Hi,
First, if you are searching for port numbers, they are available in /etc/services.
Second, if you are not sure if your firewall is blocking something, enable logging for DENIED packets. This helps a lot in most cases.
Third, NFS may be on port 2049 - or on port 1110 (please verify that in your /etc/services).
NFS is an RPC service. This implies that the port numbers are subject to changes / are not necessarily the same every time the service starts. Take a look at the output from `rpcinfo -p' and the manpages. It is not only port 2049 that has to be taken into account. Filter rules for NFS traffic can thereby only be dynamic rules, set up automatically or manually. This might be very difficult to handle, which is why most admins choose to not let the traffic pass in any way. In addition, the amount of code involved in NFS and RPC is far from negligible, and it is complicated. The likelihood of finding security-related bugs may be higher in bigger packages than in others.
ksemat@wawa.eahd.or.ug wrote:
I don't use the firewals package, but almost all ipchains firewalls I have seen have specific port blocks for NFS, Samba and Microsoft SQL, but this should not apply to your LAN. Look at the actual script and see whether it blocks them out.
On Sun, 30 Jul 2000, root wrote:
Date: Sun, 30 Jul 2000 23:15:12 +0200
From: root <dustbin@bing.net>
To: suse-security@suse.com
Subject: [suse-security] firewals package and NFS
Hi! I've got a little problem with the firewals package. Everything works fine, but now I want to import filesystems from another computer in the LAN, but it seems to me that the firewall is denying all TCP/IP packets which should be sent to the network. So my question is: Which services must I allow in rc.firewall.conf so that NFS packets get through the firewall? (I'm using SUSE Linux 6.3 with Kernel NFS)
Thanx
Benjamin Jungbluth
Noah
ksemat@eahd.or.ug
Thanks,
Roman.
-- 
Roman Drahtmüller <draht@suse.de>
SuSE GmbH - Security
Nürnberg, Germany
Phone: +49-911-740530
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
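An added example, not part of any message in this thread: a shell sketch of the "dynamic rules" idea, reading `rpcinfo -p` output and printing ipchains accept rules for the RPC services an NFS mount relies on, limited to one LAN. The LAN address, the service list and the sample `rpcinfo -p` output are constructed assumptions.

```shell
#!/bin/sh
# Added example: derive ipchains rules for NFS from `rpcinfo -p` output.
# LAN, NFS_SERVICES and the sample output below are assumptions made here.

LAN="192.168.1.0/24"                                 # assumed trusted client network
NFS_SERVICES="portmapper nfs mountd nlockmgr status" # RPC services NFS v2/v3 relies on

# Read `rpcinfo -p` output on stdin and print unique "proto port service"
# lines for the NFS-related services. The header line and unrelated RPC
# programs are skipped because they fail the proto/port/service checks.
nfs_rpc_ports() {
    awk -v want="$NFS_SERVICES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        NF >= 5 && ($3 == "tcp" || $3 == "udp") && $4 ~ /^[0-9]+$/ && ($5 in ok) {
            key = $3 " " $4 " " $5
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Turn "proto port service" lines into ipchains rules that accept the
# traffic only from $LAN. The rules are printed, not applied.
gen_rules() {
    while read -r proto port svc; do
        echo "ipchains -A input -p $proto -s $LAN -d 0/0 $port -j ACCEPT  # $svc"
    done
}

# Constructed sample of `rpcinfo -p` output (the high ports are arbitrary).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  32770  mountd
    100005    1   tcp  32771  mountd
    100021    1   udp  32769  nlockmgr
    100004    2   udp    834  ypserv
EOF
}

sample_rpcinfo | nfs_rpc_ports | gen_rules
```

On a real server, replace `sample_rpcinfo` with `rpcinfo -p` and regenerate the rules whenever the RPC services restart, since the ports may differ each time.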