Firewalling NFS while keeping your sanity
If you’ve ever tried to set up NFS behind a firewall, you know that it’s not trivial. NFS relies on several helper daemons, and on portmap in particular: clients contact portmap first, and it tells them which ports daemons like mountd, statd, and lockd are listening on. Each of these daemons listens on its own port (several ports in some cases), and by default they pick those ports arbitrarily at startup. This makes it next to impossible to firewall a default NFS configuration. In this post we’ll pin those daemons to fixed ports so you can firewall them easily.
The primary config for NFS on RedHat systems is /etc/sysconfig/nfs, present once the nfs service is installed. Among the many entries in this file, you’ll find a few key ones (commented out by default):
#MOUNTD_PORT=""
#RQUOTAD_PORT=""
#LOCKD_TCPPORT=""
#LOCKD_UDPPORT=""
#STATD_PORT=""
#STATD_OUTGOING_PORT=""
You can set these values to static entries (I’ve used some arbitrary high-numbered ports here):
MOUNTD_PORT="5551"
STATD_PORT="5552"
LOCKD_TCPPORT="5553"
LOCKD_UDPPORT="5554"
RQUOTAD_PORT="5555"
STATD_OUTGOING_PORT="5556"
… and then just match up these values in your firewall config. Here I’m using Netfilter:
/sbin/iptables -A my_input_chain -m state --state ESTABLISHED,RELATED -j ACCEPT
# nfs homedir automounts
/sbin/iptables -A my_input_chain -m state --state NEW -m tcp -p tcp -s 192.168.10.0/24 --dport 111 -j ACCEPT
/sbin/iptables -A my_input_chain -m state --state NEW -m udp -p udp -s 192.168.10.0/24 --dport 111 -j ACCEPT
/sbin/iptables -A my_input_chain -m state --state NEW -m tcp -p tcp -s 192.168.10.0/24 --dport 2049 -j ACCEPT
/sbin/iptables -A my_input_chain -m state --state NEW -m udp -p udp -s 192.168.10.0/24 --dport 2049 -j ACCEPT
/sbin/iptables -A my_input_chain -m state --state NEW -m tcp -p tcp -s 192.168.10.0/24 --dport 5551:5556 -j ACCEPT
/sbin/iptables -A my_input_chain -m state --state NEW -m udp -p udp -s 192.168.10.0/24 --dport 5551:5556 -j ACCEPT
I’ve added a source address match for a specific network as an example. It’s important to lock down access to NFS as much as you possibly can, as it is well known for its lack of security (traditional NFS trusts the client’s IP address and the UIDs it presents). Newer versions such as NFSv4 address this with Kerberos authentication and the like, but whenever you’re given the opportunity to take the secure road, take it!
Now set up your /etc/exports as you wish, fire up your nfs service, and you’re good to go!
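One check worth running after the restart is to confirm that every daemon actually honoured its pinned port, since a daemon that silently fell back to an arbitrary port will simply be blocked by the rules above. The script below is an added example (my own, not from the original post): it parses `rpcinfo -p` output and prints every RPC registration whose port is outside the firewalled set. The sample output is constructed and assumes statd ignored STATD_PORT.

```shell
#!/bin/sh
# Verify that every RPC service registered with portmap listens on a port the
# firewall opens. Input is `rpcinfo -p` output (program vers proto port service).
# Hypothetical helper written for this post, not part of the NFS tooling.

# Ports the firewall rules above allow: 111 (portmap), 2049 (nfs), 5551-5556.
ALLOWED_PORTS="111 2049 5551 5552 5553 5554 5555 5556"

# check_rpc_ports: reads rpcinfo -p output on stdin and prints "proto port
# service" for each registration whose port is not in ALLOWED_PORTS.
# Returns 0 when every registration is covered by the firewall, 1 otherwise.
check_rpc_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # skip the header line and anything that is not a full registration line
        $1 == "program" || NF < 5 { next }
        !($4 in ok) { print $3, $4, $5; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: statd ignored STATD_PORT and picked 32768, while the
# other daemons honoured /etc/sysconfig/nfs.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp   5551  mountd
    100005    3   udp   5551  mountd
    100024    1   tcp  32768  status
    100024    1   udp  32768  status
    100021    4   tcp   5553  nlockmgr
    100021    4   udp   5554  nlockmgr'

# On a real host, replace the sample with:  rpcinfo -p | check_rpc_ports
if printf '%s\n' "$SAMPLE_RPCINFO" | check_rpc_ports; then
    echo "all RPC services are on firewalled ports"
else
    echo "some RPC services listen outside the firewalled port set (listed above)"
fi
```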
