I am trying to lock down NFS (v3) to specific ports so that I can firewall the server. I have just switched from CentOS4 to CentOS5.2 and am trying to reproduce what I did there - but without success. I have tried two approaches and neither seems to work - some of the port requests are ignored.
(1) Directly editing the configuration files: So /etc/sysconfig/nfs reads (cat /etc/sysconfig/nfs | grep -v "#")
RQUOTAD_PORT=4004
LOCKD_TCPPORT=4002
LOCKD_UDPPORT=4002
MOUNTD_PORT=4003
STATD_PORT=4001
and when that did not work, I added a line in /etc/modules.conf
options lockd nlm_udpport=4002 nlm_tcpport=4002
I have also added a line in /etc/services
rquotad 4004/tcp
rquotad 4004/udp
(2) The second approach was to use system-config-nfs and to reproduce the same settings above.
The end result of all of this is that restarting portmapper, nfs and nfslock gives an error on starting NFS:
Starting NFS quotas: rpc.rquotad: Cannot bind to given address: Address already in use
and the following rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100011 1 udp 4004 rquotad
100011 2 udp 4004 rquotad
100011 1 tcp 745 rquotad
100011 2 tcp 745 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 4002 nlockmgr
100021 3 udp 4002 nlockmgr
100021 4 udp 4002 nlockmgr
100021 1 tcp 4002 nlockmgr
100021 3 tcp 4002 nlockmgr
100021 4 tcp 4002 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 4003 mountd
100005 1 tcp 4003 mountd
100005 2 udp 4003 mountd
100005 2 tcp 4003 mountd
100005 3 udp 4003 mountd
100005 3 tcp 4003 mountd
100024 1 udp 4001 status
100024 1 tcp 4001 status
So you see that rquotad has its tcp_port on 745 (or some other random port).
Any ideas what I could be missing?
Thanks
Andy
Locking down nfs - port settings ignored?
Re: Locking down nfs - port settings ignored?
OK - I think my problem may be related to this bug
https://bugzilla.redhat.com/show_bug.cgi?id=450208
So every time I was restarting nfs it was not shutting down rpc.rquotad, which is why the chosen port was already in use (so it attempts to bind to another random one).
Re: Locking down nfs - port settings ignored?
As a workaround, I've added a patch to that bug report:
* https://bugzilla.redhat.com/show_bug.cgi?id=450208#c2
Also, since you're probably locking the ports down for firewall reasons, you'll most likely also encounter this problem:
* https://bugzilla.redhat.com/show_bug.cgi?id=434795
I've also added a workaround to that bug report:
* https://bugzilla.redhat.com/show_bug.cgi?id=434795#c7
Enjoy!
Re: Locking down nfs - port settings ignored?
Thanks for the warning Msquared!
In fact, I had also noticed the LOCKD problem, which was why I put the options in /etc/modprobe.conf. I will add your patch just in case.
Re: Locking down nfs - port settings ignored?
And after applying the patches, have you been able to mount an NFS filesystem through a firewall? If yes, can you please post your iptables and some details?
Thank you.
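As an added example (my own script, not something any poster in this thread supplied), here is a small POSIX sh audit that does two things the thread circles around: it checks an `rpcinfo -p` listing against the fixed ports from /etc/sysconfig/nfs, so that a daemon that silently fell back to a random port (like rquotad on tcp/745 above) is flagged before the firewall blocks it, and it prints the matching iptables ACCEPT rules that the last post asks for. The rpcinfo sample is constructed to mirror the listing in the first post, the client network 192.0.2.0/24 is a placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit rpcinfo -p output against the fixed NFSv3 ports and
# emit firewall rules for them. Not part of the original thread.

# Service -> port map matching the thread's /etc/sysconfig/nfs. portmapper
# (111) and nfs (2049) are fixed by the protocol and are listed so the audit
# covers every registration rpcinfo shows.
EXPECTED_PORTS="portmapper=111 nfs=2049 rquotad=4004 nlockmgr=4002 mountd=4003 status=4001"

# Constructed rpcinfo -p output mirroring the first post, including the two
# rquotad tcp registrations that landed on a random port.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp   4004  rquotad
    100011    2   udp   4004  rquotad
    100011    1   tcp    745  rquotad
    100011    2   tcp    745  rquotad
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    1   udp   4002  nlockmgr
    100021    1   tcp   4002  nlockmgr
    100005    1   udp   4003  mountd
    100005    1   tcp   4003  mountd
    100024    1   udp   4001  status
    100024    1   tcp   4001  status'

# expected_port NAME: print the configured port for NAME; status 1 if unknown.
expected_port() {
    for kv in $EXPECTED_PORTS; do
        case "$kv" in
            "$1"=*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    return 1
}

# check_nfs_ports: read rpcinfo -p output on stdin. Prints one line per
# registration that is not on its expected port (or is an unexpected service)
# and returns 1 if any were found, 0 if every registration matches.
check_nfs_ports() {
    bad=0
    # Fields per line: program vers proto port service; the header has no
    # service column, so it is skipped by the empty-name test.
    while read -r prog vers proto port name; do
        [ "$prog" = "program" ] && continue
        [ -z "$name" ] && continue
        if want=$(expected_port "$name"); then
            if [ "$port" != "$want" ]; then
                printf 'MISMATCH %s %s %s expected %s\n' "$name" "$proto" "$port" "$want"
                bad=1
            fi
        else
            printf 'UNKNOWN %s %s %s\n' "$name" "$proto" "$port"
            bad=1
        fi
    done
    return $bad
}

# print_iptables_rules NET: emit (not apply) one ACCEPT rule per service and
# transport, limited to the trusted client network NET (placeholder value).
print_iptables_rules() {
    net=$1
    for kv in $EXPECTED_PORTS; do
        port=${kv#*=}
        for proto in tcp udp; do
            printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' "$net" "$proto" "$port"
        done
    done
}

# Run the audit against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_RPCINFO" | check_nfs_ports \
    || echo "audit failed: fix the port config or restart the daemon before adding firewall rules"
```

On a live server replace the sample with `rpcinfo -p | check_nfs_ports`; only when it exits 0 do the printed rules describe what the server actually listens on, which is exactly the gap the rquotad restart bug opens up.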