-
26th February 2010, 01:14 AM
#1
NFS with firewall
Hi,
I was running NFS on my Fedora machine. I found that I could not mount an exported directory on the client machine (also Fedora) with the firewall enabled on the NFS server. I even tried clicking all the services in the firewall (without disabling it), but it did not work. To make it work, I had to disable the firewall.
Is there any way to do this without disabling the firewall?
Thanks.
-
26th February 2010, 03:40 AM
#2
You must assign static ports to NFS in its configuration file and then add those ports to the firewall configuration.
Please look in
/etc/sysconfig/nfs
and configure it per your requirements.
Also remember to add the portmap/rpcbind daemon port to the firewall.
As long as the client can get to the portmap daemon (rpcbind), it will be told which ports to use through the firewall.
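The static-port approach described in this reply, as an added example that is not from the thread: a POSIX shell script that reads the pinned ports from a /etc/sysconfig/nfs-style file and prints the matching iptables rules instead of applying them, so they can be reviewed before they go into the firewall configuration. The variable names MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT and RQUOTAD_PORT are the ones Fedora's /etc/sysconfig/nfs used at the time; the sample file and its port numbers are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): turn the fixed ports pinned in a
# /etc/sysconfig/nfs-style file into the iptables rules an NFSv2/3 server
# needs. Rules are printed, not applied, so they can be reviewed first.
# Variable names are those Fedora's /etc/sysconfig/nfs used at the time;
# the sample file and its port numbers are constructed for this demo.

# Constructed sample of a pinned /etc/sysconfig/nfs (not a real host's file).
sample_sysconfig_nfs() {
    cat <<'EOF'
# /etc/sysconfig/nfs: pin the otherwise dynamic RPC services to fixed ports
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
EOF
}

# Print the numeric value assigned to $2 in the sysconfig file $1
# (last assignment wins, quotes tolerated); prints nothing if unset.
sysconfig_value() {
    sed -n "s/^[[:space:]]*$2=[\"']*\([0-9][0-9]*\)[\"']*.*/\1/p" "$1" | tail -n 1
}

# Emit one iptables rule per line for an NFSv2/3 server behind a firewall:
# rpcbind (111) and nfsd (2049) are always fixed; mountd, statd and rquotad
# take one pinned port each on TCP and UDP; lockd is pinned separately
# per protocol. A helper left unpinned is reported instead of opened.
nfs3_firewall_rules() {
    file=$1
    for p in 111 2049; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
        echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"
    done
    for var in MOUNTD_PORT STATD_PORT RQUOTAD_PORT; do
        p=$(sysconfig_value "$file" "$var")
        if [ -z "$p" ]; then
            echo "# $var is not set in $file: that service still lands on a random port"
            continue
        fi
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
        echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"
    done
    p=$(sysconfig_value "$file" LOCKD_TCPPORT)
    [ -n "$p" ] && echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    p=$(sysconfig_value "$file" LOCKD_UDPPORT)
    [ -n "$p" ] && echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"
    return 0
}

# Stand-alone demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_sysconfig_nfs > "$tmp"
    nfs3_firewall_rules "$tmp"
    rm -f "$tmp"
fi
```

Run it with the --demo argument to see the twelve rules the sample produces. Ports 111 and 2049 are fixed no matter what; every other rule exists only because NFSv2/3 spreads mountd, statd, lockd and rquotad across ports that rpcbind hands out at start-up, which is exactly why the firewall cannot know about them unless you pin them first. A helper that stays unpinned is reported rather than silently skipped, since that is the case that makes the mount hang.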
-
27th February 2010, 01:42 AM
#3
Slow down there Mad' - what you need depends critically on which version of NFS you are using.
All NFS is dependent on RPC for the communication protocol, but NFSv2 & v3 (the default) use the RPC port mapper feature, which is somewhat deprecated. Your client chats with the NFS server's rpcbind service and asks which of its ports has the 10005 (rpc mount) service. The server's rpcbind assigns a port, starts the service and then supplies the port number to the client: "hey - that service is now on port 40638". The client tries and fails, since that port is firewalled on the server. One of the main features of RPC was this dynamic port mapping/serving, but modern firewall requirements largely destroy this feature. 4 or 5 mapped RPC services are needed for NFSv2/3.
So Mad' is suggesting that you assign all the RPC services NFSv3 requires to fixed ports, then open the firewall on those ports. Note that 'system-config-nfs' (second tab) and 'system-config-firewall' will help with this sort of solution. I think this approach is old-school.
There are many positive changes with NFSv4, including the fact that it only requires the nfs RPC service on fixed port 2049. So NFSv4 is desirable when using NFS through a firewall. NFSv4 only uses TCP, so there is reliable communication (NFSv2/3 can use UDP or TCP, but there are some rude failure modes for UDP). On Linux NFSv4 has modestly better performance. When using some security flavors (mount sec= option), user name (not numeric uid) mapping applies, ACLs are supported and better security is available.
====
It's a no-brainer - use NFSv4 and only port 2049.
A/ Open server port 2049, start the nfs service.
B/ Stop the rpcbind service and close port 111 and any others for RPC.
C/ Modify your /etc/exports file to use the "fsid=0" option, like:
/home/common *(rw,insecure,sync,no_subtree_check,mp=/home,fsid=0,no_root_squash)
then re-export the share: "exportfs -au; exportfs -av"
D/ On the client, mount from "server:/" (root) instead of "server:/home/common" and change the filesystem type from "nfs" to "nfs4", as in fstab:
hypoxylon:/ /home/common nfs4 _netdev,rw,exec,suid 0 0
Last edited by stevea; 27th February 2010 at 01:50 AM.
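A check for the NFSv4-only setup in step C above, added here and not part of stevea's post: a POSIX shell script that audits an /etc/exports file for the single fsid=0 pseudo-root that NFSv4 clients need when they mount server:/, and flags per-export options that widen exposure. The sample exports content is constructed and mirrors the shape of the posted line, which is why the audit warns about it: `*` exports to every host, `insecure` makes the server accept requests from unprivileged client ports, and `no_root_squash` lets root on the client act as root on the export. Whether those are acceptable depends on who can reach port 2049; the script only reports them.

```shell
#!/bin/sh
# Added example (not from the thread): audit an /etc/exports meant for an
# NFSv4-only server that exposes just port 2049. Checks for exactly one
# fsid=0 pseudo-root (what "mount server:/" needs) and flags options that
# widen exposure. The exports text below is constructed for this demo and
# mirrors the shape of the line posted in the thread.

# Constructed sample /etc/exports (not a real host's file).
sample_exports() {
    cat <<'EOF'
# NFSv4 pseudo-root plus one restricted export
/home/common *(rw,insecure,sync,no_subtree_check,mp=/home,fsid=0,no_root_squash)
/srv/data    192.168.1.0/24(ro,sync,no_subtree_check)
EOF
}

# Number of non-comment export lines carrying fsid=0 in file $1.
count_pseudo_roots() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'fsid=0' || true
}

# Print one finding per line: ERROR for a pseudo-root problem, WARN for
# options that widen exposure, INFO for the implicit AUTH_SYS default.
audit_exports() {
    file=$1
    n=$(count_pseudo_roots "$file")
    case "$n" in
        1) ;;
        0) echo "ERROR: no export has fsid=0; NFSv4 clients mounting server:/ will fail" ;;
        *) echo "ERROR: $n exports carry fsid=0; NFSv4 allows exactly one pseudo-root" ;;
    esac
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            path = $1
            # Each remaining field is client(options); split the two apart.
            for (i = 2; i <= NF; i++) {
                client = $i; sub(/\(.*$/, "", client)
                opts = $i
                if (sub(/^[^(]*\(/, "", opts)) { sub(/\)$/, "", opts) } else { opts = "" }
                if (client == "*")
                    printf "WARN %s: exported to every host (*); restrict to a subnet or host list\n", path
                if (opts ~ /(^|,)insecure(,|$)/)
                    printf "WARN %s: insecure accepts requests from client ports above 1023 (any local user, not just root)\n", path
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    printf "WARN %s: no_root_squash lets root on the client act as root on this export\n", path
                if (opts !~ /(^|,)sec=/)
                    printf "INFO %s: no sec= option, so sec=sys applies and client-supplied uids are trusted\n", path
            }
        }' "$file"
}

# Stand-alone demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_exports > "$tmp"
    audit_exports "$tmp"
    rm -f "$tmp"
fi
```

Run it with the --demo argument: the sample yields no ERROR, three WARN lines (all for the pseudo-root export) and an INFO line per export. The INFO line is the one worth weighing once rpcbind is gone and only 2049 is open: with the default sec=sys the server still believes whatever uid the client presents, so the firewall rules decide who may mount, not who they are once mounted.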
-
3rd March 2010, 05:38 PM
#4
Thanks everybody. I will try these methods.