davidshen84 (Guru), Joined: 09 Aug 2008, Posts: 321
Posted: Tue Jun 09, 2009 9:18 am, Post subject: how to config nfs to go through iptables firewall?
Hi,
mount.nfs would use ports 111, 2049 and a dynamically assigned port to communicate with nfsd, so I cannot configure my iptables rules to allow the dynamic port.
I have searched the web and found some information for other Linux distros, but none of it applies to Gentoo. I hope someone can help me here.
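An added example, not from this thread or any of its posters, showing how a defender can find out which NFS helper services are sitting on dynamic ports before writing any iptables rules. The `rpcinfo -p` sample below is constructed for the example; the well-known set (111 for the portmapper, 2049 for nfs), the LAN range and the function names are assumptions of the script, not anything the poster ran.

```shell
#!/bin/sh
# Added example, not from the thread. Parses `rpcinfo -p` output to show which
# NFS-related RPC services are registered on dynamic ports, and emits iptables
# rules (printed for review, not applied) that allow the registered ports from
# the LAN only.

# CONSTRUCTED sample of `rpcinfo -p` output for an NFS v3 server; real output varies.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    3   udp  32769  mountd
    100005    3   tcp  32771  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32770  nlockmgr
    100021    4   tcp  32772  nlockmgr
    100024    1   udp  32768  status
    100024    1   tcp  32773  status'

# nfs_ports: read `rpcinfo -p` text on stdin, print unique "service proto port" triples.
# The header line is skipped and any line without the five columns is ignored.
nfs_ports() {
    awk 'NR > 1 && NF == 5 { print $5, $3, $4 }' | sort -u
}

# dynamic_services: names of services registered outside the well-known ports
# 111 (portmapper) and 2049 (nfs). These move between reboots unless the daemons
# are pinned, so a static iptables rule for them goes stale. Prints one
# space-separated line, e.g. "mountd nlockmgr status".
dynamic_services() {
    nfs_ports | awk '$3 != 111 && $3 != 2049 { print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# iptables_rules LAN_CIDR: emit one ACCEPT rule per registered port, restricted to
# the given LAN source range. Printed rather than executed so they can be reviewed.
iptables_rules() {
    lan="$1"
    nfs_ports | awk -v lan="$lan" '{
        printf "iptables -A INPUT -s %s -p %s --dport %s -m comment --comment %s -j ACCEPT\n", lan, $2, $3, $1
    }'
}

# Usage: on a real server, replace the sample with `rpcinfo -p | dynamic_services`.
printf '%s\n' "$RPCINFO_SAMPLE" | dynamic_services
printf '%s\n' "$RPCINFO_SAMPLE" | iptables_rules 192.168.1.0/24
```

If `dynamic_services` prints anything, rules generated from a single snapshot will break after the next reboot; the usual fix is to pin those daemons first (rpc.mountd and rpc.statd accept a `--port` option, lockd's ports are set with the `fs.nfs.nlm_tcpport` and `fs.nfs.nlm_udpport` sysctls, and on Gentoo the daemon options are normally set in /etc/conf.d/nfs) and only then generate the rules. The `-s` restriction keeps the exposure to the LAN, which is the situation the poster describes.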
fangorn (Veteran), Joined: 31 Jul 2004, Posts: 1886
Posted: Tue Jun 09, 2009 11:51 am
NFS over a firewall is possible but a major p.i.t.a.
In most cases it is better to just use Samba or sshfs, fish or something else.
Edit: This is true for NFS v3. Also, NFS v3 is totally unencrypted.
NFS v4 should provide encryption and configurable ports for exactly this situation, but I never tried it.
depontius (Advocate), Joined: 05 May 2004, Posts: 3526
Posted: Tue Jun 09, 2009 12:49 pm
Are you trying to get NFS to yourself through the firewall, or serve it to others?
If it's just for your own use, I'd suggest using OpenVPN: let it go through the tunnel, and let the tunnel through the firewall. Much simpler.
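An added example, not part of depontius's post, that checks the property his suggestion depends on: NFS reachable only inside the tunnel (or from the LAN), with the firewall admitting nothing but the VPN port from outside. It audits an `iptables -S INPUT` listing; the listing below is constructed, and the tunnel interface `tun0`, the LAN range and the OpenVPN port 1194 are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Audits `iptables -S INPUT` output and reports
# portmapper/nfs ACCEPT rules that are reachable from anywhere, i.e. limited
# neither to the VPN tunnel interface nor to the LAN source range.

# CONSTRUCTED sample of `iptables -S INPUT` output: OpenVPN allowed on the public
# interface, NFS allowed on the tunnel and from the LAN, plus two leftover rules
# that expose NFS to the public interface.
IPTABLES_SAMPLE='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT'

# exposed_nfs_rules TUN_IF LAN_CIDR: read `iptables -S` lines on stdin and print every
# ACCEPT rule for port 111 (portmapper) or 2049 (nfs) that carries neither
# "-i TUN_IF" nor "-s LAN_CIDR". The dynamic NFS v3 helper ports are not covered.
exposed_nfs_rules() {
    tun="$1"; lan="$2"
    awk -v tun="$tun" -v lan="$lan" '
        /-j ACCEPT/ && /--dport (111|2049)( |$)/ {
            if (index($0, "-i " tun " ") == 0 && index($0, "-s " lan " ") == 0) print
        }'
}

# exposed_count TUN_IF LAN_CIDR: number of exposed rules, for use in a scripted check.
# grep -c prints 0 but exits 1 when nothing matches, so the exit status is masked.
exposed_count() {
    exposed_nfs_rules "$1" "$2" | grep -c . || true
}

# Usage: on a real host, `iptables -S INPUT | exposed_nfs_rules tun0 192.168.1.0/24`.
printf '%s\n' "$IPTABLES_SAMPLE" | exposed_nfs_rules tun0 192.168.1.0/24
```

Run against the sample, the check flags the `eth0` rule for 2049 and the unscoped rule for 111; a ruleset that follows the tunnel approach should produce no output at all.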
davidshen84 (Guru), Joined: 09 Aug 2008, Posts: 321
Posted: Tue Jun 09, 2009 1:01 pm
> depontius wrote:
> Are you trying to get NFS to yourself through the firewall, or serve it to others?
> If it's just for your own use, I'd suggest using OpenVPN: let it go through the tunnel, and let the tunnel through the firewall. Much simpler.

Actually, the NFS server is in my LAN, and I use it only from within the LAN. It is OK to turn off the firewall altogether, but I just want to know if it is possible to configure NFS to work with iptables.
depontius (Advocate), Joined: 05 May 2004, Posts: 3526
Posted: Tue Jun 09, 2009 3:47 pm
> davidshen84 wrote:
> Actually, the NFS server is in my LAN, and I use it only from within the LAN. It is OK to turn off the firewall altogether, but I just want to know if it is possible to configure NFS to work with iptables.

In that case, I'd keep the firewall tight and keep the NFS inside. Though I get the impression that NFSv4 can be set up securely, in general NFS is well-known for its lack of security. In a general sense, I suspect you're asking if iptables has a portmapper helper module. A quick perusal, and I don't think it does - at least it doesn't appear to be stock, though maybe someone has written one as an add-on. In general, portmapper is mentally tied to NFS, and friends don't help friends get NFS (or portmapper) through a firewall.
davidshen84 (Guru), Joined: 09 Aug 2008, Posts: 321
Posted: Wed Jun 10, 2009 1:43 am
> depontius wrote:
> > davidshen84 wrote:
> > Actually, the NFS server is in my LAN, and I use it only from within the LAN. It is OK to turn off the firewall altogether, but I just want to know if it is possible to configure NFS to work with iptables.
>
> In that case, I'd keep the firewall tight and keep the NFS inside. Though I get the impression that NFSv4 can be set up securely, in general NFS is well-known for its lack of security. In a general sense, I suspect you're asking if iptables has a portmapper helper module. A quick perusal, and I don't think it does - at least it doesn't appear to be stock, though maybe someone has written one as an add-on. In general, portmapper is mentally tied to NFS, and friends don't help friends get NFS (or portmapper) through a firewall.

Thanks, I got it ;)