2009/3/28 Jonathan Ryshpan <jonrysh@xxxxxxxxxxx>:
> On Fri, 2009-03-27 at 21:22 +0000, Sharpe, Sam J wrote:
>> If you're firewalling NFS, you might want to also look at locking
>> services to particular ports and opening them on your firewall:
>>
>> [sam@machine ~]$ sudo cat /etc/sysconfig/nfs
>> MOUNTD_PORT=4001
>> LOCKD_TCPPORT=4002
>> LOCKD_UDPPORT=4003
>> STATD_PORT=4004
>> RQUOTAD_PORT=4005
>>
>> Otherwise, the assignment of ports for RPC services is random, which
>> creates a slight firewall issue...
>
> You are exactly right on both counts. Port 111/tcp and 111/udp have to
> be opened to allow sunrpc to work. Moreover nfs and its friends must be
> set to fixed ports and these ports opened for nfs to work. I have used
> different ports from the ones you recommend, since there may be some
> conflicts between them and the standard port assignments.

Those weren't really "recommendations" - they were pasted from a
production system that serves NFS across a firewall and I was assigned
the ports by the people who run the firewall - so essentially they are
random choices!

> BTW: Would it be a good idea to close port 111, since sunrpc has been
> reported as a security problem? See:
> http://www.iss.net/security_center/advice/Services/SunRPC/default.htm
> Or is sunrpc needed for other functions of nfs?

It depends if you want to configure all your clients with the ports you
have assigned. What is supposed to happen is that a client talks to the
server's portmapper (sunrpc as you call it) and says "what port will I
find your mountd service on?" and then goes away to use that port. If
you don't somehow (and I don't know this off the top of my head) tell
all your clients what those ports are, then certain things won't work.
NFS might be fine, but you probably won't have working quotas, locks,
or a valid list of connected clients in showmount.

Also, I don't think the service responding to port 111 on a Fedora
machine is technically sunrpc any more:

[sam@machine ~]$ rpm -qif /etc/init.d/rpcbind
Name        : rpcbind                      Relocations: (not relocatable)
Version     : 0.1.7                             Vendor: Fedora Project
Release     : 1.fc10                        Build Date: Thu 20 Nov 2008 16:59:01 GMT
<snip>
URL         : http://nfsv4.bullopensource.org
Summary     : Universal Addresses to RPC Program Number Mapper
Description :
The rpcbind utility is a server that converts RPC program numbers into
universal addresses. It must be running on the host to be able to make
RPC calls on a server on that machine.

-- 
Sam

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
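A scripted version of the setup discussed above (pin the RPC helper services in /etc/sysconfig/nfs, sanity-check the chosen ports, then open port 111 plus the pinned ports), added here as an example and not code from the thread or from Fedora. The config is constructed inline from the values Sam pasted; the reserved-port list (111 for rpcbind, 2049 for nfs) and the iptables form of the rules are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the thread: read a /etc/sysconfig/nfs-style
# file, check the pinned ports, and emit the iptables rules that open
# them. The config below is constructed inline from the ports Sam pasted.
NFS_CONF='MOUNTD_PORT=4001
LOCKD_TCPPORT=4002
LOCKD_UDPPORT=4003
STATD_PORT=4004
RQUOTAD_PORT=4005'

# Print "VARIABLE port" for each *PORT=<number> line in the config.
nfs_pinned_ports() {
    printf '%s\n' "$1" | sed -n 's/^\([A-Z_]*PORT\)=\([0-9][0-9]*\)$/\1 \2/p'
}

# Return 1 if a pinned port is reused or collides with a port that is
# already spoken for. The reserved list is an assumption for this
# example: 111 is rpcbind/portmapper, 2049 is nfs itself.
nfs_check_ports() {
    ports=$(nfs_pinned_ports "$1" | awk '{print $2}')
    for p in $ports; do
        case "$p" in 111|2049) return 1 ;; esac
    done
    [ -z "$(printf '%s\n' $ports | sort | uniq -d)" ]
}

# Print one iptables rule per port/protocol. 111 (rpcbind) and 2049 (nfs)
# are fixed; the lockd ports are protocol-specific, the rest need both.
nfs_firewall_rules() {
    for port in 111 2049; do
        for proto in tcp udp; do
            printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
        done
    done
    nfs_pinned_ports "$1" | while read -r var port; do
        case "$var" in
            LOCKD_TCPPORT) protos=tcp ;;
            LOCKD_UDPPORT) protos=udp ;;
            *)             protos='tcp udp' ;;
        esac
        for proto in $protos; do
            printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
        done
    done
}

# Usage: print the rules only when the config passes the checks.
if nfs_check_ports "$NFS_CONF"; then
    nfs_firewall_rules "$NFS_CONF"
else
    echo 'port conflict in NFS config' >&2
fi
```

Clients still need rpcbind on 111 to discover these ports unless every client is told them explicitly, which is the point of Sam's reply.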