I want to export NFS from my SAN to some machines in my DMZ, which are in a different VLAN. To ensure only the NFS ports are visible, I want to use host-based firewall (IPF) to block all other ports, which is easy to do since I can specify the VLAN interface in the IPF rules.

Unfortunately, I use OpenBSD in the DMZ and it does not support NFSv4, so I have to use V3 instead, which entails having to deal with `mountd` random ports. I'd rather not open ports 2^15 - 2^16-1, and noticed that the ports reported by `rpcinfo -p localhost | grep mountd` only change each time I execute `svcadm restart svc:/network/nfs/server:default`.

I'm wondering how easy it might be to dynamically update the IPF rules immediately after `svcadm restart svc:/network/nfs/server:default` is executed? Is there an SMF trick that doesn't involve hacking /lib/svc/manifest/network/nfs/server.xml?

Would the best approach be to create a new SMF service definition in `/etc/svc/profile/site` that depends on svc:/network/nfs/server:default? Has anybody dynamically updated IPF rules like this before? Any gotchas to be aware of?

Thanks,
Kent
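As an added example (not from Kent's post, and not illumos or IPF project code), here is the kind of script a site-local SMF service could run after nfs/server restarts: it parses `rpcinfo -p` output and emits an IPF rule set that passes only the currently registered NFSv3 ports on the VLAN interface, blocking everything else. The interface name, the DMZ subnet and the rpcinfo sample below are constructed placeholders so the script runs offline.

```shell
#!/bin/sh
# Added example: generate IPF rules that expose only the NFSv3 ports
# currently registered with rpcbind, on one VLAN interface.
# Assumptions (placeholders): interface vnic0, DMZ subnet 192.0.2.0/24.

VLAN_IF="${VLAN_IF:-vnic0}"          # placeholder: DMZ-facing VLAN interface
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"   # placeholder: DMZ subnet (documentation range)

# Constructed sample of `rpcinfo -p localhost` output (not real ports).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100003    3   tcp   2049  nfs
    100005    1   udp  32879  mountd
    100005    1   tcp  32867  mountd
    100005    3   tcp  32867  mountd
    100021    4   tcp   4045  nlockmgr
    100024    1   tcp  32868  status'

# Print unique "proto port" pairs for one RPC service name, reading
# rpcinfo output on stdin. The header line never matches a service.
rpc_ports() {
    awk -v svc="$1" 'NF == 5 && $5 == svc { print $3, $4 }' | sort -u
}

# Emit IPF rules: pass rpcbind, nfs and the dynamically assigned
# mountd/nlockmgr/status ports from the DMZ subnet, then block the rest.
gen_ipf_rules() {
    iface="$1"; net="$2"; rpcinfo_out="$3"
    for svc in rpcbind nfs mountd nlockmgr status; do
        printf '%s\n' "$rpcinfo_out" | rpc_ports "$svc" |
        while read -r proto port; do
            printf 'pass in quick on %s proto %s from %s to any port = %s\n' \
                "$iface" "$proto" "$net" "$port"
        done
    done
    printf 'block in on %s all\n' "$iface"
}

# Stand-alone use on the NFS server, after nfs/server has restarted:
#   gen_ipf_rules "$VLAN_IF" "$DMZ_NET" "$(rpcinfo -p localhost)" > /etc/ipf/nfs-dmz.conf
#   ipf -Fa -f /etc/ipf/nfs-dmz.conf
```

Because the pass rules are `quick`, they match before the trailing block; regenerate the file each time the service restarts, since that is when the mountd/status ports change.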


-------------------------------------------
illumos-discuss
Archives: https://www.listbox.com/member/archive/182180/=now