On Wed, 2007-11-14 at 11:52 -0800, Tom Eastep wrote:
> Karsten Bräckelmann wrote:
> > On Wed, 2007-11-14 at 09:16 -0800, Tom Eastep wrote:
> > it is the least painful
> > strategy to simply allow all UDP traffic (in both directions) between the
> >
> > That depends on your definition of "painful". For me, opening all UDP
> > ports is more painful than spending a couple minutes configuring the
> > server. :)
> >
> > See http://shorewall.net/ports.htm#NFS , which hints to my documentation
> > and rules for "pinning down NFS". That way, you can restrict NFS to a
> > few fixed ports only, instead of opening everything.
>
> Just so we're all on the same page -- Karsten's documentation is specific to
> Redhat/Fedora so it will probably also work for CentOS.

And Mandriva. :)

> It is not directly
> applicable to other distributions. As a consequence, for me opening all UDP
> ports is less painful than spending the time necessary to translate
> Karsten's instructions into something that will work on one of the
> distributions that I run.

Out of curiosity, I just checked the relevant init files and had a quick
look at a Debian powered server. It appears the necessary settings can be
easily translated directly to Debian. For reference, see my previously
mentioned rules and their documentation [1]. However, do note that I did
NOT test the Debian specific instructions below.

Setting specific ports for rpc.statd and rpc.mountd needs to be done when
starting the daemons. The Debian way is to provide these along with the -p
switch in $STATDOPTS and $RPCMOUNTDOPTS in the /etc/default conf files
(nfs-common and nfs-kernel-server respectively).

Pinning down rpc.lockd is done using sysctl, and adding two lines like
these to /etc/sysctl.conf does the trick:

  fs.nfs.nlm_tcpport = $LOCKD_TCPPORT
  fs.nfs.nlm_udpport = $LOCKD_UDPPORT

The difference between the RH and Debian styles is that Debian keeps these
settings in separate files and specifically needs the switches, whereas in
the RH style world the init script sources a single conf file holding fine
grained variables and the init script itself takes care of adding all the
switches.

Somewhere during my looking at init scripts and conf files I stumbled
across a handy reference that pretty much suggests the above, too.

  http://wiki.debian.org/?SecuringNFS

It even starts with the topic of being firewall friendly, and specifically
includes a Shorewall section for setting up the firewall rules. :)

> And, of course, using your firewall as a local NFS server is not the world's
> best idea from the point of view of security but I confess that I do it
> myself.

Tom, unfortunately I do not have a SuSE server at hand to have a look at
its specific flavor. ;)

  karsten

[1] http://lists.shorewall.net/~kb/

-- 
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
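The Debian pinning steps described in the message above, gathered into one script as an added example (this is not Karsten's rules from [1], nor anything from the Debian wiki or Shorewall's documentation). It prints the /etc/default and sysctl fragments, emits Shorewall rules that admit only portmapper, nfsd and the three pinned ports instead of "all UDP", and includes a check that reads `rpcinfo -p` output and flags any of statd, mountd or lockd still sitting on an unpinned port. The port numbers, the `loc` zone name and the two `rpcinfo -p` samples are assumed or constructed; the Debian variable names (`STATDOPTS`, `RPCMOUNTDOPTS`) and the sysctl keys are the ones the message names.

```shell
#!/bin/sh
# Added example: pin NFS helper daemons to fixed ports on Debian and match
# them with Shorewall rules. All port numbers are assumptions; choose free ones.
STATD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
NFS_CLIENT_ZONE=loc   # assumed Shorewall zone holding the NFS clients

# Lines for /etc/default/nfs-common and /etc/default/nfs-kernel-server;
# Debian hands these verbatim to rpc.statd and rpc.mountd (-p = listen port).
nfs_default_fragments() {
    printf '# /etc/default/nfs-common\nSTATDOPTS="-p %s"\n' "$STATD_PORT"
    printf '# /etc/default/nfs-kernel-server\nRPCMOUNTDOPTS="-p %s"\n' "$MOUNTD_PORT"
}

# Lines for /etc/sysctl.conf; lockd picks them up when its module is loaded,
# so set them before the first NFS mount/export, not after.
nfs_sysctl_fragment() {
    printf 'fs.nfs.nlm_tcpport = %s\n' "$LOCKD_TCPPORT"
    printf 'fs.nfs.nlm_udpport = %s\n' "$LOCKD_UDPPORT"
}

# /etc/shorewall/rules lines: ACTION SOURCE DEST PROTO DEST-PORT(S).
# Only portmapper (111), nfsd (2049) and the pinned ports are opened.
shorewall_nfs_rules() {
    printf 'ACCEPT\t%s\t$FW\ttcp\t111,2049,%s,%s,%s\n' \
        "$NFS_CLIENT_ZONE" "$STATD_PORT" "$MOUNTD_PORT" "$LOCKD_TCPPORT"
    printf 'ACCEPT\t%s\t$FW\tudp\t111,2049,%s,%s,%s\n' \
        "$NFS_CLIENT_ZONE" "$STATD_PORT" "$MOUNTD_PORT" "$LOCKD_UDPPORT"
}

# Verification: pipe `rpcinfo -p` output in. Exit 0 when every registration
# of status, mountd and nlockmgr is on its pinned port, 1 (with a message)
# when some daemon is still on a dynamic port the rules would not admit.
check_rpcinfo() {
    awk -v statd="$STATD_PORT" -v mountd="$MOUNTD_PORT" \
        -v ltcp="$LOCKD_TCPPORT" -v ludp="$LOCKD_UDPPORT" '
        $1 !~ /^[0-9]+$/ { next }   # skip the header line
        $5 == "status"   && $4 != statd  { bad = 1; print "status on unpinned port " $4 }
        $5 == "mountd"   && $4 != mountd { bad = 1; print "mountd on unpinned port " $4 }
        $5 == "nlockmgr" && $3 == "tcp" && $4 != ltcp { bad = 1; print "nlockmgr/tcp on unpinned port " $4 }
        $5 == "nlockmgr" && $3 == "udp" && $4 != ludp { bad = 1; print "nlockmgr/udp on unpinned port " $4 }
        END { exit (bad ? 1 : 0) }'
}

# Constructed rpcinfo -p samples: one server pinned as above, one left at
# the distribution defaults where statd, lockd and mountd pick random ports.
SAMPLE_RPCINFO_PINNED='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    4   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    3   tcp   4002  mountd
    100003    3   tcp   2049  nfs'

SAMPLE_RPCINFO_DEFAULT='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp  32768  status
    100021    1   udp  32769  nlockmgr
    100005    1   udp  32770  mountd
    100003    3   tcp   2049  nfs'

# Stand-alone run: show the fragments, then check both samples.
nfs_default_fragments; nfs_sysctl_fragment; shorewall_nfs_rules
printf '%s\n' "$SAMPLE_RPCINFO_PINNED"  | check_rpcinfo && echo "pinned sample: OK"
printf '%s\n' "$SAMPLE_RPCINFO_DEFAULT" | check_rpcinfo || echo "default sample: unpinned ports found"
```

On a live server, run `rpcinfo -p | check_rpcinfo` after restarting nfs-common and nfs-kernel-server; if lockd still reports a dynamic port, the sysctl values were applied after the lockd module had already loaded, and a reboot (or unloading and reloading the module with no NFS mounts active) is needed before the firewall rules will match.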