Date: Sun, 03 Apr 2005 13:04:51 +0200
From: Erik Nørgaard <norgaard@locolomo.org>
To: Matt Juszczak <matt@atopia.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFILTER and NFS
Message-ID: <424FCDD3.6040507@locolomo.org>
In-Reply-To: <424F8B94.7050006@atopia.net>
References: <424F8B94.7050006@atopia.net>
Matt Juszczak wrote:
> Howdy,
>
> Trying to get IPFILTER and NFS working. A google search didn't show
> much about my specific issue. With ipfilter working, nfs initially
> works, until someone tries to login. Then it stops working. With my
> firewall down on the NFS-CLIENT machine, it works fine. Any ideas?
>
> It appears to be an issue with random ports....

It is, NFS is an RPC service where the RPC daemon is requested for info on
which port mountd binds to. I wrote a howto for diskless clients,
www.daemonsecurity.com/pxe/ - here's what to do:

Enable nfs in /etc/rc.conf:

    rpcbind_enable="YES"      # Run the portmapper service (YES/NO).
    nfs_server_enable="YES"   # This host is an NFS server (or NO).
    mountd_enable="YES"       # Run mountd (or NO).
    mountd_flags="-r -p 59"   # Force mountd to bind on port 59

As a minimum you need to enable rpcbind, nfsserver and mountd. lockd and
statd provide file locking and status monitoring.

By default, when mountd starts it binds to some arbitrary port, and rpc is
used to discover which, making it impossible to firewall. With option '-p'
mountd can be forced to bind to a specific port. Port 59 is assigned to
"any private file service" (see /etc/services). This limits the number of
ports relevant to 59, 111 and 2049.

You can't force lockd and statd to bind to specific ports (they are also
RPC services) and AFAIK you can't have disk quotas work correctly because
of this.

AFAIK NFS4 should address these problems, but the NFS4 server is still
experimental. Till then, RPC is a security nightmare.

Erik

--
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
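A check that follows from the advice above, added here as an example and not part of the original thread: after pinning mountd with mountd_flags="-r -p 59", run `rpcinfo -p` against the server and list every RPC registration that is still outside the three ports (59, 111, 2049) the firewall is meant to allow. The `rpcinfo -p` output below is a constructed sample, not captured from a real host, and the function name `unexpected_rpc_ports` is this example's own.

```shell
#!/bin/sh
# Ports a port-based firewall is expected to permit for NFS once mountd is
# pinned: rpcbind (111), nfsd (2049) and mountd on 59 (mountd_flags="-r -p 59").
NFS_ALLOWED_PORTS="59 111 2049"

# Read "rpcinfo -p" output on stdin and print one line per RPC registration
# that is NOT on an allowed port, as "<service> <proto> <port>". Whatever is
# printed (typically nlockmgr and status) cannot be covered by a fixed rule,
# which is exactly the lockd/statd limitation the mail describes.
unexpected_rpc_ports() {
    awk -v allowed="$NFS_ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # skip the header line and anything that is not a registration row
        $1 !~ /^[0-9]+$/ { next }
        # rpcinfo -p columns: program vers proto port service
        !($4 in ok) { print $5, $3, $4 }
    '
}

# Constructed sample of "rpcinfo -p" output from a server where mountd was
# pinned to port 59 but lockd (nlockmgr) and statd (status) still took
# arbitrary ports, as the mail says they will.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp     59  mountd
    100005    3   tcp     59  mountd
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   1023  nlockmgr
    100021    1   tcp    862  nlockmgr
    100024    1   udp   1010  status
    100024    1   tcp   1011  status'

# On a live host:  rpcinfo -p nfs-server | unexpected_rpc_ports
# On the sample, this prints the four nlockmgr/status registrations:
printf '%s\n' "$SAMPLE_RPCINFO" | unexpected_rpc_ports
```

An empty result means every registered NFS-related service sits on a port the ruleset already names; anything printed is a service the rules cannot pin down by port.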
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?424FCDD3.6040507>