On Friday 19 December 2003 18:17, Andrew Gaffney wrote:
> Brett I. Holcomb wrote:
> > I want to set up NFS on my systems so I checked the NFS How-to. However,
> > it's dated 8/2002 so I'm wondering how far out of date is it as far as
> > security setup, etc. Do we need to worry about hosts.allow and deny or
> > does PAM handle that now? I built NFS into the kernel and assume all I
> > have to do is install the utilities and then set up the machines as
> > servers with the exports, etc. Are there any Gentoo specific guides for
> > NFS (I didn't see any in the docs).
>
> AFAIK, there is no user authentication in NFS, so PAM never comes into the
> picture. You are limited to allowing and restricting by host/IP only, which
> is where the "insecure" part comes in.
The existing howto is still pretty much on target. Just set up exports, hosts.deny, and hosts.allow and start the appropriate NFS server and client daemons and portmapper.

You need to ensure that uids match up for userids on each system, or you won't have much luck. Gentoo (why?) likes to start userids at uid=1000, whereas SUSE and others start users at uid=500. I changed my gentoo ids to start at 500, which meant finding/trashing a number of /tmp/... entries before gnome/kde would start again. Also, I have one work directory that is writable from both systems, so I made this owned by nobody/nogroup for ease of use.

Don't forget about your firewalls (you do have them?). I just finished a setup for my two local lan systems (this one is SUSE 9.0, the other is gentoo). I use Shorewall on the gentoo system, and the sample entries I found on the Shorewall site were right on except for one little wrinkle. I'm not sure whether this is SUSE specific or something added to NFS recently (found no answers via google).

NFS typically uses ports 111 (tcp and udp), 2049 (udp), and high end ports 32700... (udp). So, I fixed up my shorewall rules accordingly. When I did an NFS mount from my gentoo system of a directory exported on the SUSE system, I found that the SUSE system issued requests on port 744 (udp). According to the standards this is reserved for Flexible License Manager. So, I had to add 744 (udp) to my Shorewall rules.

fwiw, here are the rules. You'll need to do your own conversion to iptables if not using Shorewall.

    # outbound NFS
    ACCEPT fw net:192.168.0.4 udp 111
    ACCEPT fw net:192.168.0.4 tcp 111
    ACCEPT fw net:192.168.0.4 udp 744
    ACCEPT fw net:192.168.0.4 udp 2049
    ACCEPT fw net:192.168.0.4 udp 32700:
    # inbound NFS
    ACCEPT net:192.168.0.4 fw udp 111
    ACCEPT net:192.168.0.4 fw tcp 111
    ACCEPT net:192.168.0.4 fw udp 744
    ACCEPT net:192.168.0.4 fw udp 2049
    ACCEPT net:192.168.0.4 fw udp 32700:

HTH.

--
Collins

--
[EMAIL PROTECTED] mailing list
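The "conversion to iptables" the reply leaves to the reader, as an added example that is not part of the original mail: a small shell function that turns Shorewall rule lines of the shape above into the equivalent iptables commands (printed, not applied). It assumes "fw" means the local host, "net:ADDR" names one peer address, and an open-ended port "N:" means N through 65535.

```shell
# Added example, not from the original mail.
# Reads Shorewall-style rules (ACTION SOURCE DEST PROTO DPORT) on stdin and
# prints one iptables command per rule. Assumptions: "fw" is this host, so
# "fw -> net:ADDR" is OUTPUT with a destination match and "net:ADDR -> fw" is
# INPUT with a source match; "N:" is expanded to the explicit range N:65535.
# Nothing is applied to the running firewall; review the output first.
shorewall_to_iptables() {
    while read -r action src dst proto port; do
        # skip blank lines and comment lines
        case "$action" in ''|'#'*) continue ;; esac
        # open-ended high-port range, e.g. "32700:" -> "32700:65535"
        case "$port" in *:) port="${port}65535" ;; esac
        if [ "$src" = fw ]; then
            # traffic originating on this host: OUTPUT chain, match peer as destination
            echo "iptables -A OUTPUT -p $proto -d ${dst#net:} --dport $port -j $action"
        elif [ "$dst" = fw ]; then
            # traffic arriving at this host: INPUT chain, match peer as source
            echo "iptables -A INPUT -p $proto -s ${src#net:} --dport $port -j $action"
        else
            echo "unsupported rule (neither side is fw): $action $src $dst $proto $port" >&2
            return 1
        fi
    done
}

# Sample input: the NFS rules from the mail, restricted to the single peer 192.168.0.4
NFS_RULES='# outbound NFS
ACCEPT fw net:192.168.0.4 udp 111
ACCEPT fw net:192.168.0.4 tcp 111
ACCEPT fw net:192.168.0.4 udp 744
ACCEPT fw net:192.168.0.4 udp 2049
ACCEPT fw net:192.168.0.4 udp 32700:
# inbound NFS
ACCEPT net:192.168.0.4 fw udp 111
ACCEPT net:192.168.0.4 fw tcp 111
ACCEPT net:192.168.0.4 fw udp 744
ACCEPT net:192.168.0.4 fw udp 2049
ACCEPT net:192.168.0.4 fw udp 32700:'

printf '%s\n' "$NFS_RULES" | shorewall_to_iptables
```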
