Re: Re: Firewall and nfs mounts

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Anne Wilson wrote, On 12/23/-28158 02:59 PM:

On Tuesday 25 August 2009 00:16:28 Ed Greshko wrote:

Anne Wilson wrote:

On Monday 24 August 2009 15:44:20 Bill McGonigle wrote:

On 08/24/2009 08:15 AM, Anne Wilson wrote:

What ports are necessarily opened on an nfs server?  Does the client
need any ports opened?

If you can limit yourself to NFSv4 you're much better off in this
department.  I have this on an NFSv4 server:

# NFS
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source
192.168.1.32/27 --dport 2049 -j ACCEPT

and nothing on a working client other than the standard:

  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Thanks.  That's something to work on.  Although I have had a working
firewall in the past, I'm not really familiar with iptables setup.  Since
a gui tool was provided I expected it to do the necessary (this is
system-config- securitylevels on CentOS) but it doesn't.  I used
shorewall to set up my firewall long ago, and I'm beginning to think I
might be better of seeing if there's a package for CentOS.  Gui tools
seem nice, but I don't like the fact that they rarely tell you what the
are and aren't doing.

When it comes to a shorewall package for CentOS or RHEL you can enable
the EPEL repository https://fedoraproject.org/wiki/EPEL
Thanks, Ed. I should be able to get to that tomorrow. The thing is that I only want nfs across the lan. The router would stop any external attempts to use nfs mounting, so it seems to me that trusting the local zone might be all that's needed. I think that is straightforward, IIRC, in shorewall. 

Anne


Anne,
If you are using NFS V2/3 instead of 4 (TCP) then the following might be as useful to you as it was to me. :) 
http://kbase.redhat.com/faq/docs/DOC-3259
Of course if you had time/inclination you would be using something other than the 10000-10005 range where everyone will now be looking for your NFS, if they could only find a way to get past your router. :) 

--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux