[TriLUG] NFS using firewalls

Jon Carnes jonc at nc.rr.com
Mon Dec 16 12:45:07 EST 2002


You're not the only one with NFS problems recently so I thought I should
republish this link:
  http://nfs.sourceforge.net/

This link in particular is for you Roy:
  http://nfs.sourceforge.net/nfs-howto/security.html#FIREWALLS

===
Some of the daemons involved in sharing data via nfs are already bound
to a port. portmap is always on port 111 tcp and udp. nfsd is always on
port 2049 TCP and UDP (however, as of kernel 2.4.17, NFS over TCP is
considered experimental and is not for use on production machines).

The other daemons, statd, mountd, lockd, and rquotad, will normally move
around to the first available port they are informed of by the
portmapper.

To force statd to bind to a particular port, use the -p portnum option.
To force statd to respond on a particular port, additionally use the -o
portnum option when starting it.

To force mountd to bind to a particular port use the -p portnum option.

For example, to have statd broadcast on port 32765 and listen on port
32766, and mountd listen on port 32767, you would type:

# statd -p 32765 -o 32766
# mountd -p 32767

lockd is started by the kernel when it is needed. Therefore you need to
pass module options (if you have it built as a module) or kernel options
to force lockd to listen and respond only on certain ports.

If you are using loadable modules and you would like to specify these
options in your /etc/modules.conf file add a line like this to the file:

options lockd nlm_udpport=32768 nlm_tcpport=32768

The above line would specify the udp and tcp port for lockd to be 32768.

===

NFS is a lot of fun, but when it comes to mounting remote drives through
a firewall I think there are much better ways (such as mounting them via
FTP).  Good Luck Roy!

Jon Carnes

On Mon, 2002-12-16 at 12:20, Roy Vestal wrote:
> I have 2 pc's that I want to connect using NFS. Both are on a home network, both behind the same firewall. I had to stop iptables to get it to allow the connection (thanks Kevin!).
> 
> I know the server port is 2049 and the client port 800, but I'm not sure how to get iptables to allow the connection. 
> 
> Also, do I need to worry about portmapper and iptables?
> 
> I'm running RHL 8.0 on both and I tried using lokkit, adding both ports but it didn't do it.
> 
> Any suggestions?
> 
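
Added example (shell; not from Jon's post, the NFS HOWTO, or the TriLUG list): once the helper daemons are pinned as described above (statd -p 32765 -o 32766, mountd -p 32767, lockd nlm_udpport/nlm_tcpport=32768), the firewall only has to admit a fixed set of ports. This script prints the matching iptables rules restricted to the LAN and checks `rpcinfo -p` output to confirm every registered RPC service actually landed on an allowed port, which catches a daemon that ignored its pin or, like rquotad, was never pinned at all. The LAN address 192.168.1.0/24 and the rpcinfo listing are constructed; the port numbers are the ones from the post. Rules are printed for review, not applied.

```shell
#!/bin/sh
# Added example, not code from the TriLUG post or the NFS HOWTO.
# Assumes the daemons were pinned as in the post; the LAN range and the
# rpcinfo listing below are constructed sample values.

LAN_NET="${LAN_NET:-192.168.1.0/24}"                 # constructed; set to your LAN
ALLOWED_PORTS="111 2049 32765 32766 32767 32768"     # portmap, nfsd, statd, mountd, lockd

# Print iptables rules admitting only the pinned NFS ports from the LAN.
# Printed rather than applied so they can be reviewed (or piped to sh).
# They assume the INPUT chain's default policy is DROP.
nfs_firewall_rules() {
    lan="$1"
    for port in $ALLOWED_PORTS; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -s $lan -p $proto --dport $port -j ACCEPT"
        done
    done
    echo "# anything else on these ports relies on the INPUT chain's default DROP policy"
}

# Read 'rpcinfo -p' output on stdin and print "service proto port" for every
# registration whose port is not in ALLOWED_PORTS. An empty result means the
# firewall rules above cover everything the portmapper is advertising.
unpinned_services() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # data lines have 5 fields: program vers proto port service
        NF >= 5 && $4 ~ /^[0-9]+$/ && !($4 in ok) { print $5, $3, $4 }
    '
}

# Constructed 'rpcinfo -p' sample: every pinned daemon is where we expect,
# but rquotad (not pinned in the post) picked a dynamic port.
SAMPLE_RPCINFO=$(cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100021    1   udp  32768  nlockmgr
    100021    1   tcp  32768  nlockmgr
    100003    2   udp   2049  nfs
    100011    1   udp   1018  rquotad
EOF
)

echo "# firewall rules for $LAN_NET:"
nfs_firewall_rules "$LAN_NET"
echo "# RPC services registered outside the allowed port set (constructed sample):"
printf '%s\n' "$SAMPLE_RPCINFO" | unpinned_services
```

On a real server, replace the constructed sample with `rpcinfo -p | unpinned_services`. Any line it prints is a service a client would need that the rules above would silently block; either pin that daemon too (rquotad can be disabled if quotas are not exported) or add its port to ALLOWED_PORTS.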
