IPFILTER and NFS
Erik Nørgaard
norgaard at locolomo.org
Sun Apr 3 04:04:56 PDT 2005
Matt Juszczak wrote:
> Howdy,
>
> Trying to get IPFILTER and NFS working. A google search didn't show
> much about my specific issue. With ipfilter working, nfs initially
> works, until someone tries to login. Then it stops working. With my
> firewall down on the NFS-CLIENT machine, it works fine. Any ideas?
>
> It appears to be an issue with random ports....
It is. NFS is an RPC service where the RPC daemon is asked for
info on which port mountd binds to. I wrote a howto for diskless
clients, www.daemonsecurity.com/pxe/ - here's what to do:
Enable nfs in /etc/rc.conf:
rpcbind_enable="YES" # Run the portmapper service (YES/NO).
nfs_server_enable="YES" # This host is an NFS server (or NO).
mountd_enable="YES" # Run mountd (or NO).
mountd_flags="-r -p 59" # Force mountd to bind on port 59
As a minimum you need to enable rpcbind, nfs_server and mountd. lockd and
statd provide file locking and status monitoring. By default, when
mountd starts it binds to some arbitrary port, and rpc is used to
discover which, making it impossible to firewall. With option '-p' mountd
can be forced to bind to a specific port. Port 59 is assigned to "any
private file service" (see /etc/services).
This limits the number of ports relevant to 59, 111 and 2049. You can't
force lockd and statd to bind to specific ports (they are also RPC
services) and AFAIK you can't have disk quotas work correctly because of
this.
AFAIK NFS4 should address these problems, but the NFS4 server is still
experimental.
Till then, RPC is a security nightmare.
Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
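An added check, not part of the thread above: parse the text output of `rpcinfo -p` on the NFS server and list every registered RPC service that is not on one of the three ports the reply says a firewall can be limited to (59 for mountd, 111 for rpcbind, 2049 for nfsd). The rpcinfo sample is constructed for illustration; on a real host it would come from running the command.

```python
"""Audit rpcbind registrations against a fixed-port firewall policy.

Parses the text format of `rpcinfo -p` and reports every RPC service that
is not on a port the firewall is expected to allow. The sample input below
is constructed, not taken from the original post.
"""
import re
from collections import defaultdict

# Ports the reply says are enough once mountd is pinned with "-p 59":
# mountd (59), rpcbind (111), nfsd (2049).
FIXED_PORTS = {59, 111, 2049}

# Constructed `rpcinfo -p` output (hypothetical ports for lockd/statd,
# which rpcinfo lists under the names nlockmgr and status).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp     59  mountd
    100005    3   tcp     59  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    870  nlockmgr
    100024    1   udp    872  status
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return a list of (service, proto, port) tuples from `rpcinfo -p` text."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and blank lines do not match and are skipped
            _prog, _vers, proto, port, service = m.groups()
            entries.append((service, proto, int(port)))
    return entries


def unfirewallable(entries, allowed=FIXED_PORTS):
    """Map service name -> sorted ports for services outside the allowed set."""
    found = defaultdict(set)
    for service, _proto, port in entries:
        if port not in allowed:
            found[service].add(port)
    return {svc: sorted(ports) for svc, ports in found.items()}


if __name__ == "__main__":
    for svc, ports in unfirewallable(parse_rpcinfo(SAMPLE_RPCINFO)).items():
        print(f"{svc}: on port(s) {ports}, outside {sorted(FIXED_PORTS)}")
```

With the sample, only nlockmgr and status are reported, which matches the reply's point that lockd and statd cannot be pinned to a fixed port.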