Is SuSE-FW2 able to enable NFS ports (login from my LX-box to the server) in a way that the MAC address is checked and the port is only available to this machine? This would shorten security risks I guess.
This will work (I use it from /etc/sysconfig/scripts/SuSEfirewall2-custom):

# Space-separated list of hosts/networks that may reach the NFS ports;
# leave empty (or set to "no") to add nothing.
FW_ALLOW_NFS=""

# These ports will be opened for access by the given host
# (showmount -e seems to use tcp ports around 1200, damn...).
# Output is in the net,proto,port form SuSEfirewall2 expects in FW_TRUSTED_NETS.
allow_nfs_ports_in() {
    echo "
    $1,tcp,111
    $1,udp,111
    $1,udp,2049
    $1,udp,600:1399
    $1,udp,2100:2499
    "
}

if [ -n "$FW_ALLOW_NFS" ] && [ "$FW_ALLOW_NFS" != no ]; then
    for host in $FW_ALLOW_NFS; do
        # Append this host's entries to the trusted-nets list the firewall uses.
        addnet=( $(allow_nfs_ports_in "$host") )
        FW_TRUSTED_NETS="$FW_TRUSTED_NETS ${addnet[@]}"
    done
    echo "FW_TRUSTED_NETS=$FW_TRUSTED_NETS"
fi

Issues:

- It allows those ports on all interfaces, not just the one you want - if you only have one, fine.
- Those udp ports are a guess - security won't be much worse by just allowing 600:6000. If your mounts suddenly hang (or the mount times out) check this.
- It doesn't allow for your MAC address checking. If you want finer control, you have to generate iptables rules yourself, at the correct point in the SuSEfirewall2 script. You'll probably find that you need to edit the script itself.
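The reply above ends by saying that MAC checking needs hand-written iptables rules. The following is an added example of what such rules look like; it is not code from the thread or from SuSEfirewall2. It takes the same port list as the post's allow_nfs_ports_in and accepts each port only when both the source IP and the source MAC of the client match (iptables `-m mac --mac-source`), then drops the same ports from anyone else. The client IP, MAC and interface are constructed placeholders. One caveat a practitioner wants here: the MAC match only sees the frame that arrived on the interface, so for a client behind a router it matches the router's MAC, and the check is only meaningful on the local Ethernet segment.

```shell
#!/bin/bash
# Added example: restrict the NFS ports from the thread to one client,
# matched on IP address AND MAC address. Run as root from a SuSEfirewall2
# custom hook, or stand-alone. With DRY_RUN=1 the rules are printed instead
# of being applied. The three values below are constructed placeholders.

NFS_CLIENT_IP="${NFS_CLIENT_IP:-192.0.2.10}"
NFS_CLIENT_MAC="${NFS_CLIENT_MAC:-00:11:22:33:44:55}"
NFS_IFACE="${NFS_IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-0}"

# Same ports the post's allow_nfs_ports_in opens, as proto:port(range).
NFS_PORTS="tcp:111 udp:111 udp:2049 udp:600:1399 udp:2100:2499"

# Wrapper so the same function can print (dry run) or apply the rules.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Caveat: -m mac matches the source MAC of the received frame. A client
# behind a router shows up with the router's MAC, so this only restricts
# access meaningfully on the local segment.
nfs_mac_rules() {
    local entry proto port
    # Accept rules first: IP and MAC must both match.
    for entry in $NFS_PORTS; do
        proto=${entry%%:*}   # text before the first colon
        port=${entry#*:}     # everything after it, ranges stay as a:b
        ipt -A INPUT -i "$NFS_IFACE" -p "$proto" --dport "$port" \
            -s "$NFS_CLIENT_IP" -m mac --mac-source "$NFS_CLIENT_MAC" -j ACCEPT
    done
    # Then drop the same ports from every other source on that interface.
    for entry in $NFS_PORTS; do
        proto=${entry%%:*}
        port=${entry#*:}
        ipt -A INPUT -i "$NFS_IFACE" -p "$proto" --dport "$port" -j DROP
    done
}

# Stand-alone use: DRY_RUN=1 ./nfs-mac-rules.sh prints the rules for review.
if [ "$DRY_RUN" = 1 ]; then
    nfs_mac_rules
fi
```

Order matters: the ACCEPT rules must precede the DROP rules in INPUT, and both must sit before any broader SuSEfirewall2 rule that would otherwise accept or reject those ports. The ranges are the post's guesses, so if mounts hang the same port-range caveat from the reply applies.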
Is there any alternative to this?
NFS is a pain. In theory, you need a packet filter which listens in on the portmapper exchange and on the fly opens and closes the udp ports actually being used. In practice, no (unless you implement the theory yourself). If there is another way after all, please let me know as well...

Volker

--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.dnsalias.net/
Please do not CC list postings to me.