Firewall and nfs mounts
Anne Wilson
annew at kde.org
Wed Aug 26 12:43:54 UTC 2009
On Tuesday 25 August 2009 19:27:38 Bill Davidsen wrote:
> Anne Wilson wrote:
> > On Tuesday 25 August 2009 00:16:28 Ed Greshko wrote:
> >> Anne Wilson wrote:
> >>> On Monday 24 August 2009 15:44:20 Bill McGonigle wrote:
> >>>> On 08/24/2009 08:15 AM, Anne Wilson wrote:
> >>>>> What ports are necessarily opened on an nfs server? Does the client
> >>>>> need any ports opened?
> >>>>
> >>>> If you can limit yourself to NFSv4 you're much better off in this
> >>>> department. I have this on an NFSv4 server:
> >>>>
> >>>> # NFS
> >>>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source
> >>>> 192.168.1.32/27 --dport 2049 -j ACCEPT
> >>>>
> >>>> and nothing on a working client other than the standard:
> >>>>
> >>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>>
> >>> Thanks. That's something to work on. Although I have had a working
> >>> firewall in the past, I'm not really familiar with iptables setup.
> >>> Since a gui tool was provided I expected it to do the necessary (this
> >>> is system-config- securitylevels on CentOS) but it doesn't. I used
> >>> shorewall to set up my firewall long ago, and I'm beginning to think I
> >>> might be better of seeing if there's a package for CentOS. Gui tools
> >>> seem nice, but I don't like the fact that they rarely tell you what the
> >>> are and aren't doing.
> >>
> >> When it comes to a shorewall package for CentOS or RHEL you can enable
> >> the EPEL repository https://fedoraproject.org/wiki/EPEL
> >
> > Thanks, Ed. I should be able to get to that tomorrow. The thing is that
> > I only want nfs across the lan. The router would stop any external
> > attempts to use nfs mounting, so it seems to me that trusting the local
> > zone might be all that's needed. I think that is straightforward, IIRC,
> > in shorewall.
>
> For internal use the "insecure" option may be all you need. I export some
> things from various servers, attached is a little part of the process, a
> function to do the export by bind mounting directories into the "/export"
> space then exporting from there. That way any moves of the "real" location
> are hidden, clients always mount a short name.
>
> Note that this attachment has been cleansed a bit of addresses and
> comments, take as an example to test before use.
Thanks, Bill. I'll study it.
Anne
--
New to KDE4? - get help from http://userbase.kde.org
Just found a cool new feature? Add it to UserBase
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090826/80aa56b2/attachment-0001.bin
More information about the users
mailing list