On July 2, 2004 12:18 pm, bruce wrote:
> pete....
>
> ok.. it looks like i have it working for now...
>
> but it appears that i'm going to have to make some changes to the
> /etc/rc.d/init.d/nfs script. it appears that the associated processes for
> nfs have ports that need to be accounted for in the iptables.
>
> in particular the processes statd, mountd, quotad....
>
> the iptables that i created for the nfs server is below...
>
> i'm going to need to know how to modify the nfs script to lock the ports
> for the processes down, as these processes apparently use random ports...
> but i'm not sure how to make the changes to the nfs script...
>
>
> currently used iptable for nfs server...
> # Firewall configuration written by lokkit
> # Manual customization of this file is not recommended.
> # Note: ifup-post will punch the current nameservers through the
> # firewall; such entries will *not* be listed here.
> *filter
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Lokkit-0-50-INPUT - [0:0]
>
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
> ###
> ### nfs related stuff...
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 32768:32770 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 32768:32770 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 111 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 111 -j ACCEPT
>
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
> COMMIT
>
>
>
> i've seen the following docs:
> <<<<<<<<<<<<<<<<<<===========================>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> The other daemons, statd, mountd, lockd, and rquotad, will normally move
> around to the first available port they are informed of by the portmapper.
>
> To force statd to bind to a particular port, use the -p portnum option. To
> force statd to respond on a particular port, additionally use the -o
> portnum option when starting it.
>
> (ok... but how do i find the process that starts the statd process. is this
> the /etc/rc.d/init.d/nfs script?????? )
>
> To force mountd to bind to a particular port use the -p portnum option.
>
> For example, to have statd broadcast of port 32765 and listen on port
> 32766, and mountd listen on port 32767, you would type:
>
> # statd -p 32765 -o 32766
> # mountd -p 32767
>
>
> lockd is started by the kernel when it is needed. Therefore you need to
> pass module options (if you have it built as a module) or kernel options to
> force lockd to listen and respond only on certain ports.
>
> If you are using loadable modules and you would like to specify these
> options in your /etc/modules.conf file add a line like this to the file:
>
> options lockd nlm_udpport=32768 nlm_tcpport=32768
>
>
> The above line would specify the udp and tcp port for lockd to be 32768.
>
> If you are not using loadable modules or if you have compiled lockd into
> the kernel instead of building it as a module then you will need to pass it
> an option on the kernel boot line.
>
> It should look something like this:
>
> vmlinuz 3 root=/dev/hda1 lockd.udpport=32768 lockd.tcpport=32768
>
>
> The port numbers do not have to match but it would simply add unnecessary
> confusion if they didn't.
> <<<<<<<<<<<<<<<<<<===========================>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> my copy of the /etc.../nfs script doesn't have "statd"... should i add
> it??? also, how do i know if i'm using "loadable modules", or if the kernel
> had lockd compiled... and if i do need to pass the options in as boot
> parameters, where/how would i do this... what file would i have to
> edit...?????
>

Bruce,

You shouldn't have to mess with the nfs init script. You should not need all
the extra nfs entries in your iptables, but probably only need to add:

-A RH-Lokkit-0-50-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

At this point it may also be worth grabbing an iptables frontend like
firestarter ( http://firestarter.sourceforge.net ) or build your own init
script.

I know you are going to have the fw set up properly soon, but this seems like
a strange approach (editing this file), oh well, we got this far...

--
Pete Nesbitt, rhce

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
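The pinned-port layout from the quoted docs and Pete's state rule, put together as an added example (not code from the thread or from any project): a shell script that generates the NFS-specific ACCEPT rules in iptables-restore syntax once statd, mountd and lockd are fixed to known ports, so one rule per daemon port replaces the open 32768:32770 range. The port numbers follow the quoted docs; the chain name is the lokkit one from Bruce's file; the 192.168.1.0/24 client network is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the NFS-related iptables rules
# (iptables-restore syntax) for daemons pinned to fixed ports, every rule
# limited to one client network instead of 0/0.
CHAIN=RH-Lokkit-0-50-INPUT   # chain name used by lokkit in the thread
STATD_PORT=32765             # assumed: statd -p 32765 (listening port)
MOUNTD_PORT=32767            # assumed: mountd -p 32767
LOCKD_PORT=32768             # assumed: options lockd nlm_udpport=32768 nlm_tcpport=32768
# statd -o only fixes the source port of outgoing notifications; replies to
# those match the ESTABLISHED,RELATED rule, so no inbound rule is needed.

# One ACCEPT rule each for tcp and udp on a port, restricted to a source net.
accept_port() {
    port=$1; src=$2
    printf '%s\n' "-A $CHAIN -s $src -p tcp -m tcp --dport $port -j ACCEPT"
    printf '%s\n' "-A $CHAIN -s $src -p udp -m udp --dport $port -j ACCEPT"
}

# The NFS rules: state rule first (Pete's suggestion), then portmapper (111),
# nfsd (2049) and the pinned daemons. $1 is the client network; the default
# is a constructed placeholder.
nfs_rules() {
    src=${1:-192.168.1.0/24}
    printf '%s\n' "-A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in 111 2049 "$STATD_PORT" "$MOUNTD_PORT" "$LOCKD_PORT"; do
        accept_port "$p" "$src"
    done
}

# Number of rules emitted (sanity check for the generated set).
nfs_rule_count() { nfs_rules "$1" | wc -l | tr -d ' '; }

# True if the generated rules accept $1 (tcp|udp) to port $2 from network $3.
nfs_port_allowed() {
    src=${3:-192.168.1.0/24}
    nfs_rules "$src" | grep -q -- "-s $src -p $1 -m $1 --dport $2 -j ACCEPT"
}

# Stand-alone use: print the rules for the client network given as $1.
nfs_rules "$1"
```

The printed lines belong above the `--dport 0:1023 ... REJECT` rules in the lokkit file, since iptables stops at the first matching rule; with the daemons pinned, the 32768:32770 range rules can then be dropped.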