[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Bill Davidsen wrote:
Bill Davidsen wrote:
I have a firewall problem with running an NFS server on FC6 or FC8, due to the GUI configuration interface not opening the firewall when I check the NFS protocol support. It seems to only allow use as an NFS client, since that worked fine when I tested it.
I can put the needed rules in the "RH-Firewall-1-INPUT" chain, but 
mixing GUI administration and manual administration is undesirable to 
prevent unexpected behavior, conflicts, etc, in the future. Is there 
really no way to open the ports for NFS server other than by hand?
Since there were a few people flailing at a helpful answer, let me pass on some additional informations:
1 - pinning ports. Not needed. The standard tool seems to cope just 
fine, if only you can get the fixed ports visible.
2 - Need another firewall tool. No and yes... No, you really don't to 
open the ports, Yes you do if you want to specify which machines get 
access to the port. The export file or exportfs command limit which 
machines will be allowed to use NFS once they see the port. If you 
export to a reasonable subset of IP addresses most discussion I found 
indicates that you are probably safe from access to data, usual DOS 
attacks could be an issue.
So what's the scoop? See here:
  transport    ports
  UDP        2049, 111, 709, 706
  TCP        2049, 111, 709

Note that this was tested with a sniffer and a number of various machines and operating systems, seems to work with all of them. U was surprised to see that TCP with tcp_adv_win_size=5 and rsize=8192 was as fast as UDP, driving 449.1Mbit over gigE connection.
_I_ found the ports were moving; I used tcpdump to see it. It was _not_ 
using any 7xx ports. lockd (in the kernel) _was_ using a 327xx port.
111 is used by portmapper, which maps "program names" to port numbers. 
The port numbers actually used can vary.
See these, both are using nahant-clone:
10:29 [[email protected] ~]$ rpcinfo -p  192.168.9.4
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    765  status
    100024    1   tcp    768  status
    100011    1   udp    825  rquotad
    100011    2   udp    825  rquotad
    100011    1   tcp    828  rquotad
    100011    2   tcp    828  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  32771  nlockmgr
    100021    3   udp  32771  nlockmgr
    100021    4   udp  32771  nlockmgr
    100021    1   tcp  32768  nlockmgr
    100021    3   tcp  32768  nlockmgr
    100021    4   tcp  32768  nlockmgr
    100005    1   udp    841  mountd
    100005    1   tcp    844  mountd
    100005    2   udp    841  mountd
    100005    2   tcp    844  mountd
    100005    3   udp    841  mountd
    100005    3   tcp    844  mountd
10:30 [[email protected] ~]$ rpcinfo -p  cdm
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    602  status
    100024    1   tcp    605  status
    100011    1   udp    621  rquotad
    100011    2   udp    621  rquotad
    100011    1   tcp    621  rquotad
    100011    2   tcp    621  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  32788  nlockmgr
    100021    3   udp  32788  nlockmgr
    100021    4   udp  32788  nlockmgr
    100021    1   tcp  32768  nlockmgr
    100021    3   tcp  32768  nlockmgr
    100021    4   tcp  32768  nlockmgr
    100005    1   udp    640  mountd
    100005    1   tcp    640  mountd
    100005    2   udp    640  mountd
    100005    2   tcp    640  mountd
    100005    3   udp    640  mountd
    100005    3   tcp    640  mountd
10:30 [[email protected] ~]$

Everything but portmapper and nfs is different. A debian system I have is different again.


--

Cheers
John

-- spambait
[email protected]  [email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

Please do not reply off-list


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]
  Powered by Linux