Notes on applying the suggestions from the Security section of the NFS-HOWTO to Debian 4.0 (Etch). These settings should still work with Debian 3.1 (Sarge).
https://www.tldp.org/HOWTO/NFS-HOWTO/security.html
Firewalls
Firewall Friendly
When you set up a tight firewall, you go with the "deny all, allow some" paradigm. The SunRPC system was designed around the "trust the remote system" and the "make it simple for the admin, use dynamic ports" paradigms. Fortunately, the services you use with NFS have port options to work better with your firewall.
The following examples are modifications to a Debian 3.1 (Sarge) system with a 2.6 Linux kernel (for Debian 6.0 (Squeeze), see the note at the bottom of the page). In most cases they do not show the full contents of the files, just the parts that were modified.
It's easy to configure the port options for the statd, mountd and quotad RPC services, thanks to the use of /etc/default/* by the init scripts:
    # /etc/default/nfs-common
    STATDOPTS="--port 32765 --outgoing-port 32766"

    # /etc/default/nfs-kernel-server
    RPCMOUNTDOPTS="-p 32767"

    # /etc/default/quota
    RPCRQUOTADOPTS="-p 32769"
The nfs daemon (rpc.nfsd or just nfsd) will listen on port 2049 by default if no port is specified.
The change to /etc/services isn't necessary at all. It just helps produce nice (sensible) output from netstat -tl on the NFS server.
    # /etc/services
    # NFS ports as per the NFS-HOWTO
    # http://www.tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS
    # Listing here does not mean they will bind to these ports.
    rpc.nfsd        2049/tcp    # RPC nfsd
    rpc.nfsd        2049/udp    # RPC nfsd
    rpc.nfs-cb      32764/tcp   # RPC nfs callback
    rpc.nfs-cb      32764/udp   # RPC nfs callback
    rpc.statd-bc    32765/tcp   # RPC statd broadcast
    rpc.statd-bc    32765/udp   # RPC statd broadcast
    rpc.statd       32766/tcp   # RPC statd listen
    rpc.statd       32766/udp   # RPC statd listen
    rpc.mountd      32767/tcp   # RPC mountd
    rpc.mountd      32767/udp   # RPC mountd
    rpc.lockd       32768/tcp   # RPC lockd/nlockmgr
    rpc.lockd       32768/udp   # RPC lockd/nlockmgr
    rpc.quotad      32769/tcp   # RPC quotad
    rpc.quotad      32769/udp   # RPC quotad
Kernel parameters: I created /etc/modprobe.d/local.conf to provide the lockd module with options.
    # /etc/modprobe.d/local.conf
    options lockd nlm_udpport=32768 nlm_tcpport=32768
    options nfs callback_tcpport=32764
Alternative to kernel parameters: These settings can be put into /etc/sysctl.conf or /etc/sysctl.d/nfs-static-ports.conf:
    fs.nfs.nfs_callback_tcpport = 32764
    fs.nfs.nlm_tcpport = 32768
    fs.nfs.nlm_udpport = 32768
These settings can be reloaded without rebooting, then taken into account by the NFS kernel server using:
    sysctl --system
    /etc/init.d/nfs-kernel-server restart
The sysctl approach was successfully tested with Debian 7 “Wheezy”.
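An added check (not from the wiki page) to run once the settings above are applied: it parses the output of rpcinfo -p and reports every RPC service that is missing or not registered on the static port configured above. The expected ports come from the STATDOPTS, RPCMOUNTDOPTS, RPCRQUOTADOPTS and lockd settings on this page; the sample rpcinfo outputs are constructed, and the service names in rpcinfo's last column are an assumption.

```sh
# Added check (not from the wiki page): confirm each RPC service registered
# with the portmapper sits on the static port configured above, so the
# firewall rules keep matching. Service names are rpcinfo's last column.
EXPECTED="nfs:2049 mountd:32767 status:32765 nlockmgr:32768 rquotad:32769"
# Reads "rpcinfo -p" output on stdin; prints a line per service that is
# missing or on an unexpected port and returns 1 in that case, else 0.
check_rpc_ports() {
    data=$(cat)
    rc=0
    for pair in $EXPECTED; do
        prog=${pair%%:*}
        want=${pair##*:}
        # rpcinfo -p columns: program vers proto port service
        got=$(printf '%s\n' "$data" | awk -v p="$prog" '$5 == p { print $4 }' | sort -u)
        if [ -z "$got" ]; then
            echo "MISSING  $prog: not registered (expected port $want)"
            rc=1
            continue
        fi
        for port in $got; do
            [ "$port" = "$want" ] && continue
            echo "MISMATCH $prog: registered on $port, expected $want"
            rc=1
        done
    done
    return $rc
}
# Constructed sample: a server configured as described on this page.
sample_rpcinfo_ok() {
    cat <<'EOF'
   program vers proto   port  service
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   tcp  32767  mountd
    100024    1   udp  32765  status
    100021    1   udp  32768  nlockmgr
    100011    1   udp  32769  rquotad
EOF
}
# Constructed sample: mountd got a dynamic port and rquotad never started.
sample_rpcinfo_bad() {
    cat <<'EOF'
    100003    3   udp   2049  nfs
    100005    1   tcp  48923  mountd
    100024    1   udp  32765  status
    100021    1   udp  32768  nlockmgr
EOF
}
sample_rpcinfo_bad | check_rpc_ports || echo "static port setup incomplete"
```

On a real server, feed it the live registrations with `rpcinfo -p | check_rpc_ports` and fix /etc/default/* or the lockd options before trusting the firewall rules.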
Firewall Rules
Creating rules for your firewall for the above services should now be as simple as creating rules for more common services that bind to known ports, like http.
Shorewall
An example of allowing a firewall server to make NFS mounts to an internal server. This rule set for the shorewall firewall allows traffic for portmap (111), nfs (2049) and the static port range 32764 to 32769 configured above. The mount program in Etch appears to prefer tcp connections to nfs and mountd, so we add tcp rules for all ports and ranges.
    # Allow nfs mounts to local network
    ACCEPT  fw  loc  udp  111
    ACCEPT  fw  loc  tcp  111
    ACCEPT  fw  loc  tcp  2049
    ACCEPT  fw  loc  udp  2049
    ACCEPT  fw  loc  tcp  32764:32769
    ACCEPT  fw  loc  udp  32764:32769
Notes
Port numbers are just suggestions.
The ports listed above are just suggestions from the NFS-HOWTO. Listing here does not indicate that they are part of the IANA registry, nor is it the only suggestion. Chris Lowth has a different list of ports but the concept is mostly the same. I chose the NFS-HOWTO ports, just because it is a popular and highly visible document.
Because ports 32768 and 32769 are in the ephemeral port range, the output of ss -l won't include service names for these ports.
Who creates the port?
The man pages of individual RPC programs like rpc.statd and rpc.portd as well as online documentation like the NFS-HOWTO at tldp.org claim that the portmapper assigns the random port used.
Other documents on the web including a Gentoo NFS with firewalling forum topic and IANA's notes on Sun RPC numbers state that portmap does not allocate ports. The services request the next available port from the kernel and then register their port with portmap.
It looks like some quick code checking and possible documentation patches are in order.
Error on Debian 6.0 (Squeeze)
Restarting the service produces the error below:
    # /etc/init.d/nfs-kernel-server restart
    Starting NFS kernel daemon: nfsdrpc.nfsd: unable to resolve ANYADDR:nfs to inet address: Servname not supported for ai_socktype
    rpc.nfsd: unable to set any sockets for nfsd
     failed!
This occurs because the nfs service is not defined in /etc/services. To solve this problem, simply add an entry for nfs in /etc/services as below:
    # /etc/services
    nfs             2049/tcp    # Network File System
    nfs             2049/udp    # Network File System