IPFILTER and NFS
Matt Juszczak
matt at atopia.net
Sun Apr 3 11:06:26 PDT 2005
Problem is that I need to firewall the client.
I don't have access to the NFS server... only the client. Your
configuration info showed me making changes on the server. Is there a
way to make the client work ok?
-Matt
Erik Nørgaard wrote:
> Matt Juszczak wrote:
>
>> Howdy,
>>
>> Trying to get IPFILTER and NFS working. A google search didn't show
>> much about my specific issue. With ipfilter working, nfs initially
>> works, until someone tries to login. Then it stops working. With my
>> firewall down on the NFS-CLIENT machine, it works fine. Any ideas?
>>
>> It appears to be an issue with random ports....
>
>
> It is, NFS is an RPC service where the RPC daemon is requested for
> info on which port mountd binds to. I wrote a howto for diskless
> clients, www.daemonsecurity.com/pxe/ - here's what to do:
>
> Enable nfs in /etc/rc.conf:
>
> rpcbind_enable="YES" # Run the portmapper service (YES/NO).
> nfs_server_enable="YES" # This host is an NFS server (or NO).
> mountd_enable="YES" # Run mountd (or NO).
> mountd_flags="-r -p 59" # Force mountd to bind on port 59
>
> As a minimum you need to enable rpcbind, nfsserver and mountd. lockd
> and statd provide file locking and status monitoring. By default,
> when mountd starts it binds to some arbitrary port, and rpc is used to
> discover which, making it impossible to firewall. With option '-p'
> mountd can be forced to bind to a specific port. Port 59 is assigned
> to "any private file service" (see /etc/services).
>
> This limits the number of ports relevant to 59, 111 and 2049. You
> can't force lockd and statd to bind to specific ports (they are also
> RPC services) and AFAIK you can't have disk quotas work correctly
> because of this.
>
> AFAIK NFS4 should address these problems, but the NFS4 server is still
> experimental.
>
> Till then, RPC is a security nightmare.
>
> Erik
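The client-side counterpart of the server settings quoted above, as an added example that is not part of the thread: an ipfilter ruleset for the NFS client that only opens the three ports the reply names (111, 59, 2049). It assumes the client's outside interface is em0, the server is at the placeholder address 192.0.2.10, and the server admin has pinned mountd with `-p 59`; lockd and statd traffic stays blocked because, per the reply, their ports cannot be pinned.

```conf
# /etc/ipf.rules on the NFS client (added example, not from the thread).
# Assumptions: interface em0, NFS server 192.0.2.10 (placeholder),
# server mountd pinned to port 59 via mountd_flags="-r -p 59".
# ipf is last-match; "quick" stops evaluation, so these pass rules
# must sit before any general "block out" / "block in" rule, and
# "keep state" lets the server's replies back in without extra rules.

# rpcbind/portmapper: the client asks it which port mountd listens on
pass out quick on em0 proto tcp from any to 192.0.2.10 port = 111 flags S keep state
pass out quick on em0 proto udp from any to 192.0.2.10 port = 111 keep state

# mountd: only predictable if the server side forced it onto port 59
pass out quick on em0 proto tcp from any to 192.0.2.10 port = 59 flags S keep state
pass out quick on em0 proto udp from any to 192.0.2.10 port = 59 keep state

# nfsd itself, always on 2049
pass out quick on em0 proto tcp from any to 192.0.2.10 port = 2049 flags S keep state
pass out quick on em0 proto udp from any to 192.0.2.10 port = 2049 keep state

# Everything else to or from the server is logged and dropped. lockd and
# statd use rpc-assigned ports (see the reply above), so file locking and
# status monitoring traffic lands here; the log lines show which ports
# a failing login actually tried, which is the check worth doing first.
block out log quick on em0 from any to 192.0.2.10
block in log quick on em0 from 192.0.2.10 to any
```

Load the ruleset with `ipf -Fa -f /etc/ipf.rules` and watch `ipmon` while a user logs in to see which blocked ports the mount is still reaching for.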