Please have a look at this document: http://www.lowth.com/LinWiz/nfs_help.html It describes a method to configure the components of a Linux-based NFS server so that NFS access can be controlled via a simple firewall that does not "understand" NFS. As an engineer using various firewall platforms, i often saw the need for a similar solution, in situations when the firewalls being used could not control complex protocols such as NFS. Sometimes the firewall helps you and gives you a way to manage such protocols, some other times it doesn't. The document seems to be geared towards older Red Hat versions, but perhaps it is still actual for recent Fedora distributions. The techniques described require editing scripts in /etc/init.d and so on. That it typically considered something to avoid in production environments. I think it would be great to add "hooks" to the init.d scripts (or something like that) so that such a change can be made in a cleaner fashion. Say, add stuff in /etc/sysconfig for the sysadmin to modify in order to achieve the same effect. For example, add some variables, containing the port numbers for the various portmap/nfs components, in a file in /etc/sysconfig: STATD_PORT="4000" LOCKD_PORT="4001" MOUNTD_PORT="4002" RQUOTAD_PORT="4003" # set this to 1 to enforce using the unique NFS ports FORCE_NFS_UNIQUE_PORTS="0" Or something along these lines - it does not have to be in /etc/sysconfig. Any mechanism that will allow the sysadmin to "flip a switch" and make NFS play well with firewalls would be great. Thank you, -- Florin Andrei http://florin.myip.org/
