Re: NFS shared directory permission (rhel6)

On 08/03/2011 04:57 AM, Steve Searle wrote:
> Around 05:51pm on Tuesday, August 02, 2011 (UK time), Tom H scrawled:
>
>> On Mon, Aug 1, 2011 at 8:57 AM, Steve Searle<steve@xxxxxxxxxxxxxxxxx>  wrote:
>>>
>>> I know. If you read my website it says that the firewall can cause a
>>> file to be read-only.
>>
>> Which firewall settings cause NFS exports to be ro?
>
> I already pointed to the webpage. It's here:
> http://www.stevesearle.com/tech/faq.html#nfs0010
>
> I'm not going to rewrite it in an email

This is not what I have experienced with NFSv4. NFSv3 had specific port 
requirements for random rpc daemons, but with NFSv4 you only need TCP 
2049 open (or whatever you set it to) -- that was one of the more 
tangible improvements over the previous versions.

And this is what I meant about documentation on the subject being 
generally out of date or not accurate as per the current Linux standard 
(as in, not Solaris circa 2001 documentation...).

The following iptables were exported from a server running SSH (tcp 22) 
OpenLDAP (tcp 389), NFSv4 (tcp 2049) and Kerberos KDC/Kadmin (88 and 
749). This server provides rw exports with authenticated rw file 
permissions and correct SELinux contexts for several shares:

# Generated by iptables-save v1.4.7 on Wed Aug  3 13:41:04 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4538677:6498063300]
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m udp --dport 88 -j ACCEPT
-A INPUT -p udp -m udp --dport 749 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 749 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Aug  3 13:41:04 2011

-Iwao
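
Added example (not part of the message above or of the thread): a small Python check that walks the INPUT chain of the posted ruleset with first-match semantics and reports the verdict for a connection to a given port. The helper name input_verdict, the default interface eth0 and the choice of port 111 (rpcbind) as an NFSv3-only probe are assumptions of this example.

```python
# Added example, not from the original post. RULESET is the INPUT chain copied
# from the iptables-save dump above; input_verdict() is a hypothetical helper.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
-A INPUT -p udp -m udp --dport 88 -j ACCEPT
-A INPUT -p udp -m udp --dport 749 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 749 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Only the options used in this ruleset are modelled; each takes exactly one value.
KNOWN = {"-p", "-m", "--dport", "--state", "-i", "-j", "--reject-with"}

def input_verdict(ruleset, proto, dport, state="NEW", iface="eth0"):
    """Return the target of the first INPUT rule that matches, else the chain policy."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        toks = line.split()
        if toks[:1] == [":INPUT"]:
            policy = toks[1]                      # built-in chain policy
        if toks[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(toks[2::2], toks[3::2]))  # option/value pairs
        unknown = set(opts) - KNOWN
        if unknown:                               # refuse to guess at unmodelled matches
            raise ValueError(f"unsupported option(s) {sorted(unknown)} in: {line}")
        if "-p" in opts and opts["-p"] != proto:
            continue
        if "--dport" in opts and int(opts["--dport"]) != dport:
            continue
        if "--state" in opts and state not in opts["--state"].split(","):
            continue
        if "-i" in opts and opts["-i"] != iface:
            continue
        return opts["-j"]                         # first match wins
    return policy

if __name__ == "__main__":
    for proto, port, note in [("tcp", 2049, "NFSv4"), ("tcp", 111, "rpcbind, NFSv3 only"),
                              ("udp", 2049, "NFS over UDP")]:
        print(f"{proto}/{port:<5} {input_verdict(RULESET, proto, port):<7} {note}")
```

Because the INPUT policy in this dump is ACCEPT, the final REJECT rule is the only thing denying unlisted ports; with that line removed, the tcp/111 probe returns ACCEPT.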