NFS shared directory permission (rhel6)

夜神 岩男 supergiantpotato at yahoo.co.jp
Wed Aug 3 04:49:19 UTC 2011


On 08/03/2011 04:57 AM, Steve Searle wrote:
> Around 05:51pm on Tuesday, August 02, 2011 (UK time), Tom H scrawled:
>
>> On Mon, Aug 1, 2011 at 8:57 AM, Steve Searle<steve at stevesearle.co.uk>  wrote:
>>>
>>> I know. If you read my website it says that the firewall can cause a
>>> file to be read-only.
>>
>> Which firewall settings cause NFS exports to be ro?
>
> I already pointed to the webpage. Its here:
> http://www.stevesearle.com/tech/faq.html#nfs0010
>
> I'm not going to rewrite it in an email

This is not what I have experienced with NFSv4. NFSv3 had specific port 
requirements for random rpc daemons, but with NFSv4 you only need TCP 
2049 open (or whatever you set it to) -- that was one of the more 
tangible improvements over the previous versions.

And this is what I meant about documentation on the subject being 
generally out of date or not accurate as per the current Linux standard 
(as in, not Solaris circa 2001 documentation...).

The following iptables were exported from a server running SSH (tcp 22), 
OpenLDAP (tcp 389), NFSv4 (tcp 2049) and Kerberos KDC/Kadmin (88 and 
749). This server provides rw exports with authenticated rw file 
permissions and correct SELinux contexts for several shares:

# Generated by iptables-save v1.4.7 on Wed Aug  3 13:41:04 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4538677:6498063300]
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m udp --dport 88 -j ACCEPT
-A INPUT -p udp -m udp --dport 749 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 749 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Aug  3 13:41:04 2011

-Iwao
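The claim above is that an NFSv4 server needs only TCP 2049 opened, whereas NFSv3 also depends on rpcbind and the mountd/statd/lockd side channels. The script below is an added example (not part of the post, and not anything the poster ran): it parses an iptables-save dump in the format shown above, walks the INPUT chain in first-match order, and reports whether 2049/tcp is reachable and whether any legacy NFSv3 ports are also exposed. The embedded dump is a constructed copy of the ruleset in the post; the legacy port numbers other than rpcbind's 111 are an assumption taken from the commented-out defaults in RHEL 6's /etc/sysconfig/nfs and only apply if an admin pinned them there.

```python
"""Audit an iptables-save dump for NFS exposure.

Added example, not the poster's code. Parses the rule syntax that
iptables-save emits and answers two questions a defender asks when an
NFS export misbehaves or a ruleset is being reviewed:
  1. Is TCP 2049 (NFSv4) accepted in INPUT before the catch-all REJECT?
  2. Are legacy NFSv3 ports open that a pure NFSv4 server does not need?
Limitation: -m multiport --dports lists are not expanded.
"""
import shlex

# Constructed copy of the ruleset quoted in the mailing-list post.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.7 on Wed Aug  3 13:41:04 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4538677:6498063300]
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m udp --dport 88 -j ACCEPT
-A INPUT -p udp -m udp --dport 749 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 749 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Aug  3 13:41:04 2011
"""

# Ports NFSv3 needs beyond 2049. 111 is rpcbind's fixed port; the others are
# an ASSUMPTION: the commented-out defaults in RHEL 6's /etc/sysconfig/nfs,
# which are only in effect if the admin pinned them there.
LEGACY_NFS_PORTS = {
    111: "rpcbind/portmap",
    32803: "lockd (if pinned)",
    892: "mountd (if pinned)",
    662: "statd (if pinned)",
}


def parse_rules(dump):
    """Return [(chain, proto, dport, target)] for every -A rule in *filter."""
    rules = []
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):           # table header, e.g. *filter
            table = line[1:]
            continue
        if table != "filter" or not line.startswith("-A"):
            continue
        argv = shlex.split(line)
        chain, proto, dport, target = argv[1], None, None, None
        i = 2
        while i < len(argv):
            tok = argv[i]
            if tok == "-p" and i + 1 < len(argv):
                proto = argv[i + 1]; i += 2
            elif tok == "--dport" and i + 1 < len(argv):
                dport = int(argv[i + 1]); i += 2
            elif tok == "-j" and i + 1 < len(argv):
                target = argv[i + 1]; i += 2
            else:
                i += 1                      # match options we don't model
        rules.append((chain, proto, dport, target))
    return rules


def accepted_ports(rules, chain="INPUT"):
    """Set of (proto, port) accepted in *chain*, honouring first-match order.

    An unconditional REJECT/DROP terminates evaluation: any ACCEPT listed
    after it is dead and must not be reported as open.
    """
    open_ports = set()
    for c, proto, dport, target in rules:
        if c != chain:
            continue
        if proto is None and dport is None and target in ("REJECT", "DROP"):
            break
        if target == "ACCEPT" and dport is not None:
            open_ports.add((proto, dport))
    return open_ports


def audit_nfs(dump):
    """Summarise NFS-relevant exposure of an iptables-save dump."""
    ports = accepted_ports(parse_rules(dump))
    return {
        "nfsv4_ok": ("tcp", 2049) in ports,
        "legacy_open": sorted(LEGACY_NFS_PORTS[p] for _, p in ports
                              if p in LEGACY_NFS_PORTS),
        "open_ports": sorted(ports),
    }


if __name__ == "__main__":
    for key, value in audit_nfs(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Running it against the post's ruleset reports nfsv4_ok as true and an empty legacy list, which is the shape of the argument made above: nothing beyond 2049/tcp is needed for NFSv4. Feed it `iptables-save` output from a host that still opens 111 and pinned mountd/statd ports and the legacy list is the cleanup candidate.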

