
NFS


Installing NFS in Debian

Making your computer an NFS server or client is very easy. A Debian NFS client needs

# apt-get install nfs-common portmap

while a Debian NFS server needs 

# apt-get install nfs-kernel-server nfs-common portmap

Edit the /etc/exports file

Add the stores to share, such as:

/store/dyn/movies 192.168.69.102(ro)
/store/files/movie-archive 192.168.69.102(ro)
/store/dyn/torrents 192.168.169.10(rw,sync)
   
Apply the changes with:
# exportfs -a
   
On the client, edit /etc/fstab to mount the share automatically, such as:
192.168.9.12:/store/dyn/torrents /torrents nfs rw,rsize=32768,wsize=32768,soft,intr,nfsvers=3,tcp,noatime,nodev,async 0 0

Firewall Friendly Settings

When you set up a tight firewall, you go with the "deny all, allow some" paradigm. The SunRPC system was designed around the "trust the remote system" and the "make it simple for the admin, use dynamic ports" paradigms. Fortunately, the services you use with NFS have port options to work better with your firewall.

The following examples are modifications to a Debian 3.1 (Sarge) system with a 2.6 Linux kernel. In most cases they do not indicate the full contents of the files, just the parts that were modified.

It's easy to configure the port options for the statd, mountd and quotad RPC services, thanks to the use of /etc/default/* by the init scripts:

 # /etc/default/nfs-common
 STATDOPTS="--port 32765 --outgoing-port 32766"
 # /etc/default/nfs-kernel-server
 RPCMOUNTDOPTS="-p 32767"
 # /etc/default/quota
 RPCRQUOTADOPTS="-p 32769"

The nfs daemon (rpc.nfsd or just nfsd) will listen on port 2049 by default if no port is specified.

The change to /etc/services isn't necessary at all. It just helps produce nice (sensible) output from netstat -tl on the NFS server.

 # /etc/services
 # NFS ports as per the NFS-HOWTO
 # http://www.tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS
 # Listing here does not mean they will bind to these ports. 
 rpc.nfsd        2049/tcp                        # RPC nfsd
 rpc.nfsd        2049/udp                        # RPC nfsd
 rpc.statd-bc    32765/tcp                       # RPC statd broadcast
 rpc.statd-bc    32765/udp                       # RPC statd broadcast
 rpc.statd       32766/tcp                       # RPC statd listen
 rpc.statd       32766/udp                       # RPC statd listen
 rpc.mountd      32767/tcp                       # RPC mountd
 rpc.mountd      32767/udp                       # RPC mountd
 rpc.lockd       32768/tcp                       # RPC lockd/nlockmgr
 rpc.lockd       32768/udp                       # RPC lockd/nlockmgr
 rpc.quotad      32769/tcp                       # RPC quotad
 rpc.quotad      32769/udp                       # RPC quotad

I created /etc/modprobe.d/local.conf to provide the lockd module with options.

 # /etc/modprobe.d/local.conf
 options lockd nlm_udpport=32768 nlm_tcpport=32768
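
To confirm after a restart that each RPC service really registered on its pinned port, compare the output of rpcinfo -p with the values above. The script below is an added example, not part of the original page; the function names and the sample rpcinfo output are constructed for illustration.

```shell
# Added example: check `rpcinfo -p` output against the ports pinned on this page.
# Real use: rpcinfo -p <server> | check_rpc_ports

check_rpc_ports() {
    # Reads `rpcinfo -p` output on stdin, prints one line per problem and
    # returns non-zero if a service is missing or off its pinned port.
    awk '
        BEGIN {
            want["portmapper"] = 111;  want["nfs"] = 2049
            want["status"] = 32765;    want["mountd"] = 32767
            want["nlockmgr"] = 32768;  want["rquotad"] = 32769
            bad = 0
        }
        $1 ~ /^[0-9]+$/ && NF >= 5 {       # skips the header line
            proto = $3; port = $4; svc = $5
            key = svc SUBSEP port SUBSEP proto
            if (key in dup) next            # one report per service/port/proto
            dup[key] = 1
            if (!(svc in want)) { printf "UNEXPECTED %s %s/%s\n", svc, port, proto; bad = 1; next }
            seen[svc] = 1
            if (port != want[svc]) {
                printf "MISMATCH %s %s/%s expected %d\n", svc, port, proto, want[svc]
                bad = 1
            }
        }
        END {
            for (s in want) if (!(s in seen)) { printf "MISSING %s\n", s; bad = 1 }
            exit bad
        }
    '
}

# Constructed sample: lockd still on a dynamic port (module options not applied).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   tcp  32765  status
    100003    3   tcp   2049  nfs
    100021    3   udp  45231  nlockmgr
    100021    3   tcp  45231  nlockmgr
    100005    3   tcp  32767  mountd
    100011    2   udp  32769  rquotad
EOF
}

sample_rpcinfo | check_rpc_ports || echo "RPC port pinning incomplete"
```

A MISMATCH line means the service is listening outside the range the firewall rules allow; if you do not run quotas, remove rquotad from the want table so it is not reported as MISSING.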

Firewall Rules

Creating rules for your firewall for the above services should now be as simple as creating rules for more common services that bind to known ports, like http.

Shorewall

An example of allowing a firewall server to make NFS mounts from an internal server. This rule set for the Shorewall firewall allows traffic for portmap (111), nfs (2049) and the pinned RPC ports (32765:32769). The mount program in Etch appears to prefer tcp connections to nfs and mountd, so we add tcp rules for all ports and ranges.

 # Allow nfs mounts to local network
 ACCEPT          fw      loc             udp     111
 ACCEPT          fw      loc             tcp     111
 ACCEPT          fw      loc             tcp     2049
 ACCEPT          fw      loc             udp     2049
 ACCEPT          fw      loc             tcp     32765:32769
 ACCEPT          fw      loc             udp     32765:32769

See The List Of All Shared Directories

Type the following command:
$ showmount -e server-Ip-address
$ showmount -e 192.168.1.1



 