SCIENTIFIC-LINUX-USERS Archives

March 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date:
Sat, 12 Mar 2011 13:10:22 -0500
On Sat, Mar 12, 2011 at 11:31 AM, Alec T. Habig
<[log in to unmask]> wrote:
>
> I was poking at this yesterday myself with no success, so would love to
> know what the answer is.
>
> This is especially important since by default, iptables is installed and
> active, and AFAIK the only way for nfs to coexist with iptables is to use
> nfs4.  So out of the box, nfs doesn't work unless one disables a
> security tool, aside from the issue that nfs4 is designed to have a much
> higher level of security than the older versions, such that we really
> should all be using it exclusively anyway.

You can firewall an nfsv3 box. You have to set static ports in
"/etc/sysconfig/nfs" and allow access to those ports in iptables.

You can use nfsv4 only (meaning set RPCNFSDARGS="-N 2 -N 3" and
MOUNTD_NFS_V1="no", MOUNTD_NFS_V2="no" in "/etc/sysconfig/nfs").

You have to keep MOUNTD_NFS_V3="no" commented out though because nfsd
needs mountd locally.

You then only need to open ports 111 and 2049 in iptables and can
disallow access to the ports of the other "nfs daemons".
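As an added example (not part of the original reply or of Scientific Linux itself), the POSIX shell script below checks an /etc/sysconfig/nfs fragment for the NFSv4-only settings the reply describes and prints the iptables rules for ports 111 and 2049. The sample configuration file, the client subnet 192.168.1.0/24 and the helper names (nfs_conf_get, nfs_v4_only_check, nfs_v4_iptables_rules) are constructed for this example; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example: validate the v4-only /etc/sysconfig/nfs recipe from the
# reply and print the matching iptables rules. Nothing here touches the
# running system; the configuration checked is a constructed sample.

# Constructed sample of /etc/sysconfig/nfs with the v4-only settings applied.
SAMPLE_NFS_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_NFS_CONF"' EXIT
cat > "$SAMPLE_NFS_CONF" <<'EOF'
# Tell nfsd not to serve NFSv2 or NFSv3
RPCNFSDARGS="-N 2 -N 3"
MOUNTD_NFS_V1="no"
MOUNTD_NFS_V2="no"
# MOUNTD_NFS_V3 must stay commented out: nfsd needs mountd locally
#MOUNTD_NFS_V3="no"
EOF

# Print the effective (uncommented) value of KEY="value" in FILE, or nothing.
# $1 = file, $2 = key. Commented lines never match because of the anchor.
nfs_conf_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Return 0 when FILE follows the v4-only recipe, 1 (with a reason on stderr)
# otherwise. The last check catches the mistake the reply warns about:
# an uncommented MOUNTD_NFS_V3="no" breaks nfsd, which needs mountd locally.
nfs_v4_only_check() {
    f=$1
    case "$(nfs_conf_get "$f" RPCNFSDARGS)" in
        *"-N 2"*"-N 3"*|*"-N 3"*"-N 2"*) ;;
        *) echo "RPCNFSDARGS does not disable NFSv2 and NFSv3" >&2; return 1 ;;
    esac
    [ "$(nfs_conf_get "$f" MOUNTD_NFS_V1)" = no ] || { echo "MOUNTD_NFS_V1 is not \"no\"" >&2; return 1; }
    [ "$(nfs_conf_get "$f" MOUNTD_NFS_V2)" = no ] || { echo "MOUNTD_NFS_V2 is not \"no\"" >&2; return 1; }
    if [ "$(nfs_conf_get "$f" MOUNTD_NFS_V3)" = no ]; then
        echo "MOUNTD_NFS_V3=\"no\" must stay commented out (nfsd needs mountd)" >&2
        return 1
    fi
    return 0
}

# Print (do not apply) the only INPUT rules a v4-only server needs:
# portmapper on 111 and nfsd on 2049, tcp and udp, from one client subnet.
# Every other RPC daemon port stays closed by the chain's default policy.
nfs_v4_iptables_rules() {
    net=$1
    for port in 111 2049; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -s $net -p $proto --dport $port -j ACCEPT"
        done
    done
}

# Demo on the constructed sample.
if nfs_v4_only_check "$SAMPLE_NFS_CONF"; then
    echo "v4-only settings OK; rules to add for clients in 192.168.1.0/24:"
    nfs_v4_iptables_rules 192.168.1.0/24
fi
```

Point nfs_v4_only_check at a real /etc/sysconfig/nfs to audit a host; a non-zero exit with the stderr reason is the signal that the server will still answer NFSv3 (or, for the MOUNTD_NFS_V3 case, will not start cleanly), and the printed rules are the whole iptables allowance the server needs.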
