comparison content/Linux/nfs.md @ 98:1d9382b0329b
Specify the syntax on markdown blocks to avoid broken output that has class=err
author | Dirk Olmes <dirk@xanthippe.ping.de> |
---|---|
date | Thu, 19 Dec 2019 10:04:33 +0100 |
parents | 9693693301f2 |
children |
97:e99db3bc53c1 | 98:1d9382b0329b |
---|---|
6 | 6 |
7 The main NFS setup is described [on the Gentoo wiki](https://wiki.gentoo.org/wiki/NFS) in sufficient detail. I had a bit of a headache getting NFS through my [Shorewall](http://www.shorewall.net/) based firefall, though. There is a good section on NFS security in the [NFS-HOWTO](http://tldp.org/HOWTO/NFS-HOWTO/security.html) which describes all the necessary bits. And the Gentoo config files have all the required settings in their comments, too. It turns out that all you have to do is to put some configuration into place and the NFS server will play nicely with the firewall: | 7 The main NFS setup is described [on the Gentoo wiki](https://wiki.gentoo.org/wiki/NFS) in sufficient detail. I had a bit of a headache getting NFS through my [Shorewall](http://www.shorewall.net/) based firefall, though. There is a good section on NFS security in the [NFS-HOWTO](http://tldp.org/HOWTO/NFS-HOWTO/security.html) which describes all the necessary bits. And the Gentoo config files have all the required settings in their comments, too. It turns out that all you have to do is to put some configuration into place and the NFS server will play nicely with the firewall: |
8 | 8 |
9 In `/etc/sysctl.conf` these settings: | 9 In `/etc/sysctl.conf` these settings: |
10 | 10 |
11 :::shell | |
11 fs.nfs.nlm_tcpport = 4001 | 12 fs.nfs.nlm_tcpport = 4001 |
12 fs.nfs.nlm_udpport = 4001 | 13 fs.nfs.nlm_udpport = 4001 |
13 | 14 |
14 In `/etc/conf.d/nfs` enable these settings: | 15 In `/etc/conf.d/nfs` enable these settings: |
15 | 16 |
17 :::shell | |
16 OPTS_RPC_MOUNTD="-p 32767" | 18 OPTS_RPC_MOUNTD="-p 32767" |
17 OPTS_RPC_STATD="-p 32765 -o 32766" | 19 OPTS_RPC_STATD="-p 32765 -o 32766" |
18 | 20 |
19 Now all NFS daemons should be locked down to specific ports so you can add appropriate shorewall rules: | 21 Now all NFS daemons should be locked down to specific ports so you can add appropriate shorewall rules: |
20 | 22 |
23 :::shell | |
21 ACCEPT loc fw tcp 111 # portmapper | 24 ACCEPT loc fw tcp 111 # portmapper |
22 ACCEPT loc fw udp 111 | 25 ACCEPT loc fw udp 111 |
23 ACCEPT loc fw tcp 2049 # rpc.nfsd | 26 ACCEPT loc fw tcp 2049 # rpc.nfsd |
24 ACCEPT loc fw udp 2049 | 27 ACCEPT loc fw udp 2049 |
25 ACCEPT loc fw tcp 4001 # kernel lockd | 28 ACCEPT loc fw tcp 4001 # kernel lockd |
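Review bot: the `:::shell` hint inserted at new lines 11, 17 and 23 only describes the `/etc/conf.d/nfs` block (`OPTS_RPC_MOUNTD="-p 32767"` is shell variable syntax); the `/etc/sysctl.conf` lines (`fs.nfs.nlm_tcpport = 4001`) and the Shorewall rules (`ACCEPT loc fw tcp 111 # portmapper`) are not shell, so a lexer hint such as `:::text` would be the honest choice for those two blocks and still avoids the `class=err` spans the commit message is about. Separately, a `:::lang` marker is only honoured when it is the first line inside the indented code block; the indentation is not visible in this side-by-side view, so confirm all three marker lines carry the same indentation as the lines that follow them, otherwise the marker renders as literal text in a paragraph.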