Thanks for the detailed explanation. I installed the server on one system and the client on another. They work and talk to each other. I made my user uids the same on all systems (I've done NFS before on VMS <G>) and started them at 100 so that matches.
Right now I have a Gnatbox hardware firewall (the GB-1000) and it should have those ports masked, but I'll check. I'm planning sometime to make one of my boxes a firewall and replace the Gnatbox. Thanks again.

On Saturday 20 December 2003 02:27, you wrote:
> On Friday 19 December 2003 18:17, Andrew Gaffney wrote:
> > Brett I. Holcomb wrote:
> > > I want to set up NFS on my systems so I checked the NFS How-to.
> > > However, it's dated 8/2002 so I'm wondering how far out of date it is
> > > as far as security setup, etc. Do we need to worry about hosts.allow
> > > and hosts.deny or does PAM handle that now? I built NFS into the kernel and
> > > assume all I have to do is install the utilities and then set up the
> > > machines as servers with the exports, etc. Are there any Gentoo
> > > specific guides for NFS (I didn't see any in the docs)?
> >
> > AFAIK, there is no user authentication in NFS, so PAM never comes into
> > the picture. You are limited to allowing and restricting by host/IP only,
> > which is where the "insecure" part comes in.
>
> The existing howto is still pretty much on target. Just set up exports,
> hosts.deny, and hosts.allow and start the appropriate NFS server and client
> daemons and portmapper. You need to ensure that uids match up for userids
> on each system, or you won't have much luck. Gentoo (why?) likes to start
> userids at uid=1000, whereas SUSE and others start users at uid=500. I
> changed my gentoo ids to start at 500, which meant finding/trashing a
> number of /tmp/... entries before gnome/kde would start again. Also, I
> have one work directory that is writable from both systems, so I made this
> owned by nobody/nogroup for ease of use.
>
> Don't forget about your firewalls (you do have them?). I just finished a
> setup for my two local LAN systems (this one is SUSE 9.0, the other is
> gentoo). I use Shorewall on the gentoo system, and the sample entries I
> found on the Shorewall site were right on except for one little wrinkle.
> I'm not sure whether this is SUSE specific or something added to NFS
> recently (found no answers via google).
>
> NFS typically uses ports 111 (tcp and udp), 2049 (udp), and high-end ports
> 32700... (udp). So, I fixed up my shorewall rules accordingly. When I did
> an NFS mount from my gentoo system of a directory exported on the SUSE
> system, I found that the SUSE system issued requests on port 744 (udp).
> According to the standards this is reserved for Flexible License Manager.
> So, I had to add 744 (udp) to my Shorewall rules.
>
> fwiw, here are the rules. You'll need to do your own conversion to
> iptables if not using Shorewall.
>
> # outbound NFS
> ACCEPT fw net:192.168.0.4 udp 111
> ACCEPT fw net:192.168.0.4 tcp 111
> ACCEPT fw net:192.168.0.4 udp 744
> ACCEPT fw net:192.168.0.4 udp 2049
> ACCEPT fw net:192.168.0.4 udp 32700:
> # inbound NFS
> ACCEPT net:192.168.0.4 fw udp 111
> ACCEPT net:192.168.0.4 fw tcp 111
> ACCEPT net:192.168.0.4 fw udp 744
> ACCEPT net:192.168.0.4 fw udp 2049
> ACCEPT net:192.168.0.4 fw udp 32700:
>
>
> HTH.

--
[EMAIL PROTECTED] mailing list
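The quoted message leaves the conversion of its Shorewall rules to iptables as an exercise. The script below is an added example, not code from either poster or from the Shorewall project: it parses the five-column "ACTION SOURCE DEST PROTO DEST_PORT" lines quoted above (embedded here as constructed input) and emits the equivalent iptables commands, mapping "fw -> net:HOST" rules onto the OUTPUT chain and "net:HOST -> fw" rules onto INPUT, and expanding Shorewall's open-ended "32700:" port range into the explicit "32700:65535" that iptables expects. The emitted rules only add ACCEPTs for the single NFS peer, so they assume the chains already have a DROP default policy; with no state tracking, the two directions quoted in the thread are both needed for a mount to work.

```python
"""Convert Shorewall-style firewall rule lines into iptables commands.

Added example for the NFS thread; the rule text below is a constructed
copy of the rules quoted in the message, not anything read from a host.
"""
import re
from typing import List, Optional, Tuple

SHOREWALL_RULES = """\
# outbound NFS
ACCEPT fw net:192.168.0.4 udp 111
ACCEPT fw net:192.168.0.4 tcp 111
ACCEPT fw net:192.168.0.4 udp 744
ACCEPT fw net:192.168.0.4 udp 2049
ACCEPT fw net:192.168.0.4 udp 32700:
# inbound NFS
ACCEPT net:192.168.0.4 fw udp 111
ACCEPT net:192.168.0.4 fw tcp 111
ACCEPT net:192.168.0.4 fw udp 744
ACCEPT net:192.168.0.4 fw udp 2049
ACCEPT net:192.168.0.4 fw udp 32700:
"""

# Only the three Shorewall actions with a direct iptables target are handled.
ACTIONS = {"ACCEPT": "ACCEPT", "DROP": "DROP", "REJECT": "REJECT"}


def parse_endpoint(token: str) -> Tuple[str, Optional[str]]:
    """'fw' -> ('fw', None); 'net:192.168.0.4' -> ('net', '192.168.0.4')."""
    if token == "fw":
        return "fw", None
    zone, sep, addr = token.partition(":")
    if not sep or not addr:
        raise ValueError(f"endpoint {token!r} must be 'fw' or zone:address")
    return zone, addr


def port_spec(port: str) -> str:
    """Shorewall '32700:' means 32700 and up; iptables needs an explicit upper bound."""
    if re.fullmatch(r"\d+", port):
        return port
    m = re.fullmatch(r"(\d+):(\d*)", port)
    if not m:
        raise ValueError(f"unsupported port spec {port!r}")
    low, high = m.group(1), m.group(2) or "65535"
    return f"{low}:{high}"


def convert_rule(line: str) -> str:
    """Translate one 'ACTION SOURCE DEST PROTO DEST_PORT' line to an iptables command."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 columns, got {len(fields)}: {line!r}")
    action, src, dst, proto, port = fields
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    src_zone, src_addr = parse_endpoint(src)
    dst_zone, dst_addr = parse_endpoint(dst)
    # Traffic originating on the firewall host itself leaves via OUTPUT;
    # traffic addressed to it arrives via INPUT. Forwarded traffic is out of scope.
    if src_zone == "fw" and dst_zone != "fw":
        chain, addr_flag, addr = "OUTPUT", "-d", dst_addr
    elif dst_zone == "fw" and src_zone != "fw":
        chain, addr_flag, addr = "INPUT", "-s", src_addr
    else:
        raise ValueError(f"only fw<->host rules are handled: {line!r}")
    return (f"iptables -A {chain} -p {proto} {addr_flag} {addr} "
            f"--dport {port_spec(port)} -j {ACTIONS[action]}")


def convert(text: str) -> List[str]:
    """Convert a whole rules file; comment lines are passed through unchanged."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            out.append(line)
            continue
        out.append(convert_rule(line))
    return out


if __name__ == "__main__":
    for cmd in convert(SHOREWALL_RULES):
        print(cmd)
```

Run it and paste the output into a script that first sets the INPUT and OUTPUT policies to DROP; the peer address and port list come straight from the quoted rules, so anything not in that list (including other hosts on the LAN) stays blocked, which is the host/IP-only restriction the thread describes as the only access control NFS offers.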
