Fedora 18 NFS and iptables changes

In previous versions of Fedora, if you wanted to add some firewall protection to NFS, you could configure static ports for the various daemons in the file /etc/sysconfig/nfs as follows:

RQUOTAD_PORT=49152
STATD_PORT=49153
MOUNTD_PORT=49154
LOCKD_TCPPORT=49155
LOCKD_UDPPORT=49155
STATD_OUTGOING_PORT=49156

Those settings don't have the expected effect on Fedora 18. These are the ports actually in use with that configuration:

# systemctl restart nfs-lock.service
# systemctl restart nfs-server.service
# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  47768  status
    100024    1   tcp  36896  status
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100021    1   udp  49155  nlockmgr
    100021    3   udp  49155  nlockmgr
    100021    4   udp  49155  nlockmgr
    100021    1   tcp  49155  nlockmgr
    100021    3   tcp  49155  nlockmgr
    100021    4   tcp  49155  nlockmgr
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd

Note that mountd and status are on random ports and rquotad is on its default port 875, not the ones we specified (only lockd honoured its setting).
Fedora 18 instead expects the ports to be passed as arguments to the individual daemons:

#
# Optional options passed to rquotad
RPCRQUOTADOPTS="--port 49152"
#
# Optional arguments passed to in-kernel lockd
LOCKDARG=""
# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=49155
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=49155
#
# Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
RPCNFSDARGS=""
# Number of nfs server processes to be started.
# The default is 8. 
RPCNFSDCOUNT=8
# Set V4 grace period in seconds
#NFSD_V4_GRACE=90
#
# Optional arguments passed to rpc.mountd. See rpc.mountd(8)
RPCMOUNTDOPTS="--port 49154"
#
# Optional arguments passed to rpc.statd. See rpc.statd(8)
STATDARG="--outgoing-port 49153 --port 49156"
#
# Optional arguments passed to rpc.idmapd. See rpc.idmapd(8)
RPCIDMAPDARGS=""
#
# Optional arguments passed to rpc.gssd. See rpc.gssd(8)
RPCGSSDARGS=""
#
# Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
RPCSVCGSSDARGS=""
#
# To enable RDMA support on the server by setting this to
# the port the server should listen on
#RDMA_PORT=20049 
#
# Optional arguments passed to blkmapd. See blkmapd(8)
BLKMAPDARGS=""

and now the list of ports:

# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  49156  status
    100024    1   tcp  49156  status
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100021    1   udp  49155  nlockmgr
    100021    3   udp  49155  nlockmgr
    100021    4   udp  49155  nlockmgr
    100021    1   tcp  49155  nlockmgr
    100021    3   tcp  49155  nlockmgr
    100021    4   tcp  49155  nlockmgr
    100005    1   udp  49154  mountd
    100005    1   tcp  49154  mountd
    100005    2   udp  49154  mountd
    100005    2   tcp  49154  mountd
    100005    3   udp  49154  mountd
    100005    3   tcp  49154  mountd
    100011    1   udp  49152  rquotad
    100011    2   udp  49152  rquotad
    100011    1   tcp  49152  rquotad
    100011    2   tcp  49152  rquotad

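As an added example (not part of the original post), a small shell check that parses rpcinfo -p output and flags any RPC service not listening on the port pinned above, plus the matching iptables rules that admit those ports only from a trusted subnet. The sample rpcinfo output and the 192.0.2.0/24 subnet are constructed placeholders.

```shell
#!/bin/sh
# Trusted client subnet (constructed placeholder; replace with your own).
NFS_TRUSTED_NET="192.0.2.0/24"

# Constructed sample of `rpcinfo -p` output, one line per service/proto.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp  49156  status
    100003    4   tcp   2049  nfs
    100021    4   tcp  49155  nlockmgr
    100005    3   tcp  49154  mountd
    100011    2   udp  49152  rquotad'

# expected_port SERVICE: print the port pinned in /etc/sysconfig/nfs above;
# return 1 for services we do not track.
expected_port() {
    case "$1" in
        portmapper)  echo 111 ;;
        nfs|nfs_acl) echo 2049 ;;
        rquotad)     echo 49152 ;;
        status)      echo 49156 ;;
        mountd)      echo 49154 ;;
        nlockmgr)    echo 49155 ;;
        *) return 1 ;;
    esac
}

# check_rpc_ports: read `rpcinfo -p` output on stdin, print one MISMATCH line
# per service that drifted off its pinned port, return 1 if any did.
# A drifted port means the firewall rules below no longer cover that service.
check_rpc_ports() {
    rc=0
    while read -r program vers proto port service; do
        [ "$program" = "program" ] && continue          # skip header line
        want=$(expected_port "$service") || continue    # untracked service
        if [ "$port" != "$want" ]; then
            echo "MISMATCH $service/$proto on $port, expected $want"
            rc=1
        fi
    done
    return $rc
}

# nfs_iptables_rules: emit ACCEPT rules for the pinned ports (tcp and udp),
# restricted to the trusted subnet; everything else stays at the chain default.
nfs_iptables_rules() {
    for proto in tcp udp; do
        for port in 111 2049 49152 49154 49155 49156; do
            echo "iptables -A INPUT -s $NFS_TRUSTED_NET -p $proto --dport $port -j ACCEPT"
        done
    done
}
```

Run `rpcinfo -p | check_rpc_ports` after restarting nfs-lock and nfs-server; a non-zero exit means a daemon ignored its port setting, as in the first listing above.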
I saw this in a Bugzilla report