?  If my surmise is not correct, how do I enable RPC service
> > without turning off the firewall?
> 
> It's not in that list, but it's port 111 udp/tcp:
> 
> [sam at machine ~]$ cat /etc/services | grep portmapper
> sunrpc		111/tcp		portmapper	# RPC 4.0 portmapper TCP
> sunrpc		111/udp		portmapper	# RPC 4.0 portmapper UDP
> 
> If you're firewalling NFS, you might want to also look at locking
> services to particular ports and opening them on your firewall:
> [sam at machine ~]$ sudo cat /etc/sysconfig/nfs
> MOUNTD_PORT=4001
> LOCKD_TCPPORT=4002
> LOCKD_UDPPORT=4003
> STATD_PORT=4004
> RQUOTAD_PORT=4005
> 
> Otherwise, the assignment of ports for RPC services is random, which
> creates a slight firewall issue...

You are exactly right on both counts.  Port 111/tcp and 111/udp have to
be opened to allow sunrpc to work.  Moreover nfs and its friends must be
set to fixed ports and these ports opened for nfs to work.  I have used
different ports from the ones you recommend, since there may be some
conflicts between them and the standard port assignments.  
My port assignments are:
        LOCKD_TCPPORT=890
        LOCKD_UDPPORT=890
        MOUNTD_PORT=891
        STATD_PORT=892
        RQUOTAD_PORT=893
I assume that all these are TCP ports except LOCKD_UDPPORT.

BTW: Would it be a good idea to close port 111, since sunrpc has been
reported as a security problem?  See:
        http://www.iss.net/security_center/advice/Services/SunRPC/default.htm
Or is sunrpc needed for other functions of nfs?

This is one of the **least** well documented aspects of Linux system
administration, and causes particular trouble to people who, like me,
use networking only once every 3 years or so, when they set up a new
system and have to transfer their files to it.  This is particularly
true since the System->Administration->Firewall has a tab that purports
to control access to NFS4.

Thanks very much - jon
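The two messages above describe the procedure in prose: pin the NFS helper daemons to fixed ports in /etc/sysconfig/nfs, then open those ports plus 111/tcp and 111/udp. The script below is an added example, not code from either poster or from Fedora: it turns a config in that format into a reviewable list of iptables rules and checks the chosen ports against /etc/services for collisions, the concern raised in the reply. It assumes the Fedora-era key names shown in the thread and an iptables firewall; the config text and the /etc/services excerpt are constructed samples, and the client subnet 192.168.1.0/24 is a placeholder. It also adds one thing neither message lists: nfsd itself listens on 2049 tcp/udp, and that port is not set in /etc/sysconfig/nfs.

```shell
#!/bin/sh
# Added example: derive iptables rules from /etc/sysconfig/nfs-style settings
# and flag pinned ports that collide with entries in /etc/services. Nothing
# here touches the live firewall; rules are printed for review only.

# Constructed stand-in for /etc/sysconfig/nfs, using the ports from the reply
# above. On a real host pass "$(cat /etc/sysconfig/nfs)" instead.
SAMPLE_NFS_CONF='
# NFS helper daemons pinned to fixed ports
LOCKD_TCPPORT=890
LOCKD_UDPPORT=890
MOUNTD_PORT=891
STATD_PORT=892
RQUOTAD_PORT=893
'

# Constructed excerpt of /etc/services (the real file is much longer).
SAMPLE_SERVICES='sunrpc      111/tcp   portmapper
sunrpc      111/udp   portmapper
nfs         2049/tcp  nfsd
nfs         2049/udp  nfsd
'

# conf_get KEY CONFIG_TEXT -> prints the numeric value of KEY, or nothing.
conf_get() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# nfs_rules CLIENT_CIDR CONFIG_TEXT
# Prints one "iptables -A INPUT ..." line per port/protocol an NFS v2/v3
# server needs reachable from CLIENT_CIDR. A daemon left unpinned gets a
# warning on stderr: it will pick a random port that no rule can cover.
nfs_rules() {
    client=$1
    conf=$2
    rule() {
        printf 'iptables -A INPUT -s %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$client" "$1" "$2"
    }
    # Fixed ports that are not in /etc/sysconfig/nfs: rpcbind/portmapper and nfsd.
    rule tcp 111;  rule udp 111
    rule tcp 2049; rule udp 2049
    # mountd, statd and rquotad serve the same port on both protocols.
    for key in MOUNTD_PORT STATD_PORT RQUOTAD_PORT; do
        p=$(conf_get "$key" "$conf")
        if [ -z "$p" ]; then
            echo "warning: $key not set; that daemon will use a random port" >&2
            continue
        fi
        rule tcp "$p"; rule udp "$p"
    done
    # lockd is configured separately per protocol.
    p=$(conf_get LOCKD_TCPPORT "$conf")
    if [ -n "$p" ]; then rule tcp "$p"; else echo "warning: LOCKD_TCPPORT not set" >&2; fi
    p=$(conf_get LOCKD_UDPPORT "$conf")
    if [ -n "$p" ]; then rule udp "$p"; else echo "warning: LOCKD_UDPPORT not set" >&2; fi
}

# port_conflicts CONFIG_TEXT SERVICES_TEXT
# Prints "KEY=PORT collides with NAME PORT/PROTO" for each pinned port that
# already belongs to a registered service; prints nothing when clean.
port_conflicts() {
    conf=$1
    services=$2
    for key in LOCKD_TCPPORT LOCKD_UDPPORT MOUNTD_PORT STATD_PORT RQUOTAD_PORT; do
        p=$(conf_get "$key" "$conf")
        [ -n "$p" ] || continue
        printf '%s\n' "$services" | grep -v '^#' \
            | awk -v k="$key" -v p="$p" \
                '{ split($2, a, "/"); if (a[1] == p) print k "=" p " collides with " $1 " " $2 }'
    done
}

# Stand-alone run: rules for one client subnet (placeholder address).
nfs_rules 192.168.1.0/24 "$SAMPLE_NFS_CONF"
port_conflicts "$SAMPLE_NFS_CONF" "$SAMPLE_SERVICES"
```

The rule list is the full set an NFSv2/v3 client needs; clients that mount with NFSv4 only talk to nfsd on 2049/tcp and never contact portmapper, mountd, lockd or statd, so for a v4-only server the single 2049/tcp rule is sufficient and 111 can stay closed. Restricting the source with `-s` matters more than the port list itself: every one of these daemons is reachable by anyone who can hit the port, so open them to the client subnet, not to the world.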
