LinuxQuestions.org

-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Firewalls & NFS mounting 1-2-3 (https://www.linuxquestions.org/questions/linux-security-4/firewalls-and-nfs-mounting-1-2-3-a-848302/)

pjz 12-04-2010 06:21 AM

Firewalls & NFS mounting 1-2-3
 
Hello everyone-

I'm a Fedora user who has recently installed F14. For a long time now, I've struggled quite a bit with firewalls and NFS. As is frequently the case with things on the internet, there's plenty of information out there on how to get the firewall to work with NFS, but none of it seems to read as simply as the very basic recipe I'll call out below.

To start with, there are lots of really great web pages devoted to getting NFS file sharing going on your system of computers. I point the reader to ...

http://www.faqs.org/docs/Linux-HOWTO...html#FIREWALLS

... because it also has the explanation of firewalls that worked best for me.

In summary, the issue is the floating TCP/UDP ports handled by the portmapper. There are the well-known fixed ports at 111 and 2049, but then there's a slew of floating ports that support such essential NFS daemons as statd, mountd, lockd, and rquotad.

In particular, there is a combination of one tool and one file involved in preparing the firewall for protecting an NFS server.

Tool: system-config-firewall, for declaring cleared TCP/UDP ports

File: /etc/sysconfig/nfs, for mapping the ports used for statd, mountd, lockd, and rquotad. I found this file to be available in my release of Fedora 14.

Step 1. Follow a suitable set of directions to set up an NFS server. This may involve the use of a tool such as system-config-nfs, and probably involves setting up /etc/exports and the command exportfs. There's a lot of guidance on the web for setting this up. I've cited just one of the many applicable URLs above. Google "Linux NFS tutorial" and take your pick.

Step 2. In super-user mode, edit the file /etc/sysconfig/nfs. In my distro, the entire file is commented out on installation. Uncomment the lines that contain any item from the following list:
"LOCKD_TCPPORT"
"LOCKD_UDPPORT"
"MOUNTD_PORT"
"STATD_PORT"
"STATD_OUTGOING_PORT"
Along with these will be a set of port numbers. When you uncomment these lines, you pin the ports that would otherwise "float", i.e. be dynamically assigned at run-time. This is crucial, because now it's possible to declare such ports open. Otherwise, nfs won't work unless one basically disables the firewall, because there can be too many port possibilities to efficiently declare.

BTW, one doesn't have to stick with the ports indicated in /etc/sysconfig/nfs. As you'll see in Step 3, the open ports are nominally assigned to certain common services. If you don't plan on employing such services, re-using them for nfs is okay, and even if you do use them for nfs you can assign different ports for the other services. But maybe you'd prefer to assign one of the many other unused ports that have no other common use. There's such a block up at 40000-40841. Just change the port numbers on the relevant lines in /etc/sysconfig/nfs. Leaving this edit window open, proceed to step 3...

Step 3. Open up the firewall configuration tool by invoking system-config-firewall, or reach it in KDE through Administration->Firewall. Click on the "Other ports" menu selection on the left. You'll have to give the root password a couple of times before you're done with the firewall, so expect that. Look into the /etc/sysconfig/nfs file you've got open, and add the port numbers you've set on the lines you uncommented. As well, don't forget to add UDP/TCP port 111 for portmapper and UDP/TCP port 2049 for nfs. These last two port sets don't show up in /etc/sysconfig/nfs because they are well known and fixed. But you still have to declare them, otherwise things won't work.

...and that's it! Restart the affected processes and you'll be able to NFS-mount remotely through the firewall. It all takes about five minutes to do if you work carefully, but it took me years to finally get right, because I wasn't getting all the TCP/UDP ports declared. But now, hopefully, anyone else who reads this will be spared the frustration of knowing it can work but not being quite sure how to make it work.
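The three steps above, assembled into one script as an added example that is not part of pjz's post: it checks that every helper-daemon port in /etc/sysconfig/nfs is actually pinned (the "floating port" case is the one that fails), derives the full TCP/UDP port list including the fixed 111 and 2049, and emits the rule lines that system-config-firewall writes to /etc/sysconfig/iptables for "Other ports" entries. The variable names are the ones Fedora's /etc/sysconfig/nfs uses (RQUOTAD_PORT is included for the rquotad daemon the post names, even though the post's list omits it); the port numbers in the sample configs are constructed, taken from the unused 40000-40841 block the post mentions.

```shell
#!/bin/sh
# Added example, not from the post: pin the NFS helper ports and derive the
# firewall openings from /etc/sysconfig/nfs instead of typing them by hand.
# Variable names are the ones Fedora's /etc/sysconfig/nfs uses; the port
# numbers below are a constructed sample from the 40000-40841 block.

# Constructed stand-in for the uncommented part of /etc/sysconfig/nfs.
# On a real box pass "$(cat /etc/sysconfig/nfs)" instead.
SAMPLE_NFS_CONF='
# Port rpc.statd should listen on.
STATD_PORT=40001
# Outgoing port rpc.statd should use for callbacks.
STATD_OUTGOING_PORT=40002
# Port rpc.mountd should listen on.
MOUNTD_PORT=40003
# TCP and UDP ports rpc.lockd should listen on.
LOCKD_TCPPORT=40004
LOCKD_UDPPORT=40005
# Port rpc.rquotad should listen on.
RQUOTAD_PORT=40006
'

# Constructed sample of a file where only mountd was pinned and the rest
# was left commented out, i.e. still floating.
SAMPLE_UNPINNED='
#LOCKD_TCPPORT=32803
#LOCKD_UDPPORT=32769
MOUNTD_PORT=892
#STATD_PORT=662
#STATD_OUTGOING_PORT=2020
#RQUOTAD_PORT=875
'

# Check that every helper port is pinned (uncommented, numeric value).
# Names any that are not on stderr and returns 1: that is the situation
# where NFS only works with the firewall switched off.
nfs_check_pinned() {
    missing=""
    for var in LOCKD_TCPPORT LOCKD_UDPPORT MOUNTD_PORT STATD_PORT \
               STATD_OUTGOING_PORT RQUOTAD_PORT; do
        if ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*'"$var"'="?[0-9]+"?[[:space:]]*$'; then
            missing="$missing $var"
        fi
    done
    [ -z "$missing" ] || { echo "still floating:$missing" >&2; return 1; }
}

# Print "proto port" for every port the firewall must accept, one per line.
# 111 (portmapper) and 2049 (nfsd) are fixed and never appear in the file,
# so they are added unconditionally; lockd has separate TCP and UDP
# settings, every other pinned port is opened for both protocols.
nfs_firewall_ports() {
    {
        printf 'tcp 111\nudp 111\ntcp 2049\nudp 2049\n'
        printf '%s\n' "$1" | awk -F= '
            /^[[:space:]]*#/ || NF < 2 { next }
            {
                var = $1; port = $2
                gsub(/[[:space:]"]/, "", var); gsub(/[[:space:]"]/, "", port)
                if (port !~ /^[0-9]+$/) next
                if (var == "LOCKD_TCPPORT")      print "tcp " port
                else if (var == "LOCKD_UDPPORT") print "udp " port
                else if (var ~ /_PORT$/)         { print "tcp " port; print "udp " port }
            }'
    } | sort -u
}

# Turn "proto port" lines on stdin into the INPUT rules that
# system-config-firewall writes to /etc/sysconfig/iptables.
nfs_iptables_rules() {
    while read -r proto port; do
        printf '%s\n' "-A INPUT -m state --state NEW -m $proto -p $proto --dport $port -j ACCEPT"
    done
}

# Stand-alone run: refuse if anything still floats, else print the rules.
nfs_check_pinned "$SAMPLE_NFS_CONF" && nfs_firewall_ports "$SAMPLE_NFS_CONF" | nfs_iptables_rules
```

The emitted rules accept from any source, which is what "Other ports" in system-config-firewall does too; on a server that only serves one LAN, add `-s <client network>` to each rule. After changing either file, restart the nfs and iptables services so the daemons bind to the pinned ports and the new rules load; `rpcinfo -p` on the server then shows mountd, status and nlockmgr on the numbers you declared.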

