From: Allen Kistler <ackistler@oohay.moc>
Newsgroups: comp.os.linux.security
Subject: Re: Firewall & NFS
Date: Sun, 04 Dec 2005 17:32:05 GMT
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.7.12-1.3.1

Some NFS-associated ports are dynamic, so the ports you specified probably aren't valid. Typically outbound traffic on a connection allows the inbound traffic to return through netfilter. Netfilter makes up a state at startup, allowing your "established" connections to continue. (At least I suspect that's what's happening.)

portmap port is always 111

nfsd port is always 2049

lockd port can be defined in /etc/modprobe.conf

mountd and statd ports can be defined as startup options (how you define them varies with distro; RH and FC use /etc/sysconfig/nfs)

rquotad port can't be defined (last I checked, but you don't need it unless you're using quotas)

See man pages and assorted, existing howtos for more info.




From: EricT <ericteuber@web.de>
Newsgroups: comp.os.linux.security
Subject: Re: Firewall & NFS
Date: Mon, 05 Dec 2005 22:37:24 +0100
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050716)

1) You can choose which protocol is used with NFS, so you don't need to open both protocols for that particular traffic.

2) Allen is absolutely right; the ports can be dynamic, like passive FTP.

3) You should use interface settings instead of IP addresses, or use both.

4) Open the server port and allow established (related) traffic from one to the other.

As far as I know, these rules should do it.

server 1
# new connections from server 2 to portmap, replies back as established/related
iptables -A INPUT -i <int-iface1> -s <nfs-ip2> -d <nfs-ip1> -p <protocol> --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o <int-iface1> -d <nfs-ip2> -s <nfs-ip1> -p <protocol> -m state --state RELATED,ESTABLISHED -j ACCEPT

server 2
iptables -A INPUT -i <int-iface2> -s <nfs-ip1> -d <nfs-ip2> -p <protocol> --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o <int-iface2> -d <nfs-ip1> -s <nfs-ip2> -p <protocol> -m state --state RELATED,ESTABLISHED -j ACCEPT

greetz,
Eric
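Putting both posts together (Allen's point that mountd/statd/lockd must be pinned before a port-based firewall can work, and Eric's NEW,ESTABLISHED / RELATED,ESTABLISHED rule pair), here is an added example script that is not from either poster: it emits the full rule set for a server whose daemons are pinned, and checks `rpcinfo -p` output to confirm nothing is still on a dynamic port. The interface name, the 192.0.2.x addresses and the pinned ports 892/662/32803 are assumed sample values; the rpcinfo listing is constructed, not a real capture.

```sh
#!/bin/sh
# Added example, not code from the thread. Emits the iptables rules for an NFS
# server whose dynamic daemons (mountd, statd, lockd) have been pinned to fixed
# ports, so every service the client needs is on a known port. The pinned
# values 892/662/32803 are sample numbers assumed here; they must match what you
# set in the distro's NFS startup config and the lockd module options.
# Usage: nfs_fw_rules <iface> <server-ip> <client-ip> [mountd statd lockd]

PORTMAP_PORT=111    # always fixed
NFSD_PORT=2049      # always fixed

nfs_fw_rules() {
    iface=$1; server=$2; client=$3
    mountd=${4:-892}; statd=${5:-662}; lockd=${6:-32803}
    # One INPUT rule per service port and protocol; NFS may use either udp or tcp.
    for port in $PORTMAP_PORT $NFSD_PORT $mountd $statd $lockd; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -i $iface -s $client -d $server -p $proto" \
                 "--dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
        done
    done
    # Replies to the client only; the server never opens new connections to it.
    for proto in tcp udp; do
        echo "iptables -A OUTPUT -o $iface -s $server -d $client -p $proto" \
             "-m state --state RELATED,ESTABLISHED -j ACCEPT"
    done
}

# Verifies the pinning took effect: reads 'rpcinfo -p' output on stdin and
# returns 1 (listing the offenders) if any NFS-related service is registered
# on a port outside the allowed list, i.e. a port the rules above do not cover.
check_pinned() {
    awk -v allowed="$1" '
        BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $5 ~ /^(portmapper|nfs|mountd|status|nlockmgr)$/ && !($4 in ok) {
            bad = 1; print "unpinned: " $5 " on " $3 "/" $4
        }
        END { exit bad }'
}

# Constructed sample of 'rpcinfo -p' output (not a real capture): mountd here
# landed on a dynamic port, so check_pinned reports it.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100003    3   udp   2049  nfs
    100005    1   udp  32771  mountd'

nfs_fw_rules eth1 192.0.2.10 192.0.2.20
printf '%s\n' "$SAMPLE_RPCINFO" | check_pinned "111 2049 892 662 32803" || echo "fix pinning before applying rules"
```

Run it on the real `rpcinfo -p` output after restarting NFS; if check_pinned passes, the emitted rules cover every port the client will be directed to.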