rpc.mountd
, rpc.statd
and lockd
. However, these services use a random port (assigned by the portmapper) by default, which makes it difficult to filter traffic targeting these services. The Falcot Corp administrators found a work-around for this problem, described below.
/etc/init.d/nfs-kernel-server
and /etc/init.d/nfs-common
. They provide configuration options to force ports; the relevant files to modify to always use these options are /etc/default/nfs-kernel-server
and /etc/default/nfs-common
.
Example 11.23. The /etc/default/nfs-kernel-server
file
# Number of servers to start up RPCNFSDCOUNT=8 # Options for rpc.mountd RPCMOUNTDOPTS="-p 2048"
Example 11.24. The /etc/default/nfs-common
file
# Options for rpc.statd. # Should rpc.statd listen on a specific port? # If so, set this variable to a statd argument like: "--port 1000". STATDOPTS="-p 2046 -o 2047" # Are you _sure_ that your kernel does or does not need a lockd daemon? # If so, set this variable to either "yes" or "no". NEED_LOCKD=
rpc.mountd
uses port 2048; rpc.statd
listens on port 2046 and uses port 2047 for outgoing connections.
lockd
service is handled by a kernel thread (lightweight process); this feature is built as a module on Debian kernels. The module has two options allowing to always choose the same port, nlm_udpport
and nlm_tcpport
. In order for these options to be systematically used, there needs to be a /etc/modprobe.d/lockd
file such as the following:
/etc/exports
, lists the directories that are made available over the network (exported). For each NFS share, only the given list of machines is granted access. More fine-grained access control can be obtained with a few options. The syntax for this file is quite simple:
/directory/to/share machine1(option1,option2,...) machine2(...) ...
*.falcot.com
or an IP address range such as 192.168.0.0/255.255.255.0
or 192.168.0.0/24
.
ro
option). The rw
option allows read-write access. NFS clients typically connect from a port restricted to root (in other words, below 1024); this restriction can be lifted by the insecure
option (the secure
option is implicit, but it can be made explicit if needed for clarity).
sync
option); this can be disabled with the async
option. Asynchronous writes increase performance a bit, but they decrease reliability since there's a data loss risk in case of the server crashing between the acknowledgment of the write and the actual write on disk. Since the default value changed recently (as compared to the historical value of NFS), an explicit setting is recommended.
anonymous
user. This behavior corresponds to the root_squash
option, and is enabled by default. The no_root_squash
option, which disables this behavior, is risky and should only be used in controlled environments. The anonuid=uid
and anongid=gid
options allow specifying another fake user to be used instead of anonymous
.
mount
command and the /etc/fstab
file.
Example 11.26. Manually mounting with the mount
command
#
mount -t nfs -o rw,nosuid arrakis.interne.falcot.com:/srv/shared /shared
Example 11.27. NFS entry in the /etc/fstab
file
arrakis.interne.falcot.com:/srv/shared /shared nfs rw,nosuid 0 0
/srv/shared/
NFS directory from the arrakis
server into the local /shared/
directory. Read-write access is requested (hence the rw
parameter). The nosuid
option is a protection measure that wipes any setuid
or setgit
bit from programs stored on the share. If the NFS share is only meant to store documents, another recommended option is noexec
, which prevents executing programs stored on the share.