Good afternoon, Dave,
        (Quick disclaimer - the following is based on watching the packet
traffic through a firewall, _not_ on a comprehensive understanding of the
NFS protocols.  Some of the following may be incorrect or inappropriate
for you.  I truly welcome corrections.)

On Fri, 19 Feb 1999, Dave Wreski wrote:

> Hi all.  I'm sure you'll probably think I'm crazy, but I'd like to assess the
> risks involved in allowing NFS thru an internal firewall.

        I won't cover the risks here - I'm sure others will offer their
experience.

> In order to do this, I'm interested in exactly which ports are required to be
> opened in order to pass NFS thru a firewall.
> 
> I understand NFS uses both UDP and TCP, as well as RPC.  I also understand
> there is a way under Solaris to tune the UDP ports that it uses?

        Getting the ports right on a firewall for NFS is pretty annoying.
I had to get NFS working through a firewall recently - the experience was
frustrating.
        Remember that RPC is nothing more than connecting to port 111 (tcp
or udp) and asking the portmapper listening on 111 "on which port can the
'mount', 'nfs' or 'whatever' service be found?".
        - Get your NFS server running on the server machine.  Use "rpcinfo
-p localhost" to find out what ports are being used for rpcbind (aka
sunrpc), mount, and NFS.  On my Linux systems these are 111, 635, and 2049
respectively.  I cheated and put these into /etc/services on the firewall
machine.  While the sunrpc mechanism makes it possible for these ports to
change, I never saw the ports change from 111, 635, and 2049.
        - I compiled a list of client ports used to connect to the
respective server ports.  These may not match up with what you find - and
may not even match what the RFCs say - but work for my network of RedHat
and Caldera Linux machines:

Client port             Server port             Name
600:1023/tcp            111/tcp                 Sunrpc
600:1023/udp            111/udp                 Sunrpc
600:1023/tcp            635/tcp                 Mount
600:1023/udp            635/udp                 Mount
760:800/tcp*            2049/tcp                NFS
600:1023/udp            2049/udp                NFS

* Starts at 800 and works its way down, but reuses ports, so that
760-800 worked well for this site.

        With the exception that the client ports were a range of ports
below 1024 and the fact that multiple server ports are involved, nfs uses
the standard concept of "client connects to server from a client port
range to a generally fixed server port".
        You'll probably need to open up both udp and tcp sunrpc.  I found
that for a given client-server connection, either udp _or_ tcp was used
for mount.  Similarly, either udp _or_ tcp was used for nfs.  On linux,
the choice of nfs/tcp or nfs/udp is a mount time option.  A given nfs
server might support only udp or tcp but not both - the rpcinfo command
above should tell you which is/are supported.

        If you choose to use Linux for a firewall, you might want to try
out Mason.  Mason knows about the client and server port quirks for NFS
and handles them appropriately.  Mason can create a firewall on the
client, the server, and/or any router between them.  Even if you have an
almost finished firewall and just need to have the NFS rules, Mason can
spit out those rules for you.
        I hope this helps.  Cheers,
        - Bill

---------------------------------------------------------------------------
Unix _is_ user friendly.  It's just very selective about who its friends 
are.  And sometimes even best friends have fights.
William Stearns ([EMAIL PROTECTED])
Mason, Buildkernel, and named2hosts are at: http://www.pobox.com/~wstearns
---------------------------------------------------------------------------
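Bill's point that RPC is "just asking the portmapper on 111" can be seen on the wire. The following is an added example, not code from the original post nor from Mason: it encodes the PMAPPROC_GETPORT call (portmapper program 100000, version 2, procedure 3, as in RFC 1057 / RFC 1833) that a client sends in one UDP datagram to port 111, and decodes the reply. The reply it parses is constructed here to match the Linux numbers in the mail (mountd on 635); the `query_portmapper` function that sends a real datagram is only shown, not run. Program numbers 100000, 100005 and 100003 are the standard assignments for portmapper, mountd and nfs.

```python
"""Portmapper GETPORT exchange: what a client sends to 111/udp and what comes back."""
import os
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17
RPC_CALL, RPC_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
AUTH_NULL = 0

# Standard RPC program numbers for the three services in the port table.
PROGRAMS = {"portmapper": 100000, "mountd": 100005, "nfs": 100003}


def build_getport_call(xid, prog, vers, proto):
    """Encode a PMAPPROC_GETPORT call: 'on which port is (prog, vers, proto)?'.

    Layout (all big-endian 32-bit words): RPC call header, AUTH_NULL credentials,
    AUTH_NULL verifier, then the mapping argument with the port field ignored.
    """
    return struct.pack(
        "!IIIIII" "II" "II" "IIII",
        xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT,  # xid, CALL, rpcvers, prog, vers, proc
        AUTH_NULL, 0,                                              # cred: flavor, empty body
        AUTH_NULL, 0,                                              # verf: flavor, empty body
        prog, vers, proto, 0,                                      # mapping: prog, vers, prot, port
    )


def build_getport_reply(xid, port):
    """Encode the success reply a portmapper sends (used here to construct a sample)."""
    return struct.pack("!IIIIIII", xid, RPC_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS, port)


def parse_getport_reply(data, expected_xid):
    """Decode a GETPORT reply and return the port; 0 means the service is not registered."""
    if len(data) < 28:
        raise ValueError("short portmapper reply")
    xid, msg_type, reply_stat = struct.unpack("!III", data[:12])
    if xid != expected_xid:
        raise ValueError("xid mismatch: got %#x, expected %#x" % (xid, expected_xid))
    if msg_type != RPC_REPLY:
        raise ValueError("not an RPC reply")
    if reply_stat != MSG_ACCEPTED:
        raise ValueError("call rejected (reply_stat=%d)" % reply_stat)
    verf_flavor, verf_len = struct.unpack("!II", data[12:20])
    off = 20 + ((verf_len + 3) & ~3)          # verifier body is padded to a 4-byte boundary
    accept_stat, port = struct.unpack("!II", data[off:off + 8])
    if accept_stat != SUCCESS:
        raise ValueError("call not successful (accept_stat=%d)" % accept_stat)
    return port


def query_portmapper(host, prog, vers, proto, timeout=2.0):
    """Ask the portmapper on host:111/udp for (prog, vers, proto). Needs a network; not run here."""
    xid = struct.unpack("!I", os.urandom(4))[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getport_call(xid, prog, vers, proto), (host, 111))
        data, _ = s.recvfrom(512)
    return parse_getport_reply(data, xid)


if __name__ == "__main__":
    xid = 0x19990219
    call = build_getport_call(xid, PROGRAMS["mountd"], 1, IPPROTO_UDP)
    print("client -> 111/udp:", call.hex())
    # Constructed reply: what a portmapper answers when mountd v1/udp is on 635.
    reply = build_getport_reply(xid, 635)
    print("111/udp -> client:", reply.hex())
    print("mountd v1/udp listens on port", parse_getport_reply(reply, xid))
```

Only the GETPORT lookup needs the firewall to pass 111; the mount and nfs traffic that follows goes to whatever port the reply names, which is why a static rule set has to assume those ports stay put, as Bill observed they did.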



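The procedure Bill describes (run `rpcinfo -p` on the server, read off the ports for sunrpc, mount and nfs, then write one rule per client-range/server-port pair) can be scripted so the rules are regenerated whenever the ports move. This is an added example, not code from the original post or from Mason: the `rpcinfo -p` output is a constructed sample, the rules are modern iptables FORWARD rules with connection tracking rather than the ipchains rules of the time, the client range 600:1023 is the one from the table above (the narrower 760:800 for nfs/tcp was one site's observation, so the broader range is used for all), and `client_net` / `server_ip` are placeholders.

```python
"""Turn `rpcinfo -p` output into firewall rules for the sunrpc/mount/nfs port pairs."""
import re

# Constructed sample of `rpcinfo -p localhost` on a Linux NFS server; real output differs.
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp   1026  nlockmgr
"""

# Only the three services the mail covers; other registrations (nlockmgr, status) are ignored.
WANTED = {"portmapper", "mountd", "nfs"}
# Ports the mail saw on Linux; used to warn when a server has moved off them.
EXPECTED_PORTS = {"portmapper": 111, "mountd": 635, "nfs": 2049}
CLIENT_PORTS = "600:1023"  # privileged source-port range used by the clients in the table

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return a sorted list of (name, proto, port) for wanted services, versions collapsed."""
    found = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or blank line
        _prog, _vers, proto, port, name = m.groups()
        if name in WANTED:
            found.add((name, proto, int(port)))
    return sorted(found)


def changed_ports(services, expected=EXPECTED_PORTS):
    """List (name, proto, actual, expected) for services not on the port the rules assume."""
    return sorted((n, p, port, expected[n]) for n, p, port in services if port != expected[n])


def iptables_rules(services, client_net, server_ip, client_ports=CLIENT_PORTS):
    """One rule per protocol/port pair: client range -> fixed server port; replies via conntrack.

    A service rpcinfo lists only over udp (or only tcp) gets only that rule, matching the
    observation that a given server may support one transport but not the other.
    """
    rules = ["iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for name, proto, port in services:
        rules.append(
            "iptables -A FORWARD -p %s -s %s --sport %s -d %s --dport %d "
            "-m state --state NEW -j ACCEPT  # %s" % (proto, client_net, client_ports, server_ip, port, name)
        )
    return rules


if __name__ == "__main__":
    services = parse_rpcinfo(RPCINFO_SAMPLE)
    for moved in changed_ports(services):
        print("# WARNING: %s/%s is on %d, not %d; regenerate rules after every restart" % moved)
    for rule in iptables_rules(services, "10.1.0.0/24", "10.1.1.5"):
        print(rule)
```

The `changed_ports` check is the guard the mail hints at: sunrpc allows mountd's port to change, so the generated rules are only as good as the last `rpcinfo -p` they were built from.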