NFS ports for firewall?

Charles Curley charlescurley at charlescurley.com
Thu Apr 28 18:12:07 MDT 2005


On Thu, Apr 28, 2005 at 04:47:11PM -0600, Lonnie Olson wrote:
> On Apr 28, 2005, at 4:30 PM, Charles Curley wrote:
> >I recently added a wireless AP to my network. This means I now want
> >firewalls on all my boxen. Which ports do I have to have open so I can
> >export NFS?
> >
> >I found:
> >
> >sunrpc		111/tcp		portmapper	# RPC 4.0 portmapper TCP
> >sunrpc		111/udp		portmapper	# RPC 4.0 portmapper UDP
> >nfs		2049/tcp	nfsd
> >nfs		2049/udp	nfsd
> >
> >What else?
> 
> Those should be fine for normal use, but you can also look at other 
> open ports via `rpcinfo -p`.

Thanks, that helped.

> 
> Also be aware of security.  NFS has only host/IP based security,
> meaning anyone driving by that can hop on your WAP, choose an IP
> address, mount your exports, and may do nasty things.

Very much aware of the issues here. I'm going to re-write the export
file to allow only specific IP addresses, and they are all already RO
anyway.

Using iptables-[save|restore] and some braindead scripting, I now have
two firewalls, one for when I want to allow NFS, and one for when I
don't. :-)

And I don't put anything critical on them. As far as I'm concerned, if
some bozon wants to do a drive-by crack and slurp in 3 GB of Fedora
Core ISOs, he/she/it is welcome to it.


> 
> --lonnie

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
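Added example for the exchange above (this is not code from the thread or from either poster): the reply points out that 111 and 2049 are only the fixed part of the picture, and that `rpcinfo -p` shows the rest. On most NFS servers of that era mountd, nlockmgr and status register on dynamic high ports, so a firewall that opens only 111 and 2049 will still break mounts or locking. The script below reads `rpcinfo -p` output, extracts every proto/port pair the portmapper has registered, and turns them into iptables ACCEPT rules limited to one trusted source network, which matches the "allow only specific IP addresses" approach in the post. The rpcinfo sample is constructed, and the high-numbered ports in it are assumed values; the source network 192.168.1.0/24 is likewise an assumption.

```shell
#!/bin/sh
# Build a source-restricted iptables rule set for NFS from `rpcinfo -p`
# output. Added example; the rpcinfo listing below is constructed and the
# mountd/nlockmgr/status ports are assumed values that differ per host.

SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100021    1   udp  32770  nlockmgr
    100021    1   tcp  32771  nlockmgr
    100024    1   udp  32772  status
    100024    1   tcp  32773  status'

# rpc_ports: read `rpcinfo -p` output on stdin and print each distinct
# "proto port" pair once. The header line is skipped, and only rows whose
# third field is tcp/udp and whose fourth field is numeric are accepted.
rpc_ports() {
    awk 'NR > 1 && $3 ~ /^(tcp|udp)$/ && $4 ~ /^[0-9]+$/ { print $3, $4 }' |
        sort -u
}

# nfs_rules SRC_CIDR: read "proto port" pairs on stdin and print one
# iptables ACCEPT rule per pair that only matches the given source network.
# These are meant for an INPUT chain whose default policy is DROP, so
# anything outside SRC_CIDR never reaches the RPC services at all.
nfs_rules() {
    src="$1"
    while read -r proto port; do
        printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
            "$src" "$proto" "$port"
    done
}

# count_lines: helper that counts lines on stdin without wc's padding.
count_lines() {
    awk 'END { print NR }'
}

# Stand-alone demo: on a real server replace the sample with `rpcinfo -p`.
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ports | nfs_rules 192.168.1.0/24
```

Two things follow from running this against the sample. First, four of the five RPC services sit on ports that rpcinfo discovers at run time, so the rule set must be regenerated (or the services pinned to fixed ports in the NFS daemon configuration) whenever the server restarts; otherwise the "allow NFS" firewall silently stops matching. Second, because rpcinfo is the same query a stranger on the WAP can make, the source-address restriction in every rule is what actually keeps the exports private, exactly the point the reply makes about host/IP based security.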