It's a very good idea to firewall the nfs and portmap ports in your router or firewall. The nfsd operates at port 2049, both udp and tcp protocols. The portmapper at port 111, tcp and udp, and mountd at port 745 and 747, tcp and udp. Normally, that is: you should check the ports with the rpcinfo -p command. If on the other hand you want NFS to go through a firewall there are options for newer NFSds and mountds to make them use a specific (nonstandard) port which can be open in the firewall.
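Because mountd in particular may not sit on the ports quoted above, a practitioner wants to derive the block list from what rpcinfo -p actually reports rather than from memory. The following POSIX shell script is an added example, not code from the HOWTO: it parses a constructed rpcinfo -p sample (embedded below, not captured from a real host), confirms that nfsd and the portmapper are on their normal ports, and prints one firewall rule per (protocol, port) pair used by the portmapper, nfs and mountd. The iptables rule syntax and the outside interface name eth0 are assumptions; the HOWTO names neither.

```shell
#!/bin/sh
# Added example: turn `rpcinfo -p` output into a border-firewall port list.
# The sample below is constructed; on a live host use RPCINFO="$(rpcinfo -p)".
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    745  mountd
    100005    1   tcp    747  mountd'

# rpc_ports SERVICE INPUT: print "proto port" for every registration of SERVICE.
# mountd commonly registers different ports for tcp and udp, so print them all.
rpc_ports() {
    printf '%s\n' "$2" | awk -v svc="$1" '$5 == svc { print $3, $4 }' | sort -u
}

# all_on_port SERVICE PORT INPUT: succeed only if SERVICE is registered and
# every one of its registrations uses PORT (checks the "normal" ports above).
all_on_port() {
    printf '%s\n' "$3" | awk -v svc="$1" -v want="$2" '
        $5 == svc { seen = 1; if ($4 != want) bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# block_rules INPUT IFACE: print one DROP rule per (proto, port) used by the
# portmapper, nfs and mountd for traffic arriving on the outside interface.
# Rules are printed, not applied, so they can be reviewed before loading.
block_rules() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        $5 == "portmapper" || $5 == "nfs" || $5 == "mountd" {
            key = $3 " " $4
            if (!(key in done)) {
                done[key] = 1
                printf "iptables -A INPUT -i %s -p %s --dport %s -j DROP\n", iface, $3, $4
            }
        }'
}

# Stand-alone run against the constructed sample.
echo "mountd registrations (proto port):"
rpc_ports mountd "$RPCINFO_SAMPLE"
all_on_port nfs 2049 "$RPCINFO_SAMPLE" || echo "warning: nfsd is not on port 2049"
all_on_port portmapper 111 "$RPCINFO_SAMPLE" || echo "warning: portmapper is not on port 111"
block_rules "$RPCINFO_SAMPLE" eth0
```

Because mountd is not pinned to a fixed port unless you use the nonstandard-port options the HOWTO mentions, rerun the script whenever mountd is restarted; a rule set written once by hand silently goes stale when the port changes.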
6.5. Summary

If you use the hosts.allow/deny, root_squash, nosuid and privileged port features in the portmapper/nfs software you avoid many of the presently known bugs in nfs and can almost feel secure about that at least. But still, after all that: when an intruder has access to your network, s/he can make strange commands appear in your /var/spool/mail are mounted over NFS. For the same reason, you should never access your PGP private key over nfs. Or at least you should know the risk involved. And now you know a bit of it.

NFS and the portmapper make up a complex subsystem and therefore it's not totally unlikely that new bugs will be discovered, either in the basic design or the implementation we use. There might even be holes known now, which someone is abusing. But that's life. To keep abreast of things like this you should at least read the newsgroups comp.os.linux.announce and comp.security.announce at an absolute minimum.
7. Mount Checklist

This section is based on IBM Corp.'s NFS mount problem checklist. My thanks to them for making it available for this HOWTO. If you experience a problem mounting a NFS filesystem please refer to this list before posting your problem. Each item describes a failure mode and the fix.

1. File system not exported, or not exported to the client in question.
   Fix: Export it.

2. Name resolution doesn't jibe with the exports list. E.g.: export list says export to johnmad but johnmad's name is resolved as johnmad.austin.ibm.com. Mount permission is denied.
   Fix: Export to both forms of the name.
   It can also happen if the client has 2 interfaces with different names for each of the two adapters and the export only specifies one.
   Fix: Export both interfaces.
   This can also happen if the server can't do a lookuphostbyname or lookuphostbyaddr (these are library functions) on the client. Make sure the client can do host <name>; host <ip_addr>; and that both show the same machine.
   Fix: Straighten out name resolution.

3. The file system was mounted after NFS was started (on that server). In that case the server is exporting the underlying mount point, not the mounted filesystem.
   Fix: Shut down NFSd and then restart it.
   Note: The clients that had the underlying mount point mounted will get problems accessing it after the restart.

4. The date is wildly off on one or both machines (this can mess up make).
   Fix: Get the date set right. The HOWTO author recommends using NTP to synchronize clocks. Since there are export restrictions on NTP in the US you have to get NTP for debian, redhat or slackware from ftp://ftp.hacktic.nl/pub/replay/pub/linux or a mirror.

5. The server can not accept a mount from a user that is in more than 8 groups.
   Fix: Decrease the number of groups the user is in or mount via a different user.
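Items 1, 2 and 5 of the checklist, and the root_squash advice from the summary, can all be checked offline against a copy of the server's exports file before anyone posts a problem. The following POSIX shell script is an added example, not part of the HOWTO or of any NFS package: it parses a constructed /etc/exports sample (embedded below) in the Linux "/dir client(options)" form, answers whether a given directory is exported to a client under both the short and fully-qualified form of its name, lists entries that lack root_squash, and checks a group list against the 8-group limit. The function names and the sample group list (assumed to be the output of id -G) are assumptions of this example.

```shell
#!/bin/sh
# Added example: offline checks for the mount checklist above.
# The exports content is constructed, not taken from a real server.
EXPORTS_SAMPLE='# constructed /etc/exports
/home    johnmad(rw,root_squash)
/pub     *(ro,no_root_squash)
/work    johnmad(rw) johnmad.austin.ibm.com(rw)'

# export_clients DIR INPUT: list the client names DIR is exported to,
# with the parenthesised option list stripped from each.
export_clients() {
    printf '%s\n' "$2" | awk -v dir="$1" '
        /^#/ || NF == 0 { next }
        $1 == dir { for (i = 2; i <= NF; i++) { sub(/\(.*\)$/, "", $i); print $i } }'
}

# client_exported DIR CLIENT INPUT: checklist item 1; succeed if DIR is
# exported to CLIENT by exact name or to everyone ("*").
client_exported() {
    export_clients "$1" "$3" | grep -qFx -e "$2" -e '*'
}

# both_forms_exported DIR SHORT FQDN INPUT: checklist item 2; succeed only
# when both the short name and the fully-qualified name are in the list,
# since the server may resolve the client to either form.
both_forms_exported() {
    client_exported "$1" "$2" "$4" && client_exported "$1" "$3" "$4"
}

# entries_without_root_squash INPUT: print "DIR CLIENT" for each export
# entry whose options lack root_squash (no_root_squash does not count,
# hence the delimiter match around the option name).
entries_without_root_squash() {
    printf '%s\n' "$1" | awk '
        /^#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++)
              if ($i !~ /[(,]root_squash[,)]/) { c = $i; sub(/\(.*\)$/, "", c); print $1, c } }'
}

# group_count_ok GROUPS: checklist item 5; GROUPS is the space-separated
# output of `id -G` for the mounting user. Fails above 8 groups.
group_count_ok() {
    set -- $1
    [ "$#" -le 8 ]
}

# Stand-alone run against the constructed sample.
if both_forms_exported /home johnmad johnmad.austin.ibm.com "$EXPORTS_SAMPLE"; then
    echo "/home: exported to both name forms"
else
    echo "/home: not exported to both name forms (checklist item 2)"
fi
echo "entries without root_squash:"
entries_without_root_squash "$EXPORTS_SAMPLE"
group_count_ok "100 4 24 27 30 46 113 128 129" || echo "user is in more than 8 groups (item 5)"
```

On a real server run the same functions over "$(cat /etc/exports)" and the client's id -G output; the checks are static, so they cannot see a mismatch in the server's own name resolution (the lookuphostbyname/lookuphostbyaddr case), which still has to be verified with the host commands the checklist gives.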
8. FAQs

This is the FAQ section. Most of it was written by Alan Cox.

1. I get a lot of 'stale nfs handle' errors when using Linux as a nfs server.
   This is caused by a bug in some oldish nfsd versions. It is fixed in nfs-server2.2beta16 and later.

2. When I try to mount a file system I get
   can't register with portmap: system error on send
   You are probably using a Caldera system. There is a bug in the rc scripts. Please contact Caldera to obtain a fix.

3. Why can't I execute a file after copying it to the NFS server?