On Fri, 2004-05-07 at 21:35, Stuart Lowe wrote:
> Hello,
>
> I want to tie down NFS ports so I can put up a firewall.
>
> In particular, I'm looking at statd. I noticed from the man pages that
> statd can take a "-p" and a "-o" option for setting ports. The startup
> script /etc/rc.d/init.d/nfslock appears to be trying to take this into
> consideration.
>
> If I start NFS using the bare-bones startup scripts that came with FC1,
> I notice that when I do an rpcinfo -p I get something like:
>
> 100024 1 udp 32768 status
> 100024 1 tcp 32770 status
>
> If I make a file /etc/sysconfig/nfs (this is referenced in
> /etc/rc.d/init.d/nfslock but did not exist) and put the following lines
> in it:
>
> STATD_PORT=32765
> STATD_OUTGOING_PORT=32766
>
> then after restarting my machine rpcinfo -p gives:
>
> 100024 1 udp 32765 status
> 100024 1 tcp 32765 status
>
> It appears that if I attempt to specify ports, STATD_OUTGOING_PORT gets
> "ignored".
>
> I'm concentrating on statd here as an example, but my concerns all
> relate to the general question of "What is the best way to tie down NFS
> ports?" I've seen a lot of stuff on this such as defining ports in
> /etc/services, directly hard-coding ports in the startup scripts, and
> I've tried numerous combinations. So far, the only thing that seems to
> work with consistency for me is using /etc/modules.conf to tie down the
> lockd ports.
>
> Any ideas on this would be greatly appreciated.
>
> Regards,
>
> Stu.

Try http://www.linuxguruz.com/iptables/

--
jludwig <wralphie@xxxxxxxxxxx>
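The thread above boils down to two checks a practitioner wants before writing firewall rules for NFS: confirm, from `rpcinfo -p`, that each RPC service really landed on the port you pinned (a service that silently fell back to a random high port would be blocked by a static rule set), and then derive the allow rules from what is actually registered rather than from what you hoped to configure. The script below is an added example, not code from the thread or from the linked iptables site; the `rpcinfo -p` text embedded in it is constructed for illustration (statd pinned to 32765, lockd to 4001, mountd to 32767), the interface name `eth0` and the trusted network `192.168.1.0/24` are assumptions, and the function names are mine. On a real host you would pipe live output in instead: `rpcinfo -p | check_pinned status 32765`.

```shell
#!/bin/sh
# Added example: parse `rpcinfo -p` output, verify that a service is on the
# port it was pinned to, and emit iptables ACCEPT rules for exactly the
# proto/port pairs that are registered with the portmapper.
# Function names, the sample output, eth0 and 192.168.1.0/24 are assumptions.

# rpc_ports NAME            (rpcinfo -p output on stdin)
# Prints unique "proto port" pairs registered under service NAME.
# Only lines whose first field is a numeric program number are data rows;
# this skips the "program vers proto port service" header line.
rpc_ports() {
    awk -v svc="$1" '$1 ~ /^[0-9]+$/ && $5 == svc { print $3, $4 }' | sort -u
}

# check_pinned NAME PORT    (rpcinfo -p output on stdin)
# Succeeds only if every tcp and udp registration of NAME uses PORT.
# A service that is absent, or that fell back to a random port for one
# protocol (the udp 32768 / tcp 32770 situation from the post), fails.
check_pinned() {
    _ports=$(rpc_ports "$1" | awk '{ print $2 }' | sort -u)
    [ -n "$_ports" ] && [ "$_ports" = "$2" ]
}

# rpc_allow_rules IFACE SRCNET   (rpcinfo -p output on stdin)
# Emits one ACCEPT per registered proto/port from the trusted network.
# Append these ahead of a DROP policy on INPUT so that any RPC service
# that later registers on an unexpected port is refused, not exposed.
rpc_allow_rules() {
    awk '$1 ~ /^[0-9]+$/ { print $3, $4, $5 }' | sort -u |
    while read -r proto port name; do
        printf 'iptables -A INPUT -i %s -s %s -p %s --dport %s -m comment --comment %s -j ACCEPT\n' \
            "$1" "$2" "$proto" "$port" "$name"
    done
}

# Constructed sample of `rpcinfo -p` (not captured from the poster's machine):
# statd pinned to 32765, lockd to 4001, mountd to 32767.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100021    1   udp   4001  nlockmgr
    100021    3   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd'

# Demo against the sample; on a live host replace the printf with `rpcinfo -p`.
if printf '%s\n' "$SAMPLE_RPCINFO" | check_pinned status 32765; then
    echo "statd is registered on 32765 for every protocol"
else
    echo "statd is NOT on 32765; fix /etc/sysconfig/nfs before trusting the rules" >&2
fi
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_allow_rules eth0 192.168.1.0/24
```

Two design points: the rules are generated from the portmapper's view rather than from the configuration files, so a service that ignored its port setting shows up as a failed `check_pinned` rather than as a hole in the firewall; and the generator deliberately emits only ACCEPTs for the trusted network and relies on a DROP default for INPUT, because listing the ports to block is fragile whenever a daemon can pick a new one.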