Charles Curley - Software Engineer, Writer
Charles Curley



NFS and Firewalls on Fedora Core

One problem with NFS is that it likes to use a range of ports. That would mean leaving a slew of ports open in your firewall, which is probably not a good idea. The alternative is to assign the various daemons that NFS uses to specific ports, and open only those.

I got this from D. Diacono's article at http://www.ba.infn.it/calcolo/documenti/NFSServer.html#Firewall. Also see Chris Lowth's article at http://www.lowth.com/LinWiz/nfs_help.html. It was originally written for a now elderly version of Red Hat. I have updated it for Fedora Core, currently 6. It will likely work with no changes on recent versions of Red Hat Enterprise Linux.

Analogous instructions are available for Debian, which also work for Ubuntu.

NFS through IPTABLES Firewall Setup

It is worth mentioning that NFS is not an encrypted protocol, and anyone on the same physical network could sniff the traffic and reassemble the information being passed back and forth.

To make it possible to configure a firewall that controls NFS, it is necessary to "tie down" the ports used by these services to fixed values. In the following we suggest some fixed values, but of course you can — and should — use different ports.

  1. Portmapper (portmap): uses port 111 on both TCP and UDP protocols.

  2. NFS daemon (rpc.nfsd): uses port 2049 on both TCP and UDP protocols.

  3. Status (rpc.statd): normally uses a random port allocated by portmapper (but see the Fedora note below). It is possible to configure a fixed port number by supplying the "-p" command option when the program is launched. Edit the file /etc/init.d/nfslock, find the line "daemon rpc.statd" and add the option:

    daemon rpc.statd -p 4000
    

    On Fedora, instead of editing the init script, create or add to /etc/sysconfig/nfs the line:

    STATD_PORT=4000

  4. NFS lock manager (rpc.lockd): normally uses a random port allocated by portmapper. On systems where the lock manager is implemented as a loadable module (Red Hat 7.3 and greater, Mandrake 8.2 and greater) the port number used is set at module load time, and so is configured by adding (or editing) a line in the /etc/modprobe.conf file, as follows:

    options lockd nlm_udpport=4001 nlm_tcpport=4001
    
  5. mountd (rpc.mountd): normally uses a random port allocated by portmapper. It is possible to configure a fixed port number by supplying the "-p" command line option when the program is launched. This can be done by editing the file /etc/sysconfig/network and adding the following line:

    MOUNTD_PORT=4002
    
  6. Note that you can happily use NFS without quotas, and in such case you can skip this point.

    rquotad (rpc.rquotad): if your system is not already running "quota" version 3.08 or later, download it from the linuxquota website. Remove the old version and install the new quota package:

    tar zxvf quota-3.08.tar.gz
    cd quota-tools
    ./configure
    make
    make install
    cp rpc.rquotad /usr/sbin/
    

    Now edit the file /etc/rpc and check that the following line is present:

    rquotad 100011 rquotaprog quota rquota
    

    It should be there, but if not, then add it yourself.

    Finally edit the file /etc/services and add the following lines, one for each protocol, so that rpc.rquotad binds to the fixed port:

    rquotad 4003/tcp
    rquotad 4003/udp
    
  7. Now that you have pinned the NFS services to fixed ports, a simple IPTABLES firewall might look like this (only the client ip.pc.client may reach portmapper, nfsd and the 4000-4003 range; everything else is logged and dropped):

    iptables -A INPUT -f -s ip.pc.client -j ACCEPT
    iptables -A INPUT -s ip.pc.client -p tcp --dport 4000:4003 -j ACCEPT
    iptables -A INPUT -s ip.pc.client -p udp --dport 4000:4003 -j ACCEPT
    iptables -A INPUT -s ip.pc.client -p udp --dport 2049 -j ACCEPT
    iptables -A INPUT -s ip.pc.client -p tcp --dport 2049 -j ACCEPT
    iptables -A INPUT -s ip.pc.client -p tcp --dport 111 -j ACCEPT
    iptables -A INPUT -s ip.pc.client -p udp --dport 111 -j ACCEPT
    iptables -A INPUT -p tcp --syn -j LOG --log-level 5
    iptables -A INPUT -p tcp --syn -j DROP
    iptables -A INPUT -p udp -j LOG --log-level 5
    iptables -A INPUT -p udp -j DROP
    

    You can preserve this with the command iptables-save and restore it with iptables-restore.

    With IPCHAINS the equivalent commands are:

    ipchains -A input -f -j ACCEPT -s ip.pc.client
    ipchains -A input -s ip.pc.client -d 0/0 4000:4003 -p 6 -j ACCEPT
    ipchains -A input -s ip.pc.client -d 0/0 4000:4003 -p 17 -j ACCEPT
    ipchains -A input -s ip.pc.client -d 0/0 2049 -p 17 -j ACCEPT
    ipchains -A input -s ip.pc.client -d 0/0 2049 -p 6 -j ACCEPT
    ipchains -A input -s ip.pc.client -d 0/0 111 -p 6 -j ACCEPT
    ipchains -A input -s ip.pc.client -d 0/0 111 -p 17 -j ACCEPT
    ipchains -A input -s 0/0 -d 0/0 -p 6 -j DENY -y -l
    ipchains -A input -s 0/0 -d 0/0 -p 17 -j DENY -l
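
As an added check (not part of the original article), this POSIX sh script compares what rpcinfo -p reports against the ports pinned above, so you can confirm the daemons really came up on 111, 2049 and 4000 through 4003 before the firewall rules go live. The rpcinfo output embedded in it is constructed, and NFS_PORT_MAP, expected_port and check_rpc_ports are names of my own.

```shell
#!/bin/sh
# Service -> pinned port, matching the values used in this article.
# This is the only line to edit if you chose different ports.
NFS_PORT_MAP="portmapper:111 nfs:2049 status:4000 nlockmgr:4001 mountd:4002 rquotad:4003"

# expected_port SERVICE: prints the pinned port, or nothing if SERVICE is not mapped.
expected_port() {
    for entry in $NFS_PORT_MAP; do
        case "$entry" in
            "$1":*) echo "${entry#*:}"; return 0 ;;
        esac
    done
}

# check_rpc_ports: reads "rpcinfo -p" output on stdin and prints one DRIFT line
# for every mapped service bound to a port other than its pinned one.
# Returns 0 when everything is pinned, 1 otherwise.
check_rpc_ports() {
    drift=$(awk 'NR > 1 && NF >= 5 { print $5, $3, $4 }' | sort -u |
        while read -r svc proto port; do
            want=$(expected_port "$svc")
            [ -z "$want" ] && continue
            [ "$port" = "$want" ] || echo "DRIFT $svc/$proto on $port (expected $want)"
        done)
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Constructed rpcinfo -p output (not captured from a real host): every service is
# pinned except rquotad, which came up on a random port, as it would if it were
# started before /etc/services got its rquotad 4003 lines.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    3   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    3   tcp   4002  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100011    1   udp  32768  rquotad'

# On a live server run:  rpcinfo -p | check_rpc_ports
printf '%s\n' "$SAMPLE_RPCINFO" | check_rpc_ports || echo "some NFS services are not on their pinned ports"
```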
    

Copyright © 1996 through 2008 by Charles Curley
Last Modified: 24 Feb, 2008