Firewall and nfs mounts

Anne Wilson annew at
Wed Aug 26 12:43:54 UTC 2009

On Tuesday 25 August 2009 19:27:38 Bill Davidsen wrote:
> Anne Wilson wrote:
> > On Tuesday 25 August 2009 00:16:28 Ed Greshko wrote:
> >> Anne Wilson wrote:
> >>> On Monday 24 August 2009 15:44:20 Bill McGonigle wrote:
> >>>> On 08/24/2009 08:15 AM, Anne Wilson wrote:
> >>>>> What ports are necessarily opened on an nfs server?  Does the client
> >>>>> need any ports opened?
> >>>>
> >>>> If you can limit yourself to NFSv4 you're much better off in this
> >>>> department.  I have this on an NFSv4 server:
> >>>>
> >>>> # NFS
> >>>>   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source
> >>>> --dport 2049 -j ACCEPT
> >>>>
> >>>> and nothing on a working client other than the standard:
> >>>>
> >>>>   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>>
> >>> Thanks.  That's something to work on.  Although I have had a working
> >>> firewall in the past, I'm not really familiar with iptables setup. 
> >>> Since a gui tool was provided I expected it to do the necessary (this
> >>> is system-config- securitylevels on CentOS) but it doesn't.  I used
> >>> shorewall to set up my firewall long ago, and I'm beginning to think I
> >>> might be better of seeing if there's a package for CentOS.  Gui tools
> >>> seem nice, but I don't like the fact that they rarely tell you what the
> >>> are and aren't doing.
> >>
> >> When it comes to a shorewall package for CentOS or RHEL you can enable
> >> the EPEL repository
> >
> > Thanks, Ed.  I should be able to get to that tomorrow.  The thing is that
> > I only want nfs across the lan.  The router would stop any external
> > attempts to use nfs mounting, so it seems to me that trusting the local
> > zone might be all that's needed.  I think that is straightforward, IIRC,
> > in shorewall.
> For internal use the "insecure" option may be all you need. I export some
> things from various servers, attached is a little part of the process, a
> function to do the export by bind mounting directories into the "/export"
> space then exporting from there. That way any moves of the "real" location
> are hidden, clients always mount a short name.
> Note that this attachment has been cleansed a bit of addresses and
> comments, take as an example to test before use.

Thanks, Bill.  I'll study it.

New to KDE4? - get help from
Just found a cool new feature?  Add it to UserBase
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : 

More information about the users mailing list