Bill Davidsen wrote:
Bill Davidsen wrote:
I have a firewall problem with running an NFS server on FC6 or FC8,
due to the GUI configuration interface not opening the firewall when I
check the NFS protocol support. It seems to only allow use as an NFS
client, since that worked fine when I tested it.
I can put the needed rules in the "RH-Firewall-1-INPUT" chain, but
mixing GUI administration and manual administration is undesirable to
prevent unexpected behavior, conflicts, etc, in the future. Is there
really no way to open the ports for NFS server other than by hand?
Since there were a few people flailing at a helpful answer, let me pass
on some additional information:
1 - pinning ports. Not needed. The standard tool seems to cope just
fine, if only you can get the fixed ports visible.
2 - Need another firewall tool. No and yes... No, you really don't need to
open the ports; yes, you do if you want to specify which machines get
access to the port. The export file or exportfs command limits which
machines will be allowed to use NFS once they see the port. If you
export to a reasonable subset of IP addresses, most discussion I found
indicates that you are probably safe from access to data; usual DOS
attacks could be an issue.
So what's the scoop? See here:
transport ports
UDP 2049, 111, 709, 706
TCP 2049, 111, 709
Note that this was tested with a sniffer and a number of various
machines and operating systems; it seems to work with all of them. I was
surprised to see that TCP with tcp_adv_win_size=5 and rsize=8192 was as
fast as UDP, driving 449.1Mbit over a gigE connection.
_I_ found the ports were moving; I used tcpdump to see it. It was _not_
using any 7xx ports. lockd (in the kernel) _was_ using a 327xx port.
111 is used by portmapper, which maps "program names" to port numbers.
The port numbers actually used can vary.
See these, both are using nahant-clone:
10:29 [summer@numbat ~]$ rpcinfo -p 192.168.9.4
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 765 status
100024 1 tcp 768 status
100011 1 udp 825 rquotad
100011 2 udp 825 rquotad
100011 1 tcp 828 rquotad
100011 2 tcp 828 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 udp 32771 nlockmgr
100021 3 udp 32771 nlockmgr
100021 4 udp 32771 nlockmgr
100021 1 tcp 32768 nlockmgr
100021 3 tcp 32768 nlockmgr
100021 4 tcp 32768 nlockmgr
100005 1 udp 841 mountd
100005 1 tcp 844 mountd
100005 2 udp 841 mountd
100005 2 tcp 844 mountd
100005 3 udp 841 mountd
100005 3 tcp 844 mountd
10:30 [summer@numbat ~]$ rpcinfo -p cdm
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 602 status
100024 1 tcp 605 status
100011 1 udp 621 rquotad
100011 2 udp 621 rquotad
100011 1 tcp 621 rquotad
100011 2 tcp 621 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 udp 32788 nlockmgr
100021 3 udp 32788 nlockmgr
100021 4 udp 32788 nlockmgr
100021 1 tcp 32768 nlockmgr
100021 3 tcp 32768 nlockmgr
100021 4 tcp 32768 nlockmgr
100005 1 udp 640 mountd
100005 1 tcp 640 mountd
100005 2 udp 640 mountd
100005 2 tcp 640 mountd
100005 3 udp 640 mountd
100005 3 tcp 640 mountd
10:30 [summer@numbat ~]$
Everything but portmapper and nfs is different. A debian system I have
is different again.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
Please do not reply off-list
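The two rpcinfo listings above make the point that only portmapper (111) and nfs (2049) sit on well-known ports; mountd, status, rquotad and nlockmgr are assigned at service start and differ from host to host. The script below is an added example, not code from either poster: it parses `rpcinfo -p` output, separates the fixed endpoints from the moving ones, shows which services differ between two hosts, and renders iptables rules for the RH-Firewall-1-INPUT chain that open exactly those endpoints to a single source subnet (the `192.168.9.0/24` subnet and the abridged listings are constructed from the thread's output; function names are my own).

```python
"""Derive an NFS server's firewall port set from `rpcinfo -p` output.

Added example, not code from the thread. The two listings are abridged
from the ones quoted above (one line per program/protocol); the subnet
used for the rules is constructed.
"""
import re
from collections import defaultdict

NUMBAT = """\
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 765 status
100024 1 tcp 768 status
100011 1 udp 825 rquotad
100011 1 tcp 828 rquotad
100003 3 udp 2049 nfs
100003 3 tcp 2049 nfs
100021 3 udp 32771 nlockmgr
100021 3 tcp 32768 nlockmgr
100005 3 udp 841 mountd
100005 3 tcp 844 mountd
"""

CDM = """\
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 602 status
100024 1 tcp 605 status
100011 1 udp 621 rquotad
100011 1 tcp 621 rquotad
100003 3 udp 2049 nfs
100003 3 tcp 2049 nfs
100021 3 udp 32788 nlockmgr
100021 3 tcp 32768 nlockmgr
100005 3 udp 640 mountd
100005 3 tcp 640 mountd
"""

# The only RPC endpoints that bind to well-known ports; everything else is
# handed out at service start and can differ between hosts and reboots.
FIXED_PORTS = {("tcp", 111), ("udp", 111), ("tcp", 2049), ("udp", 2049)}

# program  vers  proto  port  name
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Map service name -> set of (proto, port) from `rpcinfo -p` output.
    The header and any non-matching line are skipped; the version column
    is dropped because the firewall only sees protocol and port."""
    services = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _prog, _vers, proto, port, name = m.groups()
            services[name].add((proto, int(port)))
    return dict(services)


def moving_ports(services):
    """(proto, port) pairs that are not well-known, i.e. the ones a static
    'NFS' rule written ahead of time cannot know about."""
    return sorted({p for ports in services.values() for p in ports
                   if p not in FIXED_PORTS})


def diff_hosts(a, b):
    """Names of services whose endpoints differ between two parsed listings."""
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


def firewall_rules(services, source_cidr, chain="RH-Firewall-1-INPUT"):
    """Render iptables rules that open exactly the listed endpoints, and
    only to the subnet the exports are meant for (the chain name is the
    one the thread mentions; the subnet is whatever /etc/exports allows)."""
    endpoints = sorted({p for ports in services.values() for p in ports})
    return [f"-A {chain} -s {source_cidr} -p {proto} -m {proto} "
            f"--dport {port} -j ACCEPT" for proto, port in endpoints]


if __name__ == "__main__":
    numbat, cdm = parse_rpcinfo(NUMBAT), parse_rpcinfo(CDM)
    print("services that differ between hosts:", diff_hosts(numbat, cdm))
    print("non-fixed endpoints on numbat:", moving_ports(numbat))
    for rule in firewall_rules(numbat, "192.168.9.0/24"):  # constructed subnet
        print(rule)
```

Running it on the two listings reports mountd, nlockmgr, rquotad and status as the services that differ, which is the "everything but portmapper and nfs" observation above; the rendered rules are only valid for the host and boot they were derived from, which is why a rule set generated this way has to be regenerated (or the services pinned to fixed ports) before it can be trusted across restarts.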