Bill Davidsen wrote:
> I have a firewall problem with running an NFS server on FC6 or FC8, due
> to the GUI configuration interface not opening the firewall when I check
> the NFS protocol support. It seems to only allow use as an NFS client,
> since that worked fine when I tested it.
>
> I can put the needed rules in the "RH-Firewall-1-INPUT" chain, but
> mixing GUI administration and manual administration is undesirable to
> prevent unexpected behavior, conflicts, etc, in the future. Is there
> really no way to open the ports for NFS server other than by hand?

Since there were a few people flailing at a helpful answer, let me pass
on some additional information:
1 - pinning ports. Not needed. The standard tool seems to cope just
fine, if only you can get the fixed ports visible.
2 - Need another firewall tool. No and yes... No, you really don't need one
to open the ports; yes, you do if you want to specify which machines get
access to the port. The export file or exportfs command limits which
machines will be allowed to use NFS once they see the port. If you
export to a reasonable subset of IP addresses, most discussion I found
indicates that you are probably safe from access to data; usual DoS
attacks could be an issue.
So what's the scoop? See here:
transport ports
UDP 2049, 111, 709, 706
TCP 2049, 111, 709
Note that this was tested with a sniffer and a number of various
machines and operating systems, seems to work with all of them. I was
surprised to see that TCP with tcp_adv_win_size=5 and rsize=8192 was as
fast as UDP, driving 449.1Mbit over a gigE connection.
Hope this information is helpful to someone, I wanted to share it since
people were trying to help me.
--
Bill Davidsen <davidsen@xxxxxxx>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
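
Added example, not part of the original post: a shell sketch that prints (without running) iptables rules for the ports listed above, limited to a source network as point 2 describes, and lists any service in `rpcinfo -p` output registered on a port outside that list so the list can be checked against a given server. The function names, the 192.168.1.0/24 network and the sample `rpcinfo -p` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Ports exactly as listed in the post above.
UDP_PORTS="2049 111 709 706"
TCP_PORTS="2049 111 709"
CHAIN="RH-Firewall-1-INPUT"

# Print (do not run) one ACCEPT rule per listed port, limited to source
# network $1. -I inserts at the top of the chain: the stock chain ends in a
# catch-all REJECT, so a rule appended with -A would never be reached.
nfs_rules() {
    src=$1
    for p in $UDP_PORTS; do
        echo "iptables -I $CHAIN -s $src -p udp -m udp --dport $p -j ACCEPT"
    done
    for p in $TCP_PORTS; do
        echo "iptables -I $CHAIN -s $src -p tcp -m tcp --dport $p -j ACCEPT"
    done
}

# Read `rpcinfo -p` output on stdin and print "proto port service" once for
# every registered RPC service whose port is NOT in the lists above.
uncovered_rpc() {
    awk -v udp="$UDP_PORTS" -v tcp="$TCP_PORTS" '
        BEGIN {
            n = split(udp, a, " "); for (i = 1; i <= n; i++) ok["udp", a[i]] = 1
            n = split(tcp, a, " "); for (i = 1; i <= n; i++) ok["tcp", a[i]] = 1
        }
        $1 ~ /^[0-9]+$/ && !(($3, $4) in ok) && !seen[$3, $4]++ { print $3, $4, $5 }
    '
}

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    706  status
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    4   udp  32768  nlockmgr
    100005    3   udp    709  mountd
    100005    3   tcp    709  mountd
EOF
}

nfs_rules 192.168.1.0/24        # assumed client network
sample_rpcinfo | uncovered_rpc  # on a server: rpcinfo -p | uncovered_rpc
```

An empty result from `uncovered_rpc` means every registered RPC service sits on a port the rules allow; the same source network should appear in the export file so both layers agree.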