On Wednesday 04 October 2006 14:14, Michael Sullivan
<michael@××××××××××××.com> wrote about '[gentoo-user] OT - NFS and port
numbers':
> How do I discover (or define) which port numbers NFS uses, and whether
> they are TCP or UDP so that I can let them through my firewall?

Short Answer: You can't.
Longer Answer: You can, but it's hard. NFS, for better or worse, depends on
a collection of RPC daemons, which generally use the portmapper service to
bind to a random high port. Fortunately, you can pass these daemons some
options and have them bind to a port of your choice, so that you can let
connections on that port through the firewall.

Per my /etc/services the core NFS service binds to well-known port 2049, so
I started from there and added some entries to /etc/services (not strictly
necessary, but some applications use it for port<->name mapping) and then
tweaked my /etc/conf.d/nfs and /etc/sysctl.conf. After that, you should
be able to add some simple rules to your firewall. Here are the interesting
parts of my versions of those files:

[/etc/services]
nfs             2049/tcp        # Network File System
nfs             2049/udp
nfs-callback    2050/tcp
nfs-callback    2050/udp
nfs-nlm         2051/tcp
nfs-nlm         2051/udp
rpc-mountd      2052/tcp
rpc-mountd      2052/udp
rpc-statd       2053/tcp
rpc-statd       2053/udp
rpc-rquotad     2054/tcp
rpc-rquotad     2054/udp

[/etc/conf.d/nfs]
RPCMOUNTDOPTS="-p 2052"
RPCSTATDOPTS="-p 2053"
RPCRQUOTADOPTS="-p 2054"

[/etc/sysctl.conf]
# TCP Port for lock manager
fs.nfs.nlm_tcpport = 2051
# UDP Port for lock manager
fs.nfs.nlm_udpport = 2051
# TCP Port for NFS callback
fs.nfs.nfs_callback_tcpport = 2050

[/var/lib/iptables/rules-save]
-A INPUT -i eth0 -p udp -m udp --dport 2049:2054 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2049:2054 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT

Looking over things again, it appears that the options I've given
in /etc/conf.d/nfs were added to /etc/init.d/nfs by another administrator.
In any case, you should be able to find where the various daemons are
started in /etc/init.d/nfs and add the appropriate options there, but let
me know if you need further assistance.

Also, if you use the nfsmount service as well, be sure they start rpc.statd
with the same options; I'm not sure why Gentoo doesn't have a separate
rpc.statd service that nfs and nfsmount depend on.

-- 
"If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability."
-- Gentoo Developer Ciaran McCreesh
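A verification step the mail above implies but does not show, as an added example that is not part of the original post: once the daemons are pinned, `rpcinfo -p` should report every NFS-related RPC service on one of the fixed ports, and anything that still sits on a random high port is a daemon the -p option never reached. The script parses `rpcinfo -p` output (service names and program numbers are the standard ones; the sample output is constructed, and the live `rpcinfo` call is assumed to be available on the host) and lists the mismatches against the ports configured in the post.

```python
# Added example (not from the original mail): parse `rpcinfo -p` output and
# flag NFS-related RPC services off the fixed ports configured above; a daemon
# started without -p lands on a random high port the iptables rules drop.
import subprocess
# Expected port per RPC service name, as configured in the post.
EXPECTED_PORTS = {
    "portmapper": 111,
    "nfs": 2049,
    "nlockmgr": 2051,   # fs.nfs.nlm_tcpport / fs.nfs.nlm_udpport
    "mountd": 2052,     # RPCMOUNTDOPTS="-p 2052"
    "status": 2053,     # RPCSTATDOPTS="-p 2053"
    "rquotad": 2054,    # RPCRQUOTADOPTS="-p 2054"
}

# Constructed sample of `rpcinfo -p` output in which rpc.statd was started
# without -p and ended up on a random high port.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp   2052  mountd
    100021    4   udp   2051  nlockmgr
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    100011    1   udp   2054  rquotad
"""

def parse_rpcinfo(text):
    """Yield (service, proto, port) for each data row of `rpcinfo -p`."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) == 5:                    # program vers proto port service
            yield fields[4], fields[2], int(fields[3])

def find_misbound(text, expected=EXPECTED_PORTS):
    """Return {(service, proto): port} for known services off their fixed port."""
    return {(svc, proto): port
            for svc, proto, port in parse_rpcinfo(text)
            if svc in expected and port != expected[svc]}

if __name__ == "__main__":
    try:    # query the live portmapper; fall back to the sample when unavailable
        out = subprocess.run(["rpcinfo", "-p"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_RPCINFO
    for (svc, proto), port in sorted(find_misbound(out).items()):
        print(f"{svc}/{proto} is on port {port}, expected {EXPECTED_PORTS[svc]}")
```

Run it on both the server and any nfsmount client after a restart of the nfs service; an empty result means every listed daemon honoured its port option.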