Well, looking at svccfg for nfs/server I have:

firewall_context/ipf_method    astring  "/lib/svc/method/nfs-server ipfilter"

and in /lib/svc/method/nfs-server under the "ipfilter" section I have:

        # NFS related services are RPC. nfs/server has nfsd which has
        # well-defined port number but mountd is an RPC daemon.
        #
        # Essentially, we generate rules for the following "services"
        #  - nfs/server which has nfsd and mountd
        #  - nfs/rquota
        #
        # The following services are enabled for both nfs client and
        # server so we'll treat them as client services and simply
        # allow incoming traffic.
        #  - nfs/status
        #  - nfs/nlockmgr
        #  - nfs/cbd

and:

                tports=`$SERVINFO -R -p -t -s "mountd" 2>/dev/null`
                if [ -n "$tports" ]; then
                        for tport in $tports; do
                                generate_rules $FMRI $policy "tcp" $ip \
                                    $tport $file
                        done
                fi

                uports=`$SERVINFO -R -p -u -s "mountd" 2>/dev/null`
                if [ -n "$uports" ]; then
                        for uport in $uports; do
                                generate_rules $FMRI $policy "udp" $ip \
                                    $uport $file
                        done
                fi

Does this not work for you as expected?


On 17 October 2013 05:06, Kent Watsen <[email protected]> wrote:

>
> I want to export NFS from my SAN to some machines in my DMZ, which are in
> a different VLAN.  To ensure only the NFS ports are visible, I want to use
> host-based firewall (IPF) to block all other ports, which is easy to do
> since I can specify the VLAN interface in the IPF rules.
>
> Unfortunately, I use OpenBSD in the DMZ and it does not support NFSv4, so
> I have to use V3 instead, which entails having to deal with `mountd` random
> ports.  I'd rather not open ports 2^15 - 2^16-1, and noticed that the ports
> reported by `rpcinfo -p localhost | grep mountd` only change each time I
> execute `svcadm restart svc:/network/nfs/server:default`.
>
> I'm wondering how easy it might be to dynamically update the IPF rules
> immediately after `svcadm restart svc:/network/nfs/server:default` is
> executed?  - is there an SMF trick that doesn't involve hacking
> /lib/svc/manifest/network/nfs/server.xml?
>
> Would the best approach be to create a new SMF service definition in
> /etc/svc/profile/site that depends on svc:/network/nfs/server:default?
> Has anybody dynamically updated IPF rules like this before?  - any
> gotchas to be aware of?
>
> Thanks,
> Kent
>
>
> -------------------------------------------
> illumos-discuss
> Archives: https://www.listbox.com/member/archive/182180/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/182180/23508059-3f15f76a
> Modify Your Subscription: https://www.listbox.com/member/?&id_secret=23508059-af2a37cf
> Powered by Listbox: http://www.listbox.com
>



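The reply above describes the mechanism: the service's ipf_method looks up the ports mountd currently has registered with rpcbind (servinfo -R -p -t/-u) and turns each one into an ipfilter rule for the service's policy. The script below is an added example that is not the illumos nfs-server method script and does not reproduce generate_rules; it shows the same idea on a constructed `rpcinfo -p` listing (mountd on random ports, nfs on 2049) so it runs offline. The interface name vlan20, the DMZ network 10.20.0.0/24 and the exact rule wording are assumptions, not anything from the thread.

```sh
#!/bin/sh
# Added example, not the illumos nfs-server method script. It derives
# ipfilter "pass" rules for the ports an RPC daemon has registered right
# now, which is why the rules must be regenerated whenever the service
# restarts and mountd picks a new port. On a real host the listing would
# come from `rpcinfo -p localhost`; this is a constructed sample.
PORTMAP_OUTPUT='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100005    1   udp  40021  mountd
    100005    1   tcp  59883  mountd
    100005    3   udp  40021  mountd
    100005    3   tcp  59883  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   tcp  49162  nlockmgr
    100024    1   udp  35311  status'

# rpc_ports SERVICE PROTO: print the distinct ports SERVICE has registered
# for PROTO (tcp or udp), one per line. Columns of rpcinfo -p are
# program, version, proto, port, service.
rpc_ports() {
    printf '%s\n' "$PORTMAP_OUTPUT" |
        awk -v svc="$1" -v proto="$2" '$5 == svc && $3 == proto { print $4 }' |
        sort -un
}

# ipf_rules IFACE NET SERVICE...: emit one "pass in quick" rule for every
# (proto, port) the named RPC services currently use, limited to the DMZ
# interface and source network, then a final rule that blocks everything
# else arriving on that interface. Output is ipfilter rule syntax; the
# iface/net values passed in are the caller's assumptions.
ipf_rules() {
    iface=$1; net=$2; shift 2
    for svc in "$@"; do
        for proto in tcp udp; do
            for port in $(rpc_ports "$svc" "$proto"); do
                printf 'pass in quick on %s proto %s from %s to any port = %s keep state\n' \
                    "$iface" "$proto" "$net" "$port"
            done
        done
    done
    printf 'block in quick on %s all\n' "$iface"
}

# Hypothetical interface and DMZ network; adjust to the real VLAN.
ipf_rules vlan20 10.20.0.0/24 nfs mountd
```

With the sample listing this prints four pass rules (tcp/udp 2049 for nfs, tcp 59883 and udp 40021 for mountd) followed by the block rule. Because the port numbers are read from the live portmapper each time, running the script after a restart of nfs/server is what keeps the rules in step with mountd's new port, which is the job the service's ipf_method already does under the SMF ipfilter integration.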