Because this is still an issue 15 years later, from:
https://web.archive.org/web/20140906175220/http://www.lowth.com/LinWiz/nfs_help.html
Configuring NFS under Linux for Firewall control
By: Chris Lowth <chris@lowth.com>
Date: April 25th 2003
Looking for Iptables configuration assistance?
If you have been directed to this page because you are searching for general assistance in configuring IPTABLES, then click here to try "LinWiz", an on-line IPtables configurator that does the hard work for you. Answer a few simple questions and LinWiz will generate your IPtables rules file for you to download.
Platforms
This document has been written with reference to RedHat 7.x and 8.x systems but is appropriate for other Linux distributions. The author warmly invites comments, corrections and (in particular) news of using this approach on other Linuxes.
Follow-up contributions.
I have received numerous mails since writing this article, some of which include more information which may be of general use. Thanks to the authors for permission to reproduce their comments here.
Introduction.
When setting up IPTABLES firewalling for Linux systems running the NFS service (network file system), you hit the problem that some of the TCP/IP and UDP ports used by components of the service are randomly generated as part of the “SunRPC” mechanism.
This document is part of the LinWiz tool kit, and describes how to set up NFS in such a way that meaningful firewall rules can be applied to the system.
The LinWiz toolkit.
LinWiz is a free-to-use on-line Linux IPTables configuration wizard, designed for novices and experts alike. LinWiz presents a simple, single-page questionnaire for you to fill in, and then generates a personalised iptables configuration file for download onto the Linux server, firewall or router/gateway.
Click here to use this software on line.
Viewing the used ports.
On a system that is up and running with the NFS service active, the ports used by the components of the service can be listed using the command “rpcinfo -p”. The output will look something like this...
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32814  status
    100024    1   tcp  33024  status
    100011    1   udp    670  rquotad
    100011    2   udp    670  rquotad
    100011    1   tcp    673  rquotad
    100011    2   tcp    673  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32816  nlockmgr
    100021    3   udp  32816  nlockmgr
    100021    4   udp  32816  nlockmgr
    100005    1   udp  32818  mountd
    100005    1   tcp  33025  mountd
    100005    2   udp  32818  mountd
    100005    2   tcp  33025  mountd
    100005    3   udp  32818  mountd
    100005    3   tcp  33025  mountd
This listing shows the IP ports for the various versions of the services in the 4th column. If you view this listing on different systems (or even after rebooting the same one) you may well find that the port numbers are different. This is a real problem when configuring firewalls, which tend to assume that known port numbers are used for the services being configured.
Setting up NFS to use fixed IP ports.
To make it possible to configure a firewall that controls NFS, it is useful to be able to “tie down” the ports used by these services to fixed values. Luckily this is possible in RedHat Linux versions 7 and 8 (and, I suspect, other Linux distributions), although the method for setting the port number is different for each of the daemons.
The following table lists the NFS daemons and summarises the relevant information for them. The sections that follow give more detail.
| Daemon Name | RPM | Standard Port | Suggested Port | What to Change |
|---|---|---|---|---|
| portmap | portmap | 111 | 111 | Nothing |
| rpc.statd | nfs-utils | Random | 4000 | Edit /etc/init.d/nfslock |
| rpc.nfsd | nfs-utils | 2049 | 2049 | Nothing |
| rpc.lockd | nfs-utils & kernel | Random | 4001 | Edit /etc/modules.conf |
| rpc.mountd | nfs-utils | Random | 4002 | Create or Edit /etc/sysconfig/nfs |
| rpc.rquotad | quota | Random | 4003 | Install "quota" package version 3.08 or later and edit /etc/rpc and /etc/services |
Portmapper [Standard port: 111]
The portmapper is implemented by the “portmap” program which is part of the “portmap” RPM package. The service uses port 111 on both the TCP and UDP protocols.
Portmapper provides the mapping between RPC program names and IP ports, and is therefore analogous to the /etc/services file except that it relates to RPC programs only.
Firewall rules that refer to portmapper should refer to TCP/IP and UDP packets on port 111.
Status [Random port. Suggestion: 4000]
The rpc.statd server implements the NSM (Network Status Monitor) RPC protocol. This service is somewhat misnamed, since it doesn't actually provide active monitoring as one might suspect; instead, NSM implements a reboot notification service. It is used by the NFS file locking service, rpc.lockd, to implement lock recovery when the NFS server machine crashes and reboots.
The rpc.statd program is part of the “nfs-utils” RPM package.
While rpc.statd is normally allocated a random port number by the portmapper, it is possible to configure a fixed port number by supplying the “-p” command line option when the program is launched. This can be done as follows:
Edit the file /etc/init.d/nfslock and change the “start()” procedure to add “-p” and a port number to the line “daemon rpc.statd”. The changed procedure looks like this (the changed line is the one reading “daemon rpc.statd -p 4000”):
start() {
    # Start daemons.
    if [ "$USERLAND_LOCKD" ]; then
        echo -n $"Starting NFS locking: "
        daemon rpc.lockd
        echo
    fi
    echo -n $"Starting NFS statd: "
    daemon rpc.statd -p 4000        # changed: -p pins rpc.statd to port 4000
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/nfslock
    return $RETVAL
}
Once the above change has been made, firewall rules should refer to TCP/IP and UDP packets on the chosen port. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).
NFS Daemon [Standard port: 2049]
The rpc.nfsd program implements the user level part of the NFS service. The main functionality is handled by the nfsd.o kernel module; the user space program merely starts the specified number of kernel threads.
The rpc.nfsd program normally listens on port number 2049, so firewall rules can be created to refer to that port (unless it is changed from the default value). (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).
NFS Lock Manager [Random port. Suggestion: 4001]
The NFS lock manager is a kernel module. It implements the NLM (NFS Lock Manager) part of the NFS subsystem, used for handling file and resource locks of various types. This component is sometimes referred to as "rpc.lockd", and shows up in the output of rpcinfo as "nlockmgr" (hey - consistency would only make life boring!).
On systems where the lock manager is implemented as a loadable module the port number used is set at module load time, and so is configured by adding (or editing) a line in the /etc/modules.conf file, as follows:
options lockd nlm_udpport=4001 nlm_tcpport=4001
This sets the udp and tcp/ip port numbers. Conventionally, these two numbers should be set to the same value.
If your system has the lockd code compiled into the main kernel binary rather than as a loadable module, then the settings in modules.conf won't work. You need to add the parameters "lockd.udpport=4001 lockd.tcpport=4001" to the kernel command line in the lilo or grub configuration instead.
Note on Linux kernel versions before 2.4.12: the handling of these parameters was introduced in Linux kernel version 2.4.11, but since 2.4.11 is flagged as a "don't use" release, you should verify that your system has kernel 2.4.12 or later installed in order for this to work. Use the command "uname -a" to see the kernel version you are running.
To fix the port used by the NFS Lock Manager, add a line (as above) to /etc/modules.conf or lilo.conf (or grub.conf) as appropriate, and configure the firewall to manage the port number selected. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).
mountd [Random port. Suggestion: 4002]
The rpc.mountd program implements the NFS mount protocol. When receiving a MOUNT request from an NFS client, it checks the request against the list of currently exported file systems. If the client is permitted to mount the file system, rpc.mountd obtains a file handle for the requested directory and returns it to the client.
While rpc.mountd is normally allocated a random port number by the portmapper, it is possible to configure a fixed port number by supplying the “-p” command line option when the program is launched. This can be done by editing or creating the file /etc/sysconfig/nfs and adding the following line:
MOUNTD_PORT=4002
Once this edit has been made, configure the firewall to manage the port number selected. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).
rquotad [Random port. Suggestion: 4003]
rquotad is an rpc(3N) server which returns quotas for a user of a local filesystem which is mounted by a remote machine over NFS. It also allows setting of quotas on NFS-mounted filesystems. The results are used by quota(1) to display user quotas for remote filesystems and by edquota(8) to set quotas on remote filesystems. The rquotad daemon is normally started at boot time from the system startup scripts.
There are two versions of rpc.rquotad that are commonly used with Linux systems: one is part of the nfs utilities, and the other comes bundled with the "quota" package. RedHat 7.x and 8.x use the "quota" package - sadly, the version they use does not have any built-in mechanism for tying down the port. Happily, version 3.08 of the quota tools package DOES allow this.
The home page of the linuxquota project is at: http://sourceforge.net/projects/linuxquota. To obtain the software, visit the site, download the sources and build them on your platform. If you have RedHat 8.0, then you can download the RPMs from my web site and install them.
To use this package to update the existing one:
- First verify that your system is not already running "quota" version 3.08 or later (RedHat may have provided the up-to-date version since this document was written).
- Download the quota rpm from my web site.
- Install in "update" mode by using the command: rpm -Uhv quota-3.08-1.rpm
Once the updated "quota" package is installed, you can "fix" the port used by rpc.rquotad as follows:
- Check that the following line is present in the file /etc/rpc. It should be there, but if it isn't, then add it yourself. NB: the number "100011" is NOT the port number but the fixed RPC program number - it is important that you don't change it.
    rquotad 100011 rquotaprog quota rquota
- Add (or modify) the following two lines in the /etc/services file (replacing the number 4003 with the port number you want rpc.rquotad to listen on).
    rquotad 4003/tcp
    rquotad 4003/udp
Once these changes have been made, configure the firewall to manage the port numbers selected. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).
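As an added example (not part of the original article or the LinWiz toolkit), the following POSIX shell script checks "rpcinfo -p" output against the fixed ports chosen above, reporting any daemon that is still on a random port, and prints the iptables rules for the pinned ports. The rpcinfo sample is constructed, and the port values are the article's suggested ones.

```shell
# Added example, not from the original article: check "rpcinfo -p" output
# against the fixed ports chosen above and emit matching iptables rules.
# Constructed sample of "rpcinfo -p" output after pinning; mountd has been
# left on random ports on purpose so the check has something to report.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100003    2   udp   2049  nfs
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp  32818  mountd
    100005    1   tcp  33025  mountd
    100011    1   udp   4003  rquotad
    100011    1   tcp   4003  rquotad'
# Expected ports ("name port"): portmapper and nfs are the defaults, the rest are the article's suggestions.
EXPECTED_PORTS='portmapper 111
status 4000
nfs 2049
nlockmgr 4001
mountd 4002
rquotad 4003'
# check_pinned_ports: reads rpcinfo output on stdin, prints one line per
# service on the wrong port ("name proto actual expected"), exits 1 if any.
check_pinned_ports() {
    awk -v expected="$EXPECTED_PORTS" '
    BEGIN {
        bad = 0
        n = split(expected, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], f, " "); want[f[1]] = f[2] }
    }
    # data rows start with a numeric program number, which skips the header
    $1 ~ /^[0-9]+$/ && ($5 in want) && $4 != want[$5] {
        print $5, $3, $4, want[$5]; bad = 1
    }
    END { exit bad }'
}
# iptables_rules: one INPUT ACCEPT rule per pinned port on both TCP and UDP,
# mirroring the "TCP/IP and UDP packets" advice given for each daemon above.
iptables_rules() {
    printf '%s\n' "$EXPECTED_PORTS" | while read -r name port; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT  # $name"
        done
    done
}
printf '%s\n' "$SAMPLE_RPCINFO" | check_pinned_ports || echo "unpinned NFS ports found"
iptables_rules
```

On a live system, replace the sample with the real output (`rpcinfo -p | check_pinned_ports`) before applying the rules.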