Firewall problems with NFS

Bill Davidsen davidsen at tmr.com
Fri Nov 16 00:21:36 UTC 2007


Bill Davidsen wrote:
> I have a firewall problem with running an NFS server on FC6 or FC8, due 
> to the GUI configuration interface not opening the firewall when I check 
> the NFS protocol support. It seems to only allow use as an NFS client, 
> since that worked fine when I tested it.
> 
> I can put the needed rules in the "RH-Firewall-1-INPUT" chain, but 
> mixing GUI administration and manual administration is undesirable to 
> prevent unexpected behavior, conflicts, etc., in the future. Is there 
> really no way to open the ports for NFS server other than by hand?
> 
Since there were a few people flailing at a helpful answer, let me pass 
on some additional information:

1 - pinning ports. Not needed. The standard tool seems to cope just 
fine, if only you can get the fixed ports visible.

2 - Need another firewall tool. No and yes... No, you really don't need 
to open the ports; yes you do if you want to specify which machines get 
access to the port. The export file or exportfs command limit which 
machines will be allowed to use NFS once they see the port. If you 
export to a reasonable subset of IP addresses, most discussion I found 
indicates that you are probably safe from access to data; usual DOS 
attacks could be an issue.

So what's the scoop? See here:
   transport   ports
   UDP         2049, 111, 709, 706
   TCP         2049, 111, 709

Note that this was tested with a sniffer and a number of various 
machines and operating systems, seems to work with all of them. I was 
surprised to see that TCP with tcp_adv_win_size=5 and rsize=8192 was as 
fast as UDP, driving 449.1Mbit over gigE connection.

Hope this information is helpful to someone, I wanted to share it since 
people were trying to help me.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
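Added example (not part of the post above): a POSIX shell script that takes the `rpcinfo -p` listing from the NFS server and prints, for review rather than applying, iptables rules for the RH-Firewall-1-INPUT chain that admit those ports only from the subnet the filesystems are exported to. The rpcinfo text and the 192.168.1.0/24 subnet are constructed sample values chosen to match the port table in the post.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output on the NFS server (not a real
# capture); ports chosen to match the table in the post.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    709  mountd
    100005    1   tcp    709  mountd
    100024    1   udp    706  status'

# ports_for PROTO: read rpcinfo -p text on stdin and print the distinct
# ports registered for PROTO (tcp or udp), comma-separated, first-seen order.
ports_for() {
    awk -v proto="$1" '
        NR > 1 && $3 == proto && !seen[$4]++ {
            list = list (length(list) ? "," : "") $4
        }
        END { print list }'
}

# nfs_firewall_rules CHAIN SRC_CIDR  (rpcinfo -p text on stdin)
# Print one ACCEPT rule per transport, limited to SRC_CIDR. -I is used
# because the GUI-managed chain ends with a REJECT; an appended rule would
# never be reached.
nfs_firewall_rules() {
    chain=$1; src=$2
    input=$(cat)
    for proto in udp tcp; do
        ports=$(printf '%s\n' "$input" | ports_for "$proto")
        [ -n "$ports" ] || continue
        printf 'iptables -I %s -s %s -p %s -m multiport --dports %s -j ACCEPT\n' \
            "$chain" "$src" "$proto" "$ports"
    done
}

# Usage with the constructed sample; on a live host replace the sample
# with:  rpcinfo -p | nfs_firewall_rules RH-Firewall-1-INPUT <export-subnet>
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_firewall_rules RH-Firewall-1-INPUT 192.168.1.0/24
```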