On Wednesday 04 October 2006 14:14, Michael Sullivan 
<[EMAIL PROTECTED]> wrote about '[gentoo-user] OT - NFS and port 
numbers':
> How do I discover (or define) which port numbers NFS uses, and whether
> they are TCP or UDP so that I can let them through my firewall?

Short Answer: You can't.
Longer Answer: You can, but it's hard.  NFS, for better or worse, depends on 
a collection of RPC daemons, which generally use the portmapper service to 
bind to a random high port.  Fortunately, you can pass these daemons some 
options and have them bind to a port of your choice, so that you can let 
connections on that port through the firewall.

Per my /etc/services the core NFS service binds to well-known port 2049, so 
I started from there and added some entries to /etc/services (not strictly 
necessary, but some applications use it for port<->name mapping) and then 
tweaked my /etc/conf.d/nfs and /etc/sysctl.conf.  After that, you should 
be able to add some simple rules to your firewall.  Here are the interesting 
parts of my versions of those files:

[/etc/services]
nfs           2049/tcp  # Network File System
nfs           2049/udp
nfs-callback  2050/tcp
nfs-callback  2050/udp
nfs-nlm       2051/tcp
nfs-nlm       2051/udp
rpc-mountd    2052/tcp
rpc-mountd    2052/udp
rpc-statd     2053/tcp
rpc-statd     2053/udp
rpc-rquotad   2054/tcp
rpc-rquotad   2054/udp

[/etc/conf.d/nfs]
RPCMOUNTDOPTS="-p 2052"
RPCSTATDOPTS="-p 2053"
RPCRQUOTADOPTS="-p 2054"

[/etc/sysctl.conf]
# TCP Port for lock manager
fs.nfs.nlm_tcpport = 2051
# UDP Port for lock manager
fs.nfs.nlm_udpport = 2051
# TCP Port for NFS callback
fs.nfs.nfs_callback_tcpport = 2050

[/var/lib/iptables/rules-save]
-A INPUT -i eth0 -p udp -m udp --dport 2049:2054 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2049:2054 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT

Looking over things again, it appears that the options I've given 
in /etc/conf.d/nfs were added to /etc/init.d/nfs by another administrator.  
In any case, you should be able to find where the various daemons are 
started in /etc/init.d/nfs and add the appropriate options there, but let 
me know if you need further assistance.

Also, if you use the nfsmount service as well, be sure they start rpc.statd 
with the same options; I'm not sure why Gentoo doesn't have a separate 
rpc.statd service that nfs and nfsmount depend on.

-- 
"If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability."
-- Gentoo Developer Ciaran McCreesh
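As an added example (not part of the original mail), here is a small POSIX shell check that audits `rpcinfo -p` output against the port plan above, flagging any NFS-related RPC service that registered outside 111 or 2049-2054 and so would be blocked by those iptables rules. The rpcinfo output below is constructed; the function name is my own.

```shell
#!/bin/sh
# Added check (not from the original mail): confirm that the RPC services
# NFS depends on actually registered on ports the firewall rules above
# permit (111 for the portmapper, 2049-2054 for the rest).
# Feed it `rpcinfo -p` output, whose columns are:
#    program vers proto   port  service

check_rpc_ports() {
    # $1: rpcinfo -p output.  Prints one "service/proto/port" line per
    # NFS-related service bound outside the permitted ports; exit status
    # is 0 when all of them are reachable through the firewall, 1 otherwise.
    printf '%s\n' "$1" | awk '
        $1 == "program" { next }                     # skip the header line
        $5 ~ /^(portmapper|nfs|mountd|status|nlockmgr|rquotad)$/ {
            port = $4 + 0
            if (port != 111 && (port < 2049 || port > 2054)) {
                print $5 "/" $3 "/" port
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: everything pinned as in the mail except rpc.statd,
# which was started without "-p 2053" and so took a random high port.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   tcp   2051  nlockmgr
    100021    4   udp   2051  nlockmgr
    100005    3   tcp   2052  mountd
    100005    3   udp   2052  mountd
    100024    1   udp  32768  status
    100011    1   udp   2054  rquotad'

# Same registrations with rpc.statd pinned correctly.
FIXED_RPCINFO=$(printf '%s\n' "$SAMPLE_RPCINFO" | sed 's/32768  status/ 2053  status/')

# On a live server replace the sample with:  check_rpc_ports "$(rpcinfo -p)"
if offenders=$(check_rpc_ports "$SAMPLE_RPCINFO"); then
    echo "all NFS RPC services are on firewall-permitted ports"
else
    echo "registered outside the permitted ports (fix that daemon's -p option):"
    echo "$offenders"
fi
```

Run it on a server right after starting nfs and nfsmount; a stray rpc.statd on a random port is exactly the case the last paragraph warns about.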
