> What ports on a machine need to be opened in order to export and/or import NFS mounts?
All implementations of NFS use a fixed port number (2049). This is used so that an NFS client does NOT have to perform a portmapper query (port 111). Unfortunately NFS relies upon some other services for mounting, file locking etc. that must use the portmapper.

The second unusual behavior of NFS is that clients usually use privileged ports (< 1024). But even more unfortunately there are some implementations that use unprivileged ones above 1023.

NFS uses UDP by default, which can easily be spoofed; please switch it to TCP instead.

So you need the following rules (either in ipchains or iptables, but better use OpenBSD's pf...):

Direction  Source  Dest  Protocol  sport   dport   ACK set (not UDP)  descr
in         ext     int   UDP/TCP   >1023   111     -                  portmapper request to your server
out        int     ext   UDP/TCP   111     >1023   x                  portmapper response from you
in         ext     int   UDP/TCP   <1024*  2049    -                  nfs request to your server
out        int     ext   UDP/TCP   2049    <1024*  x                  and the response
out        int     ext   UDP/TCP   >1023   111     -                  your request to other portmapper
in         ext     int   UDP/TCP   111     >1023   x                  and his response
out        int     ext   UDP/TCP   <1024*  2049    -                  request to external nfs
in         ext     int   UDP/TCP   2049    <1024*  x                  and the response

* for clients that use unprivileged ports use > 1023 instead.

And please make sure that your exports are mapped to the right user (hopefully read-only exports only).

Sincerely,
Olli
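An added example, not from Olli's post, that turns the table above into iptables commands for a single host, TCP only as the post recommends. The external interface name (eth0) and the privileged/unprivileged switch for the client source-port range are assumptions.

```shell
# Added example: print iptables rules implementing the NFS table above for
# one host, TCP only. The external interface name is an assumption.
EXT_IF="${EXT_IF:-eth0}"

# Source-port range the NFS client uses: most use privileged ports (<1024),
# some implementations use unprivileged ones (>1023), see the footnote.
client_port_range() {
    case "$1" in
        privileged)   echo "1:1023" ;;
        unprivileged) echo "1024:65535" ;;
        *) echo "client_port_range: want privileged|unprivileged" >&2; return 1 ;;
    esac
}

# Emit a request rule and its matching response rule.
# $1: "in" if we are the server, "out" if we are the client
# $2: source-port range of the request   $3: destination port of the request
# The response rule requires ACK already set ("! --syn"), which is the
# iptables spelling of the table's "ACK set" column.
rule_pair() {
    if [ "$1" = "in" ]; then
        req="INPUT -i $EXT_IF";  rsp="OUTPUT -o $EXT_IF"
    else
        req="OUTPUT -o $EXT_IF"; rsp="INPUT -i $EXT_IF"
    fi
    echo "iptables -A $req -p tcp --sport $2 --dport $3 -j ACCEPT"
    echo "iptables -A $rsp -p tcp --sport $3 --dport $2 ! --syn -j ACCEPT"
}

# $1: server|client   $2: privileged|unprivileged
nfs_rules() {
    cp=$(client_port_range "$2") || return 1
    case "$1" in
        server) d=in;  udp="INPUT -i $EXT_IF" ;;
        client) d=out; udp="OUTPUT -o $EXT_IF" ;;
        *) echo "nfs_rules: want server|client" >&2; return 1 ;;
    esac
    echo "# portmapper (111): still needed for mount, locking, etc."
    rule_pair "$d" 1024:65535 111
    echo "# NFS itself on its fixed port 2049"
    rule_pair "$d" "$cp" 2049
    echo "# UDP is easily spoofed: refuse NFS over UDP so only TCP mounts work"
    echo "iptables -A $udp -p udp --dport 2049 -j DROP"
}

# Usage: generate the server-side rules, review them, then run them as root
nfs_rules server privileged
```

Run it once per role (server or client) and per client port class; review the output before loading it, since the rules assume a default-deny policy on the chains.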