Firewall and nfs mounts

Bill Davidsen davidsen at tmr.com
Tue Aug 25 18:27:38 UTC 2009 

Anne Wilson wrote:
> On Tuesday 25 August 2009 00:16:28 Ed Greshko wrote:
>> Anne Wilson wrote:
>>> On Monday 24 August 2009 15:44:20 Bill McGonigle wrote:
>>>> On 08/24/2009 08:15 AM, Anne Wilson wrote:
>>>>> What ports are necessarily opened on an nfs server?  Does the client
>>>>> need any ports opened?
>>>> If you can limit yourself to NFSv4 you're much better off in this
>>>> department.  I have this on an NFSv4 server:
>>>>
>>>> # NFS
>>>>   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source
>>>> 192.168.1.32/27 --dport 2049 -j ACCEPT
>>>>
>>>> and nothing on a working client other than the standard:
>>>>
>>>>   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> Thanks.  That's something to work on.  Although I have had a working
>>> firewall in the past, I'm not really familiar with iptables setup.  Since
>>> a gui tool was provided I expected it to do the necessary (this is
>>> system-config- securitylevels on CentOS) but it doesn't.  I used
>>> shorewall to set up my firewall long ago, and I'm beginning to think I
>>> might be better of seeing if there's a package for CentOS.  Gui tools
>>> seem nice, but I don't like the fact that they rarely tell you what the
>>> are and aren't doing.
>> When it comes to a shorewall package for CentOS or RHEL you can enable
>> the EPEL repository https://fedoraproject.org/wiki/EPEL
>>
> Thanks, Ed.  I should be able to get to that tomorrow.  The thing is that I 
> only want nfs across the lan.  The router would stop any external attempts to 
> use nfs mounting, so it seems to me that trusting the local zone might be all 
> that's needed.  I think that is straightforward, IIRC, in shorewall.
> 
For internal use the "insecure" option may be all you need. I export some things 
from various servers, attached is a little part of the process, a function to do 
the export by bind mounting directories into the "/export" space then exporting 
from there. That way any moves of the "real" location are hidden, clients always 
mount a short name.

Note that this attachment has been cleansed a bit of addresses and comments, 
take as an example to test before use.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: do_exports
Url: http://lists.fedoraproject.org/pipermail/users/attachments/20090825/0da6b69a/attachment-0001.pl

More information about the users mailing list