NFS: Difference between revisions
From Lolly's Wiki
Latest revision as of 03:52, 26 November 2021
Some things to know about NFS...
=NFSv3=
==Server==
===Bind rpc.mountd to specific port===
The port of rpc.mountd is usually random, which is a nightmare for anyone maintaining a firewall, so picking a known port is much better.
* /etc/default/nfs-kernel-server
<syntaxhighlight lang=ini>
RPCMOUNTDOPTS="--manage-gids --port 33333"
</syntaxhighlight>
===Bind statd to specific port===
You only need this if you still need protocol versions below NFSv4.
* /etc/default/nfs-common
<syntaxhighlight lang=ini>
STATDOPTS="--port 33334 --outgoing-port 33335"
</syntaxhighlight>
===Bind lockd to specific port===
* /etc/sysctl.d/nfs-static-ports.conf
<syntaxhighlight lang=ini>
fs.nfs.nlm_tcpport = 33336
fs.nfs.nlm_udpport = 33336
</syntaxhighlight>
Activate it without rebooting through:
<syntaxhighlight lang=bash>
# sysctl --load /etc/sysctl.d/nfs-static-ports.conf
fs.nfs.nlm_tcpport = 33336
fs.nfs.nlm_udpport = 33336
</syntaxhighlight>
===Configure ufw===
Caution! The port you set above for mountd has to be the same here! I used 33333; if you changed it above for some reason, change it here, too!
* /etc/ufw/applications.d/nfs
<syntaxhighlight lang=ini>
[NFS-Server]
title=NFS-Server
description=NFS Server
ports=111/tcp|111/udp|2049/tcp|33333:33336/tcp
</syntaxhighlight>
Note that this profile only opens the TCP side of the pinned ports (plus 111/udp for the portmapper); NFSv3 clients that mount over UDP would also need the corresponding UDP ports.
<syntaxhighlight lang=bash>
# ufw allow from 172.16.16.16/28 to any app "NFS-Server"
</syntaxhighlight>
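The pinning above only helps if the daemons really came up on those ports and the ufw profile really covers them. The following script is an added example and not part of the wiki page: it checks the registered RPC ports (as printed by <code>rpcinfo -p</code>) against the numbers chosen above, and checks whether a given port is covered by a <code>ports=</code> line of the ufw application profile. The <code>rpcinfo</code> output embedded in the script is constructed for offline use; on a real server feed it the output of <code>rpcinfo -p localhost</code> instead.

```shell
#!/bin/sh
# Added example (not from the wiki): verify that the RPC services NFSv3 needs
# are bound to the static ports configured above.
# Constructed sample of `rpcinfo -p` output (columns: program vers proto port service).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  33333  mountd
    100005    3   tcp  33333  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100024    1   udp  33334  status
    100024    1   tcp  33334  status
    100021    1   udp  33336  nlockmgr
    100021    4   tcp  33336  nlockmgr'

# check_rpc_port SERVICE EXPECTED_PORT [RPCINFO_OUTPUT]
# Returns 0 if every registered instance of SERVICE listens on EXPECTED_PORT,
# 1 if some instance sits on another (random) port the firewall will block,
# 2 if the service is not registered with the portmapper at all.
check_rpc_port() {
    service=$1
    expected=$2
    rpcinfo_output=${3:-"$SAMPLE_RPCINFO"}
    ports=$(printf '%s\n' "$rpcinfo_output" | awk -v s="$service" '$5 == s { print $4 }' | sort -u)
    [ -n "$ports" ] || return 2
    for p in $ports; do
        [ "$p" = "$expected" ] || return 1
    done
    return 0
}

# nfs_ports_are_static [RPCINFO_OUTPUT]: check all three NFSv3 helpers at once,
# using the port numbers from the configuration above.
nfs_ports_are_static() {
    check_rpc_port mountd   33333 "$@" &&
    check_rpc_port status   33334 "$@" &&
    check_rpc_port nlockmgr 33336 "$@"
}

# port_allowed PORT PROTO PORTSPEC: is PORT/PROTO covered by a ufw "ports="
# specification such as "111/tcp|111/udp|2049/tcp|33333:33336/tcp"?
# Entries are "port/proto" or "low:high/proto"; returns 0 if covered, 1 if not.
port_allowed() {
    port=$1; proto=$2; spec=$3
    old_ifs=$IFS; IFS='|'
    for entry in $spec; do
        IFS=$old_ifs
        range=${entry%/*}; p=${entry#*/}
        [ "$p" = "$proto" ] || continue
        lo=${range%%:*}; hi=${range##*:}
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Usage on a real server (not run here):
#   nfs_ports_are_static "$(rpcinfo -p localhost)" || echo "NFS helper on an unexpected port"
#   port_allowed 33333 tcp "$(sed -n 's/^ports=//p' /etc/ufw/applications.d/nfs)" || echo "mountd port not in ufw profile"
```

<code>check_rpc_port</code> returns a distinct status for "not registered" (2) because a missing rpc.mountd is a different problem from a mountd that ignored <code>--port</code>; <code>port_allowed</code> is what the "Caution!" above asks you to verify by hand.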
=NFSv4.1=
==Server==
===Configure rpc.idmapd===
* /etc/idmapd.conf
You should set a Domain. Set the same Domain on the server and on the client(s)!
<syntaxhighlight lang=ini>
[General]
...
# set your own domain here, if it differs from FQDN minus hostname.
# you can use a fantasy name, but whatever it is, keep this identical on server and client!
Domain = myfantasy.domain
...
</syntaxhighlight>
===Disable at least NFSv2===
* /etc/default/nfs-kernel-server
<syntaxhighlight lang=ini>
RPCMOUNTDOPTS="--manage-gids --port 33333 --no-nfs-version 2"
RPCNFSDOPTS="--no-nfs-version 2"
</syntaxhighlight>
===Disable all but NFSv4 and higher===
* /etc/default/nfs-kernel-server
<syntaxhighlight lang=ini>
RPCMOUNTDOPTS="--manage-gids --port 33333 --no-nfs-version 2 --no-nfs-version 3"
NEED_STATD="no"
NEED_IDMAPD="yes"
RPCNFSDOPTS="--no-nfs-version 2 --no-nfs-version 3"
</syntaxhighlight>
===Configure ufw===
For plain NFSv4 and up you just need this:
<syntaxhighlight lang=bash>
# ufw allow from 172.16.16.16/28 to any port 2049/tcp
</syntaxhighlight>
If you still need NFSv3, see above.
===List clients that are connected===
<syntaxhighlight lang=bash>
# cat /proc/fs/nfsd/clients/*/info
clientid: 0x7829c17160bf7066
address: "172.16.16.17:778"
name: "Linux NFSv4.1 client01.domain.tld"
minor version: 1
Implementation domain: "kernel.org"
Implementation name: "Linux 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64"
Implementation time: [0, 0]
</syntaxhighlight>
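Two checks that belong together with the "Disable all but NFSv4 and higher" and "List clients that are connected" sections, as an added example that is not part of the wiki page: the first parses the server's advertised version list as found in <code>/proc/fs/nfsd/versions</code> (a string like <code>-2 -3 +4 +4.1 +4.2</code>) to confirm that v2 and v3 really went away after the restart; the second condenses the <code>/proc/fs/nfsd/clients/*/info</code> records shown above into one line per client (address, minor version, name). The version string and the second client record are constructed sample data; the first record is the one from the page.

```shell
#!/bin/sh
# Added example (not from the wiki). Constructed sample of /proc/fs/nfsd/versions
# after disabling v2 and v3 as configured above.
SAMPLE_VERSIONS='-2 -3 +4 +4.1 +4.2'

# nfs_version_enabled VERSION [VERSIONS_STRING]
# VERSION is e.g. 3 or 4.1. Returns 0 if advertised ("+"), 1 if disabled ("-"),
# 2 if that version does not appear in the list at all.
nfs_version_enabled() {
    want=$1
    versions=${2:-"$SAMPLE_VERSIONS"}
    for v in $versions; do
        case $v in
            "+$want") return 0 ;;
            "-$want") return 1 ;;
        esac
    done
    return 2
}

# legacy_nfs_disabled [VERSIONS_STRING]: 0 only if neither v2 nor v3 is advertised.
legacy_nfs_disabled() {
    if nfs_version_enabled 2 "$@"; then return 1; fi
    if nfs_version_enabled 3 "$@"; then return 1; fi
    return 0
}

# Constructed sample of the concatenated /proc/fs/nfsd/clients/*/info files:
# the first record is the one from the page, the second is made up.
SAMPLE_CLIENT_INFO='clientid: 0x7829c17160bf7066
address: "172.16.16.17:778"
name: "Linux NFSv4.1 client01.domain.tld"
minor version: 1
Implementation domain: "kernel.org"
Implementation name: "Linux 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64"
Implementation time: [0, 0]
clientid: 0x0000000000000002
address: "172.16.16.18:1021"
name: "Linux NFSv4.2 client02.domain.tld"
minor version: 2
Implementation domain: "kernel.org"
Implementation name: "Linux EXAMPLE-KERNEL x86_64"
Implementation time: [0, 0]'

# nfsd_client_summary [INFO_TEXT]: one line per client, "address v4.<minor> name".
# Each record starts at a "clientid:" line; the awk script buffers one record
# and flushes it when the next one starts or at end of input.
nfsd_client_summary() {
    printf '%s\n' "${1:-$SAMPLE_CLIENT_INFO}" | awk '
        function flush() { if (addr != "") printf "%s v4.%s %s\n", addr, minor, name }
        /^clientid:/      { flush(); addr = ""; minor = ""; name = "" }
        /^address:/       { addr = $2; gsub(/"/, "", addr) }
        /^name:/          { name = $0; sub(/^name: *"/, "", name); sub(/"$/, "", name) }
        /^minor version:/ { minor = $3 }
        END               { flush() }'
}

# nfsd_client_count [INFO_TEXT]: number of NFSv4 clients currently known to nfsd.
nfsd_client_count() {
    nfsd_client_summary "$@" | wc -l | tr -d ' '
}

# Usage on a real server (not run here):
#   legacy_nfs_disabled "$(cat /proc/fs/nfsd/versions)" || echo "v2/v3 still advertised"
#   nfsd_client_summary "$(cat /proc/fs/nfsd/clients/*/info)"
```

Because <code>/proc/fs/nfsd/clients</code> only lists NFSv4 clients, an empty summary after switching to the v4-only configuration means no client has reconnected yet, not that the server is idle; any v3 clients that were still mounting would simply fail to mount.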