NFS and Firewall

From SlackWiki
Revision as of 05:26, 4 June 2009 by Erik (talk | contribs) (Copy from old)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

The most recent version of this document can always be found at: http://rlworkman.net/howtos/NFS_Firewall_HOWTO --rworkman


This document is intended to give you detailed steps for making NFS bind to user-specified ports instead of random ports assigned by the portmapper. This makes it *much* easier to run a firewall on the NFS server, as you don't have to kludge something to find the NFS ports at each boot to open them with iptables.

First, you'll want (it's not necessary, but handy to have for later) to make sure all of this is in /etc/services. I made sure "NFS" is in all of what I added or modified so that I can easily remove them (or just find them) if I need them later. 

bash-3.00# grep NFS /etc/services 
sunrpc          111/tcp    rpcbind      # SUN Remote Procedure Call
sunrpc          111/udp    rpcbind      # SUN Remote Procedure Call 
mountd          861/udp                 # NFS mountd
mountd          861/udp                 # NFS mountd
rquotad         863/udp                 # NFS rquotad
rquotad         863/tcp                 # NFS rquotad
status          865/udp                 # NFS status (listen)
status          865/tcp                 # NFS status (listen)
status          866/udp                 # NFS status (send)
status          866/tcp                 # NFS status (send)
nfsd            2049/tcp                # NFS server daemon
nfsd            2049/udp                # NFS server daemon
lockd           4045/udp                # NFS lock daemon/manager
lockd		4045/tcp		# NFS lock daemon/manager

Next, you'll need to modify your /etc/rc.d/rc.nfsd script accordingly: For other linux distributions, find the script that starts these daemons and add the needed flags.

  • Make the quota daemon listen on port 863
 if [ -x /usr/sbin/rpc.rquotad ]; then
   echo "  /usr/sbin/rpc.rquotad -p 863"
   /usr/sbin/rpc.rquotad -p 863
 fi
  • Make the mount daemon listen on port 861
 if [ -x /usr/sbin/rpc.mountd ]; then
   echo "  /usr/sbin/rpc.mountd -p 861"
   /usr/sbin/rpc.mountd -p 861
 fi

Now modify the /etc/rc.d/rc.rpc script (again, for other linux distros, find the script that starts this daemon and add the needed flags). On older versions (less than 11.0) of Slackware, rpc.statd is started in rc.nfsd, so look there instead.

  • Make the status daemon listen on port 865 and talk on port 866 - note that you'll have to open port 866 on the NFS clients
 if ! ps axc | grep -q rpc.statd ; then
   echo "Starting RPC NSM (Network Status Monitor):  /sbin/rpc.statd -p 865 -o 866"
   /sbin/rpc.statd -p 865 -o 866
 fi

Finally, make the lock daemon listen on port 4045 only - note that this requires setting module loading parameters in /etc/modules.conf (for 2.4 kernels) or /etc/modprobe.conf (for 2.6 kernels) or /etc/modprobe.d/options (for newer 2.6 kernels with module-init-tools >=3.2.2; create this file if it doesn't already exist) - it won't hurt to set it in all of them. You'll need to add this line to the files referenced above. 

 options lockd nlm_udpport=4045 nlm_tcpport=4045

Good luck - talk to me on IRC if you have trouble.

Retrieved from "https://www.slackwiki.com/index.php?title=NFS_and_Firewall&oldid=144"