Re: Firewall and nfs mounts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Anne Wilson wrote:
On Tuesday 25 August 2009 00:16:28 Ed Greshko wrote:
Anne Wilson wrote:
On Monday 24 August 2009 15:44:20 Bill McGonigle wrote:
On 08/24/2009 08:15 AM, Anne Wilson wrote:
What ports are necessarily opened on an nfs server?  Does the client
need any ports opened?
If you can limit yourself to NFSv4 you're much better off in this
department.  I have this on an NFSv4 server:

# NFS
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source
192.168.1.32/27 --dport 2049 -j ACCEPT

and nothing on a working client other than the standard:

  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Thanks.  That's something to work on.  Although I have had a working
firewall in the past, I'm not really familiar with iptables setup.  Since
a gui tool was provided I expected it to do the necessary (this is
system-config- securitylevels on CentOS) but it doesn't.  I used
shorewall to set up my firewall long ago, and I'm beginning to think I
might be better of seeing if there's a package for CentOS.  Gui tools
seem nice, but I don't like the fact that they rarely tell you what the
are and aren't doing.
When it comes to a shorewall package for CentOS or RHEL you can enable
the EPEL repository https://fedoraproject.org/wiki/EPEL

Thanks, Ed. I should be able to get to that tomorrow. The thing is that I only want nfs across the lan. The router would stop any external attempts to use nfs mounting, so it seems to me that trusting the local zone might be all that's needed. I think that is straightforward, IIRC, in shorewall.

For internal use the "insecure" option may be all you need. I export some things from various servers, attached is a little part of the process, a function to do the export by bind mounting directories into the "/export" space then exporting from there. That way any moves of the "real" location are hidden, clients always mount a short name.

Note that this attachment has been cleansed a bit of addresses and comments, take as an example to test before use.

--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
#!/bin/bash
#   export the image of the CentOS-5.3 /var/cache/yum for updates
# $Id: do_exports 1.2 2009/05/04 13:48:31 root Stable root $

function ExPort() {
  # See if the mount point is present
  SourcePt=$1
  MountPt=/exports/$2
  ExpOptions="${3:-rw,insecure,no_root_squash}"

  # see if the mount point exists
  [ -d ${MountPt} ] || mkdir -p ${MountPt} || return 2

  # bind mount the directory where you export it
  #   this avoids changing the mount in all user machines
  if ! mount | grep -q "${MountPt}.*bind"; then
    mount -o bind ${SourcePt} ${MountPt} || 
    return 2
  fi

  # now do the actual export
  exportfs -o ${ExpOptions} 10.4.60.0/23:${MountPt}
}

# unexport all, start over
exportfs -uav

# do the approved exports
#   /var/cache/yum for all CentOS 5.3 machines
ExPort /mnt/tmp/backups/C53cache C53VCY
#   /var/cache/yum for FC11
ExPort /mnt/tmp/workspace/FC11/VCY/ FC11VCY
#   FC10 workspace
ExPort /mnt/tmp/10space tenspace
#   in case the master copy of /common is down
#   machines will try to use this one
ExPort /mnt/backups/common common ro,insecure
-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux