
Re: Firewall problems with NFS

Bill Davidsen wrote:
I have a firewall problem with running an NFS server on FC6 or FC8, due to the GUI configuration interface not opening the firewall when I check the NFS protocol support. It seems to only allow use as an NFS client, since that worked fine when I tested it.

I can put the needed rules in the "RH-Firewall-1-INPUT" chain, but mixing GUI administration and manual administration is undesirable to prevent unexpected behavior, conflicts, etc, in the future. Is there really no way to open the ports for NFS server other than by hand?

Since there were a few people flailing at a helpful answer, let me pass on some additional information:

1 - pinning ports. Not needed. The standard tool seems to cope just fine, if only you can get the fixed ports visible.

2 - Need another firewall tool. No and yes... No, you really don't, to open the ports. Yes, you do if you want to specify which machines get access to the port. The export file or exportfs command limit which machines will be allowed to use NFS once they see the port. If you export to a reasonable subset of IP addresses most discussion I found indicates that you are probably safe from access to data, usual DOS attacks could be an issue.

So what's the scoop? See here:
  transport	ports
  UDP		2049, 111, 709, 706
  TCP		2049, 111, 709

Note that this was tested with a sniffer and a number of various machines and operating systems, seems to work with all of them. I was surprised to see that TCP with tcp_adv_win_size=5 and rsize=8192 was as fast as UDP, driving 449.1Mbit over gigE connection.

Hope this information is helpful to someone, I wanted to share it since people were trying to help me.

Bill Davidsen <davidsen tmr com>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
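
An added example, not part of the original post: a shell check that compares what `rpcinfo -p` reports on the server with the port table in the message and lists any registration that table does not cover. The sample `rpcinfo -p` output is constructed (the nlockmgr entries exist only to show a finding), and the names `ALLOWED`, `SAMPLE_RPCINFO` and `uncovered_ports` are this example's own.

```shell
#!/bin/sh
# Protocol/port pairs taken from the table in the post.
ALLOWED="udp/2049 udp/111 udp/709 udp/706 tcp/2049 tcp/111 tcp/709"

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
# The nlockmgr ports are made-up values that are absent from the table.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp    709  mountd
    100005    3   tcp    709  mountd
    100024    1   udp    706  status
    100021    4   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr'

# Read `rpcinfo -p` text on stdin and print "proto/port service" once for
# every registered RPC service whose proto/port pair is not in the list
# passed as $1. The header line is skipped because its first field is
# not numeric.
uncovered_ports() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            key = $3 "/" $4
            if (!(key in ok) && !(key in seen)) {
                seen[key] = 1
                print key, $5
            }
        }
    '
}

# Offline demonstration on the constructed sample.
# On a live server: rpcinfo -p | uncovered_ports "$ALLOWED"
printf '%s\n' "$SAMPLE_RPCINFO" | uncovered_ports "$ALLOWED"
```

Empty output means every service registered with the portmapper is reachable through the ports in the table; any line printed names a service that clients would be unable to reach through the firewall.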
