Installation guide
Chapter 10. Network File System (NFS)
To configure a firewall to allow NFS, perform the following steps:
1. Allow TCP and UDP port 2049 for NFS.
2. Allow TCP and UDP port 111 (rpcbind/sunrpc).
3. Allow the TCP and UDP port specified with MOUNTD_PORT="port".
4. Allow the TCP and UDP port specified with STATD_PORT="port".
5. Allow the TCP port specified with LOCKD_TCPPORT="port".
6. Allow the UDP port specified with LOCKD_UDPPORT="port".
10.6.4. Hostname Formats
The host(s) can be in the following forms:
Single machine
A fully-qualified domain name (that can be resolved by the server), hostname (that can be
resolved by the server), or an IP address.
Series of machines specified via wildcards
Use the * or ? character to specify a string match. Wildcards are not to be used with IP
addresses; however, they may accidentally work if reverse DNS lookups fail. When specifying
wildcards in fully qualified domain names, dots (.) are not included in the wildcard. For example,
*.example.com includes one.example.com but does not include one.two.example.com.
IP networks
Use a.b.c.d/z, where a.b.c.d is the network and z is the number of bits in the netmask (for
example 192.168.0.0/24). Another acceptable format is a.b.c.d/netmask, where a.b.c.d is
the network and netmask is the netmask (for example, 192.168.100.8/255.255.255.0).
Netgroups
Use the format @group-name, where group-name is the NIS netgroup name.
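The matching rules above, as an added example that is not part of the guide or of the NFS server code: a small Python matcher that applies one /etc/exports host field to a client, treating wildcards as hostname-only (so a failed reverse lookup never matches a wildcard by accident), honouring the "dots are not covered by wildcards" rule, and accepting both the prefix-length and dotted-netmask network forms. The NETGROUPS table is a constructed stand-in for an NIS netgroup lookup.

```python
import ipaddress
import re

# Constructed stand-in for NIS netgroups (assumption, not from the guide).
NETGROUPS = {"trusted": {"one.example.com", "db1.example.com"}}


def _wildcard_match(pattern, hostname):
    # '*' and '?' must not cross a dot: *.example.com covers one.example.com
    # but not one.two.example.com.
    regex = "".join(
        "[^.]*" if c == "*" else "[^.]" if c == "?" else re.escape(c)
        for c in pattern
    )
    return re.fullmatch(regex, hostname, re.IGNORECASE) is not None


def host_spec_matches(spec, client_host, client_ip):
    """Return True if one /etc/exports host field covers the client.

    spec:        single host, wildcard, a.b.c.d/z, a.b.c.d/netmask or @netgroup
    client_host: reverse-DNS name of the client, or None if the lookup failed
    client_ip:   the client's source address as a string
    """
    if spec.startswith("@"):
        members = {h.lower() for h in NETGROUPS.get(spec[1:], set())}
        return client_host is not None and client_host.lower() in members
    if "/" in spec:
        # ip_network accepts both 192.168.0.0/24 and 192.168.100.8/255.255.255.0;
        # strict=False tolerates host bits set in the address part.
        net = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in net
    if "*" in spec or "?" in spec:
        # Wildcards apply to hostnames only; never fall back to the IP address.
        return client_host is not None and _wildcard_match(spec, client_host)
    # Single machine: a literal IP address or an exact hostname.
    try:
        return ipaddress.ip_address(spec) == ipaddress.ip_address(client_ip)
    except ValueError:
        return client_host is not None and spec.lower() == client_host.lower()
```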
10.7. Securing NFS
NFS is well-suited for sharing entire file systems with a large number of known hosts in a transparent
manner. However, with ease-of-use comes a variety of potential security problems. Consider the
following sections when exporting NFS file systems on a server or mounting them on a client. Doing so
minimizes NFS security risks and better protects data on the server.
10.7.1. Host Access in NFSv2 or NFSv3
NFS controls who can mount an exported file system based on the host making the mount request,
not the user that actually uses the file system. Hosts must be given explicit rights to mount the
exported file system. Access control is not possible for users, other than through file and directory
permissions. In other words, once a file system is exported via NFS, any user on any remote host
connected to the NFS server can access the shared data. To limit the potential risks, administrators
often allow read-only access or squash user permissions to a common user and group ID.
Unfortunately, these solutions prevent the NFS share from being used in the way it was originally
intended.
Additionally, if an attacker gains control of the DNS server used by the system exporting the NFS
file system, the system associated with a particular hostname or fully qualified domain name can be