Thanks a lot for your quick reply and the links therein. Actually I did find (and read) those references before, but this introductory page http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-nfs.html#s1-nfs-how contains a statement like: "NFS version 4 (NFSv4) works through firewalls and on the Internet, no longer requires an rpcbind service, ..." which made me wonder whether the steps treating the ports dynamically assigned by rpcbind might not be relevant if only NFS4 is in use.
Oliver

================================================
PD Dr. Oliver H. Weiergräber
Institute of Complex Systems
ICS-6: Structural Biochemistry
Tel.: +49 2461 61-2028
Fax: +49 2461 61-1448
================================================

________________________________________
From: [email protected] [[email protected]] On Behalf Of [email protected] [[email protected]]
Sent: Thursday, March 01, 2012 5:48 PM
To: [email protected]
Subject: Re: [rhelv6-list] NFS and iptables

On 03/01/2012 10:39 AM, "Weiergräber, Oliver H." wrote:
> Hello,
>
> I am currently working through setting up NFS with RHEL 6, trying
> to arrange with iptables (and SELinux) which, admittedly, I used to
> disable in the past.

I am really glad to hear that you're using SELinux, this is great news. You probably want to take a peek at, e.g.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Booleans-Booleans_for_NFS_and_CIFS.html

and

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Mounting_File_Systems-Mounting_an_NFS_File_System.html

> Am I right thinking that when using NFS4, the one and only thing to
> do is open port 2049 in iptables?

Take a look at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Securing_NFS.html.

> Red Hat documentation is somewhat unclear with respect to port
> requirements: In all examples they recommend to fix and open
> several ports assigned by rpcbind, but nfs4 is said to not require
> rpcbind at all!

I don't know, there's a whole chapter on it at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-nfs.html

Specifically http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/s2-nfs-nfs-firewall-config.html talks about doing what you want.

Hope this is helpful!

-- 
Thomas Cameron, RHCA, RHCSS, RHCDS, RHCVA, RHCX
Chief Architect, Canada and Central US
512-241-0774 office / 512-585-5631 cell
http://people.redhat.com/tcameron/
IRC: choirboy / AIM: rhelguy / Yahoo: rhce_guy / Google+ http://ongpl.us/tdc
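
Added example, not part of the original thread or of Red Hat's documentation: a small audit of `iptables-save` output for a server that exports over NFSv4 only, separating the one ACCEPT rule NFSv4 needs (TCP 2049) from rules that matter only to the rpcbind-registered NFSv2/v3 helpers. The function names, the sample ruleset and the pinned helper ports passed as the argument are constructed for illustration; substitute whatever ports were fixed in `/etc/sysconfig/nfs` on the host being checked.

```shell
#!/bin/sh
# Assumption: the server is NFSv4-only, so TCP 2049 is the single NFS port
# that must be reachable; rpcbind (111) and the pinned mountd/statd/lockd
# ports are only needed by NFSv2/v3 clients.

# sample_rules: constructed iptables-save dump used as test input.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# nfs_port_audit "<pinned ports>": reads iptables-save text on stdin and
# prints one line per INPUT ACCEPT rule that opens an NFS-related port.
# $1 is a space-separated list of ports pinned for the NFSv3 helpers.
nfs_port_audit() {
    awk -v pinned="$1" '
    BEGIN {
        n = split(pinned, p, " ")
        for (i = 1; i <= n; i++) v3[p[i]] = 1
        v3["111"] = 1                      # rpcbind
    }
    $1 == "-A" && $2 == "INPUT" {
        proto = ""; ports = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (target != "ACCEPT" || ports == "") next
        m = split(ports, d, ",")           # multiport lists; ranges are not expanded
        for (k = 1; k <= m; k++) {
            if (d[k] == "2049" && proto == "tcp") print "needed " proto "/" d[k]
            else if (d[k] == "2049" || (d[k] in v3)) print "v3-only " proto "/" d[k]
        }
    }'
}

# Stand-alone run against the constructed sample.
sample_rules | nfs_port_audit "892 662 32803 32769"
```

On a live host, feed it `iptables-save` output instead of `sample_rules`; any `v3-only` line is a rule that can be dropped once no NFSv2/v3 clients remain.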
