On Thu, 7 Nov 2002, Oliver Rompcik wrote:

> > What ports on a machine need to be opened in order to export and/or import
> > NFS mounts?
>
> All implementations of NFS use a fixed port number (2049). This is used so
> that a NFS client does NOT have to perform a portmapper query (port 111).
> Unfortunately NFS relies upon some other services for mounting, file locking
> etc. that must use the portmapper.
>
> The second abnormal behavior of NFS is that clients usually use privileged
> ports (< 1024). But even more unfortunately there are some implementations
> that use unprivileged ones above 1023.
>
> NFS uses UDP by default, which can easily be spoofed, please turn it to use
> TCP instead.
>
> So you need the following rules (either in ipchains or iptables, but better
> use OpenBSD's pf.......)
Sheesh, it does seem like one might as well run without a firewall. I knew it was more complicated than just opening the nfs service ports, but I didn't realize how much so. Thanks.

> Direction  Source  Dest  Protocol  sport    dport    ACK set (not UDP)  descr
>
> in         ext     int   UDP/TCP   >1023    111      -                  portmapper request to your server
> out        int     ext   UDP/TCP   111      >1023    x                  portmapper response from you
> in         ext     int   UDP/TCP   <1024*   2049     -                  nfs request to your server
> out        int     ext   UDP/TCP   2049     <1024*   x                  and the response
>
> out        int     ext   UDP/TCP   >1023    111      -                  your request to other portmapper
> in         ext     int   UDP/TCP   111      >1023    x                  and his response
> out        int     ext   UDP/TCP   <1024*   2049     -                  request to external nfs
> in         ext     int   UDP/TCP   2049     <1024*   x                  and the response
>
> * for clients that use unpriv. ports use > 1023 instead.
>
> And please make sure that your exports are mapped to the right user (hopefully
> read-only exports only).
>
> Sincerely,
> Olli

-- 
Matthew Saltzman
Clemson University Math Sciences
[EMAIL PROTECTED]
http://www.math.clemson.edu/~mjs

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@;redhat.com?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
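The rule table above encodes two subtleties that are easy to get wrong in a stateless filter: the "response" rows only make sense when the ACK bit is required (so the nfs or portmapper port cannot be used to open a new connection through the firewall), and that check is impossible for UDP, which is why Olli says to switch NFS to TCP. The following is an added example, not code from the post or from any firewall: it models the eight rows as data, decides whether a constructed packet would pass (assuming a default-drop policy), and renders each row as iptables commands. The interface name eth0 and the sample packets are assumptions made for the example.

```python
# Added example: a small model of the NFS rule table from the post.
# Assumptions: default policy is DROP, external interface is "eth0",
# and the packets below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIV = (1, 1023)        # privileged source ports (< 1024)
UNPRIV = (1024, 65535)  # unprivileged source ports (> 1023)


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (ext -> int) or "out" (int -> ext)
    sport: Tuple[int, int]  # inclusive source-port range
    dport: Tuple[int, int]  # inclusive destination-port range
    ack: bool               # TCP ACK bit must be set; cannot be checked for UDP
    descr: str


def rule_table(unpriv_clients: bool = False) -> List[Rule]:
    """The eight rows from the post. With unpriv_clients=True the '*' rows
    use >1023, as the footnote says for clients on unprivileged ports."""
    c = UNPRIV if unpriv_clients else PRIV
    pm, nfs = (111, 111), (2049, 2049)
    return [
        Rule("in", UNPRIV, pm, False, "portmapper request to your server"),
        Rule("out", pm, UNPRIV, True, "portmapper response from you"),
        Rule("in", c, nfs, False, "nfs request to your server"),
        Rule("out", nfs, c, True, "and the response"),
        Rule("out", UNPRIV, pm, False, "your request to other portmapper"),
        Rule("in", pm, UNPRIV, True, "and his response"),
        Rule("out", c, nfs, False, "request to external nfs"),
        Rule("in", nfs, c, True, "and the response"),
    ]


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag; meaningless for UDP


def _in_range(rng: Tuple[int, int], port: int) -> bool:
    return rng[0] <= port <= rng[1]


def decide(pkt: Packet, rules: List[Rule]) -> Optional[str]:
    """Return the description of the first matching rule, or None (dropped)."""
    for r in rules:
        if r.direction != pkt.direction:
            continue
        if not (_in_range(r.sport, pkt.sport) and _in_range(r.dport, pkt.dport)):
            continue
        # A "response" row must not let a fresh TCP connection through:
        # without ACK the packet is a SYN, i.e. somebody opening a session
        # from the nfs/portmapper port. UDP has no flag to check.
        if r.ack and pkt.proto == "tcp" and not pkt.ack:
            continue
        return r.descr
    return None


def to_iptables(r: Rule, ext_if: str = "eth0") -> List[str]:
    """Render one row as iptables commands, one per protocol.
    The ACK requirement only exists for the tcp line."""
    chain, iface = ("INPUT", "-i") if r.direction == "in" else ("OUTPUT", "-o")
    lines = []
    for proto in ("tcp", "udp"):
        flags = " --tcp-flags ACK ACK" if (r.ack and proto == "tcp") else ""
        lines.append(
            f"iptables -A {chain} {iface} {ext_if} -p {proto}"
            f" --sport {r.sport[0]}:{r.sport[1]} --dport {r.dport[0]}:{r.dport[1]}"
            f"{flags} -j ACCEPT"
        )
    return lines


if __name__ == "__main__":
    rules = rule_table()
    for r in rules:
        print("\n".join(to_iptables(r)))
    # Constructed packets: a SYN leaving from port 2049 is dropped over TCP,
    # but the same datagram over UDP is accepted, since nothing can be checked.
    print(decide(Packet("out", "tcp", 2049, 600, ack=False), rules))  # None
    print(decide(Packet("out", "udp", 2049, 600), rules))             # accepted
```

Running the script prints the iptables form of the table and then shows the UDP gap directly: the outbound TCP packet from port 2049 without ACK is dropped, while the identical UDP datagram passes, which is the spoofing concern the post raises.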