NFS services come up on arbitrary ports all over the place. Let's pin them to a defined set of ports so we can firewall them.
This information is based on http://www.lowth.com/LinWiz/nfs_help.html, but it has been altered to use the shortcuts provided by the Fedora Core distribution rather than editing startup scripts. Also see http://www.faqs.org/docs/Linux-HOWTO/NFS-HOWTO.html.
Change the ports that statd and mountd will listen on.
cat <<EOF >> /etc/sysconfig/nfs
STATD_PORT=4000
MOUNTD_PORT=4002
EOF
Change the options for the lockd kernel module.
cat <<EOF >> /etc/modprobe.conf
options lockd nlm_udpport=4001 nlm_tcpport=4001
EOF
Get rquotad running on a predictable port. Add this to the bottom of /etc/services.
cat <<EOF >> /etc/services
rquotad 4003/tcp # run on predictable port for NFS iptables
rquotad 4003/udp # run on predictable port for NFS iptables
EOF
For reference, /etc/services already carries these entries for port 4003:
pxc-splr-ft 4003/tcp # pxc-splr-ft
pxc-splr-ft 4003/udp # pxc-splr-ft
echo "sunrpc: ALL" >> /etc/hosts.deny
echo "sunrpc: 10.1.1.0/24" >> /etc/hosts.allow
Now rpcinfo -p looks like this:
# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 4000 status
100024 1 tcp 4000 status
100011 1 udp 4003 rquotad
100011 2 udp 4003 rquotad
100011 1 tcp 4003 rquotad
100011 2 tcp 4003 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 udp 4001 nlockmgr
100021 3 udp 4001 nlockmgr
100021 4 udp 4001 nlockmgr
100021 1 tcp 4001 nlockmgr
100021 3 tcp 4001 nlockmgr
100021 4 tcp 4001 nlockmgr
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd
100005 2 udp 4002 mountd
100005 2 tcp 4002 mountd
100005 3 udp 4002 mountd
100005 3 tcp 4002 mountd
So you need to open the following ports in iptables, TCP and UDP, as shown by the rpcinfo output above: 111 (portmapper), 2049 (nfs), 4000 (status), 4001 (nlockmgr), 4002 (mountd) and 4003 (rquotad).
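The following script is an added example and not part of the original write-up. It does two things the text leaves to the reader: it checks that every NFS-related RPC service in rpcinfo -p output is actually sitting on the port pinned above (if lockd's module option or the sysconfig variables did not take effect, a service will drift back to a random port and the firewall rules will silently block it), and it emits the iptables rules for exactly those ports, restricted to the 10.1.1.0/24 network used elsewhere on the page. The rpcinfo samples are constructed from the output above so the script runs offline; the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not from the original page. Verifies pinned NFS ports and
# prints matching iptables rules. Assumptions: the ports from the page
# (111, 2049, 4000-4003) and a trusted network of 10.1.1.0/24.

TRUSTED_NET="10.1.1.0/24"

# Expected RPC service name (as printed by rpcinfo -p) -> pinned port.
EXPECTED="portmapper 111
status 4000
nlockmgr 4001
mountd 4002
rquotad 4003
nfs 2049"

# Constructed sample of 'rpcinfo -p' output that matches the page.
# On a real host use "$(rpcinfo -p)" instead.
SAMPLE_GOOD="   program vers proto   port
    100000    2   tcp    111  portmapper
    100024    1   udp   4000  status
    100011    1   udp   4003  rquotad
    100003    3   tcp   2049  nfs
    100021    4   tcp   4001  nlockmgr
    100005    3   tcp   4002  mountd"

# Constructed sample where mountd ignored MOUNTD_PORT and took a random port.
SAMPLE_DRIFT="   program vers proto   port
    100000    2   tcp    111  portmapper
    100005    3   tcp  32768  mountd"

# check_pinned_ports RPCINFO_OUTPUT
# Returns 0 when every listed service is on its expected port, 1 otherwise,
# and names each offending service on stdout.
check_pinned_ports() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED" '
        BEGIN {
            # Build the name -> port map from the EXPECTED table.
            n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); want[f[1]] = f[2] }
        }
        # Skip the header; data fields are: program vers proto port name.
        NR > 1 && NF >= 5 {
            name = $5; port = $4
            if (!(name in want)) {
                printf "unexpected RPC service %s on port %s\n", name, port; bad = 1
            } else if (port != want[name]) {
                printf "%s on port %s, expected %s\n", name, port, want[name]; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# print_iptables_rules
# One ACCEPT rule per pinned port and protocol, limited to TRUSTED_NET.
print_iptables_rules() {
    printf '%s\n' "$EXPECTED" | while read -r name port; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -s $TRUSTED_NET -p $proto --dport $port -j ACCEPT  # $name"
        done
    done
}

# Demonstration on the constructed samples.
check_pinned_ports "$SAMPLE_GOOD" && print_iptables_rules
check_pinned_ports "$SAMPLE_DRIFT" || echo "port drift detected: fix the NFS port settings before opening the firewall"
```

Run the check after every reboot or NFS restart, not just once: the lockd port is only honoured if the modprobe.conf option is read before the module loads, so a failed pin shows up as a service back on a high random port while the iptables rules still name 4001.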
I have a share for backups and a share for my media.
cat <<EOF >> /etc/exports
/backup 10.1.1.0/24(rw,root_squash,sync)
/media 10.1.1.0/24(rw,no_root_squash,no_subtree_check,sync)
EOF