Date:      Sun, 03 Apr 2005 14:06:24 -0400
From:      Matt Juszczak <matt@atopia.net>
To:        Erik Nørgaard <norgaard@locolomo.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFILTER and NFS
Message-ID:  <425030A0.4000809@atopia.net>
In-Reply-To: <424FCDD3.6040507@locolomo.org>
References:  <424F8B94.7050006@atopia.net> <424FCDD3.6040507@locolomo.org>

Problem is that I need to firewall the client.

I don't have access to the NFS server... only the client.  Your 
configuration info showed me making changes on the server.  Is there a 
way to make the client work OK?

-Matt

Erik Nørgaard wrote:

> Matt Juszczak wrote:
>
>> Howdy,
>>
>> Trying to get IPFILTER and NFS working.  A google search didn't show 
>> much about my specific issue.  With ipfilter working, nfs initially 
>> works, until someone tries to login.  Then it stops working.  With my 
>> firewall down on the NFS-CLIENT machine, it works fine.  Any ideas?
>>
>> It appears to be an issue with random ports....
>
>
> It is. NFS is an RPC service where the RPC daemon is requested for 
> info on which port mountd binds to. I wrote a howto for diskless 
> clients, www.daemonsecurity.com/pxe/ - here's what to do:
>
> Enable nfs in /etc/rc.conf:
>
>    rpcbind_enable="YES"          # Run the portmapper service (YES/NO).
>    nfs_server_enable="YES"       # This host is an NFS server (or NO).
>    mountd_enable="YES"           # Run mountd (or NO).
>    mountd_flags="-r -p 59"       # Force mountd to bind on port 59
>
> As a minimum you need to enable rpcbind, nfsserver and mountd. lockd 
> and statd provide file locking and status monitoring. By default, 
> when mountd starts it binds to some arbitrary port, and rpc is used to 
> discover which, making it impossible to firewall. With option '-p' 
> mountd can be forced to bind to a specific port. Port 59 is assigned 
> to "any private file service" (see /etc/services).
>
> This limits the number of ports relevant to 59, 111 and 2049. You 
> can't force lockd and statd to bind to specific ports (they are also 
> RPC services) and AFAIK you can't have disk quotas work correctly 
> because of this.
>
> AFAIK NFS4 should address these problems, but the NFS4 server is still 
> experimental.
>
> Till then, RPC is a security nightmare.
>
> Erik
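The port problem Erik describes can be checked from the firewalled side before writing any rules: `rpcinfo -p <server>` lists the port each RPC program is registered on, so a short script can show which services sit on the fixed ports (59, 111, 2049) and which were handed an arbitrary port that no static rule can cover. The script below is an added example, not part of this thread or of the howto Erik links; the `rpcinfo -p` output it parses is constructed sample data, and the server address 192.0.2.10 and interface em0 in the generated ipfilter rules are assumptions.

```shell
#!/bin/sh
# Added example: audit NFS-related RPC ports from `rpcinfo -p` output and
# generate matching ipfilter pass rules for an NFS *client*.

# Constructed sample of `rpcinfo -p <server>` output (not captured from a
# real host). mountd here is pinned with "-p 59"; lockd/statd are not.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100005    1   udp     59  mountd
    100005    3   tcp     59  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp    815  nlockmgr
    100024    1   udp    712  status'

# rpc_ports: read rpcinfo -p output on stdin, print one "proto port service"
# line per distinct binding of the NFS-related programs (header skipped).
rpc_ports() {
    awk 'NR > 1 && $5 ~ /^(rpcbind|portmapper|mountd|nfs|nlockmgr|status)$/ {
            key = $3 " " $4 " " $5
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# unpinned_ports: the bindings outside the fixed set 59/111/2049, i.e. the
# ones rpcbind assigned arbitrarily and a static firewall rule cannot track.
unpinned_ports() {
    rpc_ports | awk '$2 != 59 && $2 != 111 && $2 != 2049 { print }'
}

# ipf_client_rules SERVER IFACE: emit stateful outbound ipfilter rules from
# this client to each service port currently registered on SERVER.
# Rules for unpinned ports go stale as soon as the service restarts.
ipf_client_rules() {
    srv="$1"; ifc="$2"
    rpc_ports | while read -r proto port svc; do
        printf 'pass out quick on %s proto %s from any to %s port = %s keep state # %s\n' \
            "$ifc" "$proto" "$srv" "$port" "$svc"
    done
}

# Stand-alone run on the constructed sample: list what cannot be pinned,
# then the rules for the current registrations.
echo "RPC services on arbitrary ports:"
printf '%s\n' "$SAMPLE_RPCINFO" | unpinned_ports
echo
echo "ipfilter rules for this snapshot:"
printf '%s\n' "$SAMPLE_RPCINFO" | ipf_client_rules 192.0.2.10 em0
```

On a live host replace the constructed sample with `rpcinfo -p <server> | unpinned_ports`; any line it prints is a service whose port the firewall policy cannot be written against, which is exactly the lockd/statd limitation Erik points out.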