Date: Thu, 24 Apr 2008 10:39:50 -0600
From: darren kirby <bulliver@badcomputer.org>
To: freebsd-questions@freebsd.org
Subject: Re: nfs & firewall, hard vs soft mount
Message-ID: <200804241039.50339.bulliver@badcomputer.org>
In-Reply-To: <aec9371b0804240835x71dc4b98h78bd6c0258c8fb2d@mail.gmail.com>
References: <aec9371b0804240835x71dc4b98h78bd6c0258c8fb2d@mail.gmail.com>
quoth the Colin Brace:
> Hi all,
>
> I have a FreeBSD v7 box set up as gateway/mailserver/WAP. I leave my WAP
> unencrypted, so my neighbors can use it, and use PF to allow just a few
> specific services (dhcp, dns, http, https).
>
> I'd like to be able to mount a couple of NFS shares from a desktop box
> running Fedora on a wireless client. I've opened the sunrpc and nfs ports
> in PF, but that doesn't seem to be enough. tcpdump indicates some high udp
> ports in the 40k-50k range are used in the nfs negotiation, but I can't
> figure out exactly what is going on. Does anyone know what additional ports
> need to be opened for nfs? Will I need to use PF to redirect this udp
> traffic to the fedora host or will it find the nfs server on its own?

'rpcinfo -p <server>' will show the ports/proto you need open. However, it
should change some each time because rpc.mountd, rpc.statd, and lockd assign
ports dynamically. You can set a few NFS options to lock these down:

Eg:
    RPCMOUNTDOPTS="-p 4002"
    RPCSTATDOPTS="-p 4000"

Sadly, I have only ever run an NFS server on Linux, so I do not know if there
is a config to set these, or if you have to add the '-p n' to the startup
scripts directly.

Also, on Linux you must set the lockd port at boot time. Perhaps there is a
sysctl for this on FreeBSD?

HTH
-d
--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
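Added example, not part of the original message: a shell sketch that reduces 'rpcinfo -p' output to the per-protocol port list a firewall rule needs, and flags services still sitting on dynamically assigned ports after mountd and statd have been pinned as above. The sample output is constructed, the lockd ports 38765 and 45123 are made up, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p <server>` output (not from a real host).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp  45123  nlockmgr
    100021    4   tcp  38765  nlockmgr
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd
EOF
}

# Reduce rpcinfo output on stdin to unique "proto port service" triples.
# The numeric test on the port column also skips the header line.
rpc_ports() {
    awk '$4 ~ /^[0-9]+$/ { print $3, $4, $5 }' |
        LC_ALL=C sort -u -k1,1 -k2,2n -k3,3
}

# One line per protocol: the ports a firewall rule has to allow.
ports_by_proto() {
    rpc_ports |
        awk '{ p[$1] = p[$1] " " $2 } END { for (k in p) print k ":" p[k] }' |
        LC_ALL=C sort
}

# $1: space-separated ports expected to be fixed (portmapper, nfs, pinned
# mountd/statd). Anything printed was assigned dynamically and will move on
# the next restart, so a static firewall rule for it will stop matching.
unpinned() {
    rpc_ports | awk -v fixed="$1" '
        BEGIN { n = split(fixed, f, " "); for (i = 1; i <= n; i++) ok[f[i]] = 1 }
        !($2 in ok) { print }'
}

sample_rpcinfo | ports_by_proto
sample_rpcinfo | unpinned "111 2049 4000 4002"
```

On a live server, replace sample_rpcinfo with 'rpcinfo -p <server>' and rerun after each NFS restart; an empty result from unpinned means every service is on a port the firewall rule already covers.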