[Bug 688446] Re: NFS needs firewall/NAT support
jhansonxi
688446 at bugs.launchpad.net
Thu Oct 3 01:15:23 UTC 2013
Fixed as of 4.1 as it only uses port 2049 now.
** Changed in: nfs-utils (Ubuntu)
Status: New => Invalid
https://bugs.launchpad.net/bugs/688446
Title:
NFS needs firewall/NAT support
Status in “nfs-utils” package in Ubuntu:
Invalid
Bug description:
For firewalls and NAT, NFS is a major hassle. It uses several random
ports by default. If they are set static then every other client and
server has to use the same ones else they won't connect. For laptop
users who need to connect to a private LAN with NFS and then to other
public WiFi hotspots or LANs of suspect security, they either have to
disable NFS (not easy) or block all ports with a firewall which then
gets in the way of private LAN usage.
There are two solutions. One is to set static ports by default and then create a firewall rule for them. The problem is that there are no standard ports except for portmap on 111 and nfsd on 2049. The commonly used unofficial ranges, 32765:32768 and 4000:4002, conflict with several other unofficial usages by other applications (like commercial games including Blizzard.net). I discovered this while working on a bunch of UFW application profiles (attached to bug# 659619). These ranges apparently come from:
http://tldp.org/HOWTO/NFS-HOWTO/security.html
http://www.lowth.com/LinWiz/nfs_help.html
A safer range I found is 4194-4198 (statd, statd_bc, mountd, lockd, and quota, respectively). To make these useful they would need to be standardized across distros and registered according to RFC4340 to discourage third-party conflicts:
http://tools.ietf.org/html/rfc4340#section-19.9
The better but more difficult solution is to develop an nf_conntrack
module for NFS, like those which already exist for Samba and saned. This would
allow random ports to be used.
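For the static-port approach in the bug description, an added example (not part of the original report or of nfs-utils) that checks `rpcinfo -p` output for RPC services registered on ports other than the pinned ones, which a firewall rule for those ports would block. The mapping from the report's daemon names to rpcinfo service names, the treatment of statd_bc, and the sample output are assumptions constructed for illustration.

```python
import re

# Ports from the bug description: portmap 111, nfsd 2049, and the proposed
# 4194-4198 range (statd, statd_bc, mountd, lockd, quota, respectively).
# Assumption: these rpcinfo service names correspond to those daemons, and
# statd_bc (4195) is not registered with the portmapper, so it is not listed.
PINNED = {"portmapper": 111, "nfs": 2049, "status": 4194,
          "mountd": 4196, "nlockmgr": 4197, "rquotad": 4198}

# One data row of `rpcinfo -p`: program, version, proto, port, optional name.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")

def parse_rpcinfo(text):
    """Return (service, proto, port) for each data row; skip the header."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            prog, _vers, proto, port, name = m.groups()
            rows.append((name or prog, proto, int(port)))
    return rows

def audit(text, pinned=PINNED):
    """Split registrations into drifted (wrong port) and unlisted (no pin)."""
    drifted, unlisted = set(), set()
    for name, proto, port in parse_rpcinfo(text):
        if name not in pinned:
            unlisted.add((name, proto, port))
        elif port != pinned[name]:
            drifted.add((name, proto, port, pinned[name]))
    return sorted(drifted), sorted(unlisted)

# Constructed sample: lockd and mountd still on random UDP ports.
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp   4194  status
    100003    3   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100021    4   udp  38467  nlockmgr
    100021    4   tcp   4197  nlockmgr
    100005    3   udp  51342  mountd
    100005    3   tcp   4196  mountd
    100011    2   udp   4198  rquotad
"""

if __name__ == "__main__":
    drifted, unlisted = audit(SAMPLE)
    for name, proto, port, want in drifted:
        print(f"{name}/{proto} on {port}, expected {want}")
    for name, proto, port in unlisted:
        print(f"{name}/{proto} on {port} has no pinned port")
```
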