[Gllug] NFS and Firewalls

Nix nix at esperi.org.uk
Sun Feb 13 17:02:29 UTC 2005


On Fri, 11 Feb 2005, Mick Farmer stipulated:
> I'm attempting to harden my computer's firewall using
> iptables.  I'm encountering a problem because I use NFS to
> access my home directory and I don't know what
> protocol/ports are used.

By default, they are UDP or TCP ports with numbers randomly assigned by
the portmapper. (NFS can work over UDP or TCP: which is in use depends
on your local configuration.)

>                           The scenario goes like this.
> 
> * Linux boots
> * Root login
> * Root mounts my home directory <== this is where I need advice

There is no login process involved before init(8) runs the scripts that
mount your home directory, nor in anything else involved in bringing the
system up. (Indeed, the kernel has no understanding of any `login'
concept; it's all a consistent illusion maintained by userspace.)

> * Root logs out

Neither is there a logout involved. init(8) has just switched
from running system initialization scripts to running gettys.
(See `man inittab' and the /etc/inittab file).


In general, you should be running NFS only behind a firewall, so the
only circumstance in which you should need to let NFS through a firewall
is if you're firewalling *every* machine from every other machine with a
deny-unknown policy (which I'd find too annoying, but might be
reasonable under some circumstances).

portmap runs on the `sunrpc' port (port 111, TCP and UDP). For NFS
proper, also look at the manpages for `rpc.nfsd', `rpc.mountd' and
`rpc.statd', specifically the `-p' options.


Needless to say, it is suicidally stupid to open NFS to the outside
world: *never* open port 111 in your external firewall! If you want to
do NFS across the open Internet, have a look at the Self-Certifying
Filesystem, <http://fs.net/>.

(It is rather difficult to mount your home directory over SFS. As in,
you'd better be good at fixing PAM modules before you try, because the
SFS PAM authentication module is likely to need some hacking...)

-- 
Synapsids unite! You have nothing to lose but your eggshells!
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
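As an added example that is not part of the original post: a POSIX shell script that turns the advice above into something checkable. It reads a `rpcinfo -p` listing to find which ports portmap has handed to nfs, mountd and statd, emits iptables rules that admit sunrpc (111) and those ports only from a trusted LAN and drop 111 from everywhere else, and verifies that services started with `-p` really sit on the ports the firewall expects. The `rpcinfo -p` listing is constructed, the 192.168.1.0/24 LAN and the pinned port numbers are assumptions, and the `nlockmgr` entry is the kernel lock manager, which the post does not cover.

```shell
#!/bin/sh
# Added example, not from the original post: derive the NFS-related RPC
# ports from `rpcinfo -p` output, emit iptables rules that admit them
# only from a trusted LAN (and drop sunrpc/111 from everywhere else),
# and verify that services pinned with `-p` really sit where expected.

# Constructed `rpcinfo -p` listing standing in for a live query. The
# port numbers are illustrative; run `rpcinfo -p` on your own NFS host.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100021    1   udp  32768  nlockmgr
    100021    4   tcp  32768  nlockmgr'

# Print unique "proto port service" triples for the RPC services NFS
# needs besides portmap itself. nlockmgr is the kernel lock manager
# (not covered in the post); its port is fixed kernel-side, not via -p.
nfs_rpc_ports() {
    printf '%s\n' "$1" | awk '
        NR > 1 && ($5 == "nfs" || $5 == "mountd" || $5 == "status" || $5 == "nlockmgr") {
            key = $3 " " $4 " " $5
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Emit iptables commands: $1 is the trusted LAN in CIDR form, $2 is the
# rpcinfo output. ACCEPT rules come first so the final DROP on 111
# catches only traffic from outside the LAN. Pipe the output to sh once
# you have reviewed it; the ports must be pinned or the rules go stale.
nfs_iptables_rules() {
    lan=$1
    echo "iptables -A INPUT -s $lan -p tcp --dport 111 -j ACCEPT"
    echo "iptables -A INPUT -s $lan -p udp --dport 111 -j ACCEPT"
    nfs_rpc_ports "$2" | while read -r proto port svc; do
        echo "iptables -A INPUT -s $lan -p $proto --dport $port -j ACCEPT  # $svc"
    done
    echo "iptables -A INPUT -p tcp --dport 111 -j DROP"
    echo "iptables -A INPUT -p udp --dport 111 -j DROP"
}

# Check that each service given as name=port is registered on exactly
# that port, e.g. after starting `rpc.mountd -p 32767` and
# `rpc.statd -p 32765` (assumed values). Returns non-zero and reports
# on any mismatch, so it can gate the firewall reload in a boot script.
check_fixed_ports() {
    out=$1; shift
    rc=0
    for spec in "$@"; do
        svc=${spec%=*}
        want=${spec#*=}
        got=$(printf '%s\n' "$out" | awk -v s="$svc" 'NR > 1 && $5 == s { print $4 }' | sort -u)
        if [ -z "$got" ]; then
            echo "$svc: not registered with portmap" >&2
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "$svc: expected port $want, found: $(printf '%s ' $got)" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: print the rules for a 192.168.1.0/24 LAN (assumed), then verify
# the pinned ports. Replace the sample with "$(rpcinfo -p)" on a real host.
nfs_iptables_rules 192.168.1.0/24 "$SAMPLE_RPCINFO"
check_fixed_ports "$SAMPLE_RPCINFO" mountd=32767 status=32765 nfs=2049
```

The rules only hold while the ports stay put, which is the reason for the `-p` options on `rpc.nfsd`, `rpc.mountd` and `rpc.statd`: without them portmap hands out a fresh port on each start and the generated ACCEPT rules silently stop matching. The script appends to INPUT, so on a host whose INPUT policy is already DROP the two trailing DROP rules are redundant, and on one whose policy is ACCEPT they are the only thing keeping 111 closed to the outside.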
