|
|
Configuring NFS under Linux for Firewall controlBy: Chris Lowth <chris@lowth.com>
PlatformsThis document has been written with reference to RedHat 7.x and 8.x systems but is appropriate for other Linux distributions. The author warmly invites comments, corrections and (in particular) news of using this approach on other Linuxes. Follow-up contributions.I have received numerous mails since writing this article, some of which include more information which may be of general use. Thanks to the authors for permission to reproduce their comments here.. Introduction.When setting up IPTABLES firewalling for Linux systems running the NFS service (network file system), you hit the problem that some of the TCP/IP and UDP ports used by components of the service are randomly generated as part of the “SunRPC” mechanism. This document is part of the LinWiz tool kit, and describes how to set up NFS in such a way that meaningful firewall rules can be applied to the system. The LinWiz toolkit.LinWiz is a free-to-use on-line Linux IPTables configuration wizard, designed for novices and experts alike. LinWiz presents a simple, single-page questionaire for you to fill in, and then generates a personalised iptable configuration file for download onto the Linux server, firewall or router/gateway. Click here to use this software on line. Viewing the used ports.On a system that is up and running with the NFS service active, the ports used by the components of the service can be listed using the command “rpcinfo -p”. The output will look something like this... program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 32814 status
100024 1 tcp 33024 status
100011 1 udp 670 rquotad
100011 2 udp 670 rquotad
100011 1 tcp 673 rquotad
100011 2 tcp 673 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 32816 nlockmgr
100021 3 udp 32816 nlockmgr
100021 4 udp 32816 nlockmgr
100005 1 udp 32818 mountd
100005 1 tcp 33025 mountd
100005 2 udp 32818 mountd
100005 2 tcp 33025 mountd
100005 3 udp 32818 mountd
100005 3 tcp 33025 mountdThis listing shows the IP ports for the various versions of the service used in the 4th column. If you view this listing on different systems (or even after rebooting the same one) you may well find that the port numbers are different – this is a real problem when configing firewalls, which tend to assume that known port numbers are used for the services being configured. Setting up NFS to use fixed IP ports.To make it possible to configure a firewall that controls NFS, it is useful to be able to “tie” down the ports used by these services to fixed values. Luckily this is possible in RedHat Linux versions 7 and 8 (and, I suspect; other linux distributions), although the methods for setting these port numbers are different for each of the daemons. The following table lists the NFS daemons and summarises the relevant information for them. The sections that follow give more detail.
Portmapper [Standard port: 111]The portmapper is implemented by the “portmap” program which is part of the “portmap” RPM package. The service uses port 111 on both the TCP and UDP protocols. Portmapper provides the mapping between application names and IP ports, and is therefore analogous to the /etc/service file except that it relates to RPC programs only. Firewall rules that refer to portmapper should refer to TCP/IP and UDP packets on port 111. Status [Random port. Suggestion: 4000]The rpc.statd server implements the NSM (Network Status Monitor) RPC protocol. This service is somewhat misnamed, since it doesn't actually provide active monitoring as one might suspect; instead, NSM implements a reboot notification service. It is used by the NFS file locking service, rpc.lockd, to implement lock recovery when the NFS server machine crashes and reboots. The rpc.statd program is part of the “nfs-utils” RPM package. While rpc.statd is normally allocated a random port number by the portmapper, it is possible to configure a fixed port number by supplying the “-p” command line option when the program is launched. This can be done as follows .. Edit the file /etc/init.d/nfslock and change the “start()” procedure to add “-p” and a port number to the line “daemon rpc.statd”. The changed procedure looks like this (this change is coloured in red).. start() {
# Start daemons.
if [ "$USERLAND_LOCKD" ]; then
echo -n $"Starting NFS locking: "
daemon rpc.lockd
echo
fi
echo -n $"Starting NFS statd: "
daemon rpc.statd -p 4000
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/nfslock
return $RETVAL
}Once the above change has been made, firewall rules should refer to TCP/IP and UDP packets on the chosen port. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux). NFS Daemon [Standard port: 2049]The rpc.nfsd program implements the user level part of the NFS service. The main functionality is handled by the nfsd.o kernel module; the user space program merely starts the specified number of kernel threads. The rpc.nfsd program normally listens on port number 2049, so firewall rules can be created to refer to that port (unless it is changed from the default value). (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux). NFS Lock Manager [Random port. Suggestion: 4001]The NFS lock manager is a kernel module. It implements the NLM (NFS Lock Manager) part of the NFS subsystem, used for handling file and resource locks of various types. This component is sometimes referred to "rpc.lockd", and shows up in the output of rpcinfo as "nlockmgr"(hey - consistancy would only make life booring!). On systems where the lock manager is implemented as a loadable module the port number used is set at module load time, and so is configured by adding (or editting) a line in the /etc/modules.conf file, as follows.. options lockd nlm_udpport=4001 nlm_tcpport=4001 This sets the udp and tcp/ip port numbers. Conventionally, these two numbers should be set to the same value. If your system has the lockd code compiled into the main kernel binary rather than as a loadable module, then the settings in modules.conf wont work. You need to add the parameters "lockd.udpport=4001 lockd.tcpport=4001" to the kernel command line in the lilo or grub configuration instead. Note on the linux kernel versions before 2.4.12: - the handling of these parameters was introduced into linux kernel version 2.4.11. But since 2.4.11 is flagged as a "dont use" release, you should verify that your system has kernel 2.4.12 or later installed in order for this to work. Use the command "uname -a" to see the kernel version you are running.
To fix the port used by the NFS Lock Manager, add a line (as above) to /etc/modules.conf or lilo.conf (or grub.conf) as appropriate, and configure the firewall to manage the port number selected. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux). mountd [Random port. Suggestion: 4002]
While rpc.mountd is normally allocated a random port number by the portmapper, it is possible to configure a fixed port number by supplying the “-p” command line option when the program is launched. This can be done by editting or creating the file /etc/sysconfig/nfs and adding the following line.. MOUNTD_PORT=4002 Once this edit has been made, configure the firewall to manage the port number selected. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux). rquotad [Random port. Suggestion: 4003]
To use this package to update the existing one..
Once the updated "quota" package is installed, you can "fix" the port used by rpc.rquotad as follows..
Once thes changes have been made, configure the firewall to manage the port numbers selected. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux). |