
Re: NFS and IP filters



Alex Shnitman wrote:

> I'm setting up IP filters on a firewall, and I need to add rules that
> allow NFS mounting to pass through (don't worry, not from outside,
> between two parts of the network here). What ports do I need to open?

You usually can't tell.

> I inherited the firewall setup from the previous admin with the
> following ports open: sunrpc, nfsd, 769 & 778. Now if I disable the
> filters, mount, and then enable them again -- it continues to be
> mounted and it works. However I can't do the mount without disabling
> the filters for a moment. What ports am I missing? And does anyone
> know what are ports 769 and 778?

You're missing the mountd port.  Mountd (like most RPC daemons) does
not pick a specific port to listen on, but gets one assigned to it
on each run by the system.  It then registers that port with the
portmapper (which always listens on the `sunrpc' port).  When a client
wishes to mount a filesystem, it consults the server's portmapper to
obtain the port of its mountd, and only then calls mountd.

Stateful firewalls (case in point: FW-1) typically solve this by
parsing the portmapper traffic that goes through them and allowing
traffic to ports returned in portmapper requests.  (Note the
tunneling opportunity here if the portmapper isn't trustworthy.)

Some people rely on their systems being deterministic.  That is,
since mountd runs from the boot scripts, and the boot sequence is
well known, then all things being equal it will always get the same
port number assigned to it.  That happens surprisingly often (e.g. the
`secret' rpcbind port security problem), but can't be counted on.
(And obviously it can't be counted on with systems that randomize
port numbers like OpenBSD does.)

I suspect that the entries you inherited for 769 and 778 are attempts
to rely on mountd having these port numbers.  That's obviously broken.

The real solution is system dependent.  Some versions of mountd allow
you to set their port from the command line.  Some will notice an
entry for `mountd' in services(4) and use that.  Some will do both.
And conversely, some clients allow you to specify a mount(1) option
with the server's mountd port.  Unfortunately, this isn't a
standardized area, so this really depends on how modern a system you're
using.  If you can wire down the mountd port in this manner, you can
safely filter it.  Otherwise, you need stateful filtering.

If neither is available, you'll have to resort to non-robust
solutions, such as counting on the port number being the same across
reboots, or opening up a port range.
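One defender-side check for the port drift described above, as an added example that is not part of the original thread: it parses `rpcinfo -p` output (a constructed sample here; the 769/778 mountd assignments are assumed to mirror the thread's numbers) and lists the registered portmapper/mountd/nfs ports that a given filter does not yet allow, so the rules can be verified after each reboot.

```python
# Added example, not from the original post. Parses the output of
# `rpcinfo -p <server>` and compares the ports RPC services actually
# registered against the ports the IP filter allows.

# Constructed sample of `rpcinfo -p` output (assumption: mountd landed on
# 769/udp and 778/tcp on this boot, as the thread's inherited rules suggest).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    769  mountd
    100005    1   tcp    778  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100021    1   udp   1027  nlockmgr
"""

# Ports the filter currently opens: sunrpc, nfsd, and the inherited 769/778.
ALLOWED = {("tcp", 111), ("udp", 111), ("tcp", 2049), ("udp", 2049),
           ("udp", 769), ("tcp", 778)}


def parse_rpcinfo(text):
    """Return a list of (service, proto, port) tuples from rpcinfo -p output."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a 5-column data row.
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        _program, _vers, proto, port, service = fields
        entries.append((service, proto, int(port)))
    return entries


def uncovered_ports(entries, allowed, needed=("portmapper", "mountd", "nfs")):
    """Registered ports of the services a mount needs that the filter blocks."""
    return [(svc, proto, port) for svc, proto, port in entries
            if svc in needed and (proto, port) not in allowed]


if __name__ == "__main__":
    for svc, proto, port in uncovered_ports(parse_rpcinfo(SAMPLE_RPCINFO), ALLOWED):
        print(f"{svc} registered on {port}/{proto} but the filter does not allow it")
```

Running it against live `rpcinfo -p` output after a reboot shows immediately whether mountd was assigned a port outside the rule set.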
