NFS with firewall
FedoraForum.org - Fedora Support Forums and Community
  1. #1

    NFS with firewall

    Hi,

    I was running NFS on my Fedora machine. I found that I could not mount the exported directory on the client machine (Fedora) with the firewall enabled on the NFS server. Even when I tried clicking out all services in the firewall (but not disabling it), it did not work. To make it work, I had to disable the firewall.

    Is there any way to do this without disabling firewall?

    Thanks.

  2. #2
    You must assign static ports to NFS in its configuration file and then add those ports to the firewall configuration.

    Please look in

    /etc/sysconfig/nfs

    and configure it per your requirements.

    Also remember to add the portmap/rpcbind daemon port to the firewall.

    As long as the client can get to the portmap daemon (rpcbind), it will be told which ports to use through the firewall.

  3. #3
    stevea Guest
    Slow down there Mad' - what you need depends critically on which version of NFS you are using.

    All NFS is dependent on RPC for the communication protocol, but NFSv2 & v3 (the default) use the rpc port mapper feature, which is somewhat deprecated. Your client chats with the NFS server rpcbind service and asks which of its ports has the 10005 (rpc mount) service. The server rpcbind assigns a port, starts the service and then supplies the port number to the client: "hey - that service is now on port 40638". The client tries and fails since that port is firewalled on the server. One of the main features of rpc was this dynamic port mapping/serving, but modern firewall requirements largely destroy this feature. 4 or 5 mapped rpc services are needed for NFSv2/3.

    So Mad' is suggesting that you assign all the NFSv3 required rpc services to fixed ports, then you open the firewall on those ports. Note that the 'system-config-nfs' (second tab) and the 'system-config-firewall' will help with this sort of solution. I think this approach is old-school.

    There are many positive changes with NFSv4, including the fact that it only requires the nfs rpc service on fixed port 2049. So nfsv4 is desirable when using nfs through a firewall. nfsv4 only uses tcp, so there is reliable communication (nfsv2/3 can use udp or tcp, but there are some rude failure modes for udp). On Linux nfsv4 has modestly better performance. When using some security flavors (mount sec= option), the user name (not numeric uid) mapping applies, ACLs are supported and better security is available.

    ====

    It's a no-brainer - use NFSv4 and only port 2049.

    A/ open server port 2049, start the nfs service.
    B/ stop the rpc bind service and close port 111 and any others for rpc.
    C/ modify your /etc/exports file to use the "fsid=0" option, like,
    /home/common *(rw,insecure,sync,no_subtree_check,mp=/home,fsid=0,no_root_squash)
    then reexport the share. "exportfs -au; exportfs -av"
    D/ on the client mount from "server:/" (root) instead of "server:/home/common" and replace the filesys type from "nfs" to "nfsv4" like in fstab:
    hypoxylon:/ /home/common nfs4 _netdev,rw,exec,suid 0 0
    Last edited by stevea; 27th February 2010 at 01:50 AM.
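
Added example, not part of the thread or any poster's own code: a small shell audit for the NFSv2/v3 case discussed above, which reads `rpcinfo -p` output and lists every port/protocol pair the server firewall would have to allow, then separates out the ones beyond the fixed ports 111 and 2049. The sample output is constructed (port 40638 is borrowed from the post above) and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p <server>` output for an NFSv3 server.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  40638  status
    100024    1   tcp  40638  status
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100021    4   udp  51234  nlockmgr
    100021    4   tcp  32803  nlockmgr
EOF
}

# Read rpcinfo -p output on stdin; print one "port/proto service" line per
# unique pair used by the RPC services NFSv2/v3 depends on, sorted by port.
nfs_v3_ports() {
    awk 'NR > 1 && $5 ~ /^(portmapper|nfs|mountd|nlockmgr|status|rquotad)$/ \
             && !seen[$4, $3]++ { print $4 "/" $3, $5 }' | sort -n
}

# Filter nfs_v3_ports output down to the ports other than rpcbind (111) and
# nfs (2049): these change between restarts unless pinned in the server's
# NFS configuration, so each one needs both a fixed setting and a rule.
beyond_fixed() {
    awk -F/ '$1 != 111 && $1 != 2049'
}

# Stand-alone demo on the constructed sample.
# Against a real server: rpcinfo -p <server> | nfs_v3_ports
echo "Ports an NFSv3 firewall policy must cover:"
sample_rpcinfo | nfs_v3_ports
echo "Of those, ports that must be pinned before a rule is meaningful:"
sample_rpcinfo | nfs_v3_ports | beyond_fixed
```

With NFSv4 only, the same listing reduces to the single `2049/tcp nfs` line.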

  4. #4
    Thanks everybody. I will try these methods.
