Andrew Dietz wrote:
If you use iptables in a stateful fashion, the outgoing statd port need not be opened up in iptables. Input packets are permitted as "established". Thus if you change the statd outbound port to 4004 a more efficient iptables rule can permit the necessary inbound ports without permitting an unnecessary one. Please consider revising your web page accordingly.

I have explored the same issue in the past and came across the same URL that Scot posted. I have since modified that document to work specifically with RedHat/Fedora distributions. Should make for a pretty painless implementation.
http://maverick.library.gatech.edu/docs/nfs_firewall.html
Andrew
Additions to iptables:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Permit NFS access
-A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4000:4003 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 4000:4003 -j ACCEPT
/etc/sysconfig/nfs:

# /etc/sysconfig/nfs
# Created 7-5-2004 by Christopher K. Johnson
# Based on earlier work by Chris Lowth,
# adjusted to use features supported by original Fedora Core 2 init scripts.

# The following may be relevant in a virtual host environment
#STATD_HOSTNAME=

STATD_PORT=4000
STATD_OUTGOING_PORT=4004

LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001

MOUNTD_PORT=4002

# Also see /etc/services to set rpc.rquotad port to 4003
# rquotad 4003/tcp # Fix a port for rpc.rquotad
# rquotad 4003/udp # Fix a port for rpc.rquotad
And the actual additions to the end of /etc/services (as documented by comments in nfs above):
# Local services
rquotad 4003/tcp # Fix a port for rpc.rquotad
rquotad 4003/udp # Fix a port for rpc.rquotad
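As an added example (not part of this thread or of the linked document), a small POSIX shell check that confirms the NFS helper services (status, nlockmgr, mountd, rquotad) actually registered with the portmapper on the fixed ports that the iptables rules above expect. If any of them fell back to a dynamic port, the 4000:4003 rules silently stop matching and clients hang on locking or mounts. The rpcinfo -p output embedded here is constructed sample data, and the function and variable names are my own.

```shell
#!/bin/sh
# check_nfs_ports LO HI
#   Reads "rpcinfo -p" output on stdin and reports every NFS helper service
#   registered outside the port range LO..HI. Returns 0 when all are inside.
#   rpcinfo -p columns: program vers proto port service
check_nfs_ports() {
    lo=$1
    hi=$2
    awk -v lo="$lo" -v hi="$hi" '
        $5 ~ /^(status|nlockmgr|mountd|rquotad)$/ {
            if ($4 + 0 < lo || $4 + 0 > hi) {
                print $5 " (" $3 ") is on port " $4 ", outside " lo "-" hi
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: every service landed on the ports set in /etc/sysconfig/nfs.
SAMPLE_OK='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100011    1   udp   4003  rquotad
    100011    1   tcp   4003  rquotad
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# Constructed sample: mountd ignored the setting and took dynamic ports.
SAMPLE_DRIFT='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp   4000  status
    100021    1   udp   4001  nlockmgr
    100005    1   udp  32772  mountd
    100005    1   tcp  32803  mountd
    100011    1   udp   4003  rquotad
    100003    2   tcp   2049  nfs'

# Stand-alone demonstration; on a real host pipe `rpcinfo -p` in instead.
printf '%s\n' "$SAMPLE_OK" | check_nfs_ports 4000 4003 && echo "all helper services on fixed ports"
printf '%s\n' "$SAMPLE_DRIFT" | check_nfs_ports 4000 4003 || echo "at least one service is off its fixed port"
```

Run it after every nfs service restart (or from a cron job) rather than once at install time: the setting takes effect only if the init scripts pass the ports to each daemon, so a package update that changes the scripts shows up here as a port outside the range.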
-- 
-----------------------------------------------------------
"Spend less! Do more! Go Open Source..." -- Dirigo.net
Chris Johnson, RHCE #807000448202021