Locking down nfs - port settings ignored?

theorist
Posts: 121
Joined: 2005/05/19 15:09:45

Locking down nfs - port settings ignored?

Postby theorist » 2008/07/15 11:47:25

I am trying to lock down NFS (v3) to specific ports so that I can firewall the server. I have just switched from CentOS4 to CentOS5.2 and am trying to reproduce what I did there - but without success. I have tried two approaches and neither seems to work - some of the port requests are ignored.

(1) Directly editing the configuration files: So /etc/sysconfig/nfs reads (cat /etc/sysconfig/nfs | grep -v "#")
RQUOTAD_PORT=4004
LOCKD_TCPPORT=4002
LOCKD_UDPPORT=4002
MOUNTD_PORT=4003
STATD_PORT=4001

and when that did not work, I added a line in /etc/modules.conf
options lockd nlm_udpport=4002 nlm_tcpport=4002

I have also added a line in /etc/services
rquotad 4004/tcp
rquotad 4004/udp

(2) The second approach was to use system-config-nfs and to reproduce the same settings above.

The end result of all of this is that restarting portmapper, nfs and nfslock gives an error on starting NFS:
Starting NFS quotas: rpc.rquotad: Cannot bind to given address: Address already in use

and the following rpcinfo -p

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp   4004  rquotad
    100011    2   udp   4004  rquotad
    100011    1   tcp    745  rquotad
    100011    2   tcp    745  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp   4002  nlockmgr
    100021    3   udp   4002  nlockmgr
    100021    4   udp   4002  nlockmgr
    100021    1   tcp   4002  nlockmgr
    100021    3   tcp   4002  nlockmgr
    100021    4   tcp   4002  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp   4003  mountd
    100005    1   tcp   4003  mountd
    100005    2   udp   4003  mountd
    100005    2   tcp   4003  mountd
    100005    3   udp   4003  mountd
    100005    3   tcp   4003  mountd
    100024    1   udp   4001  status
    100024    1   tcp   4001  status

So you see that rquotad has its tcp_port on 745 (or some other random port).

Any ideas what I could be missing?
Thanks
Andy

theorist
Posts: 121
Joined: 2005/05/19 15:09:45

Re: Locking down nfs - port settings ignored?

Postby theorist » 2008/07/15 12:03:16

OK - I think my problem may be related to this bug

https://bugzilla.redhat.com/show_bug.cgi?id=450208

So every time I restarted nfs it was not shutting down rpc.rquotad, which is why the chosen port was already in use (so it attempted to bind to another random one).

Msquared
Posts: 21
Joined: 2007/04/23 16:57:18

Re: Locking down nfs - port settings ignored?

Postby Msquared » 2008/07/15 14:58:45

As a workaround, I've added a patch to that bug report:

* https://bugzilla.redhat.com/show_bug.cgi?id=450208#c2

Also, since you're probably locking the ports down for firewall reasons, you'll most likely also encounter this problem:

* https://bugzilla.redhat.com/show_bug.cgi?id=434795

I've also added a workaround to that bug report:

* https://bugzilla.redhat.com/show_bug.cgi?id=434795#c7

Enjoy!

theorist
Posts: 121
Joined: 2005/05/19 15:09:45

Re: Locking down nfs - port settings ignored?

Postby theorist » 2008/07/16 07:38:08

Thanks for the warning, Msquared!
In fact I had also noticed the LOCKD problem, which was why I put the options in /etc/modprobe.conf. I will add your patch just in case.

fernandoch
Posts: 17
Joined: 2008/01/22 09:24:07
Location: Spain

Re: Locking down nfs - port settings ignored?

Postby fernandoch » 2008/07/26 06:36:35

And after applying the patches, have you been able to mount an NFS filesystem through a firewall? If yes, can you please post your iptables and some details?

Thank you.
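Two things the thread leaves to the reader: a check that every RPC service listed by `rpcinfo -p` actually landed on the port pinned in /etc/sysconfig/nfs (the check that would have flagged rquotad's TCP side sitting on 745 in the first post), and the iptables rules fernandoch asks for. The script below is an added example written for this page, not code from any of the posters. It assumes the port numbers from the first post's /etc/sysconfig/nfs (portmapper on 111 and nfs on 2049 are fixed by default), the client network given to the rule generator is an assumption, and the embedded rpcinfo output is a constructed, abridged copy of the one quoted above with rquotad's TCP port still wrong.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code): verify that the RPC
# services reported by `rpcinfo -p` sit on the ports pinned in /etc/sysconfig/nfs,
# and print matching iptables rules. Ports are those from the first post;
# portmapper (111) and nfs (2049) are fixed by default, not set in that file.

# expected_port NAME -> pinned port for that RPC service, or empty if unknown.
expected_port() {
    case "$1" in
        portmapper) echo 111 ;;
        nfs)        echo 2049 ;;
        status)     echo 4001 ;;   # STATD_PORT
        nlockmgr)   echo 4002 ;;   # LOCKD_TCPPORT / LOCKD_UDPPORT
        mountd)     echo 4003 ;;   # MOUNTD_PORT
        rquotad)    echo 4004 ;;   # RQUOTAD_PORT
        *)          echo "" ;;
    esac
}

# check_rpcinfo: read `rpcinfo -p` output on stdin; print one line per service
# that is not on its pinned port (or not in the list at all); return 1 if any.
check_rpcinfo() {
    rc=0
    while read -r prog vers proto port name; do
        # skip blank lines and the "program vers proto port" header
        case "$prog" in ''|program) continue ;; esac
        want=$(expected_port "$name")
        if [ -z "$want" ]; then
            echo "UNKNOWN $name $proto/$port (not in the allow-list)"
            rc=1
        elif [ "$port" != "$want" ]; then
            echo "MISMATCH $name $proto/$port expected $want"
            rc=1
        fi
    done
    return $rc
}

# nfs_iptables_rules CLIENT_NET: print (do not apply) INPUT rules that accept
# only the pinned ports from CLIENT_NET. Every service is allowed on both
# tcp and udp, matching what rpcinfo registers; trim the list if you drop UDP.
nfs_iptables_rules() {
    net="$1"
    for svc in portmapper nfs status nlockmgr mountd rquotad; do
        p=$(expected_port "$svc")
        for proto in tcp udp; do
            echo "iptables -A INPUT -s $net -p $proto --dport $p -j ACCEPT  # $svc"
        done
    done
}

# sample_rpcinfo: constructed, abridged copy of the rpcinfo -p output quoted in
# the first post, with rquotad's TCP side still on a random port (745).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp   4004  rquotad
    100011    1   tcp    745  rquotad
    100011    2   tcp    745  rquotad
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100021    4   udp   4002  nlockmgr
    100021    4   tcp   4002  nlockmgr
    100005    3   udp   4003  mountd
    100005    3   tcp   4003  mountd
    100024    1   udp   4001  status
    100024    1   tcp   4001  status
EOF
}

# Usage on a live server (client network is an example value):
#   rpcinfo -p | check_rpcinfo && nfs_iptables_rules 192.168.1.0/24
```

Run the check after every restart of portmap, nfs and nfslock: because of the rquotad shutdown bug discussed above, a service that was pinned correctly on one boot can silently fall back to a random port on the next restart, and a firewall built from the pinned list then blocks it. The rule generator prints the commands instead of applying them so it can be run as an ordinary user and diffed against the running ruleset; a real policy still needs the usual ESTABLISHED/RELATED rule and a default DROP, which are outside this example.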