26 May 2007

Firewalling NFS, testing SMTP

Yesterday I found a useful Web page explaining how to use Linux iptables to firewall an NFS server. Firewalling NFS is awkward because, apart from nfsd itself (port 2049) and the portmapper (port 111), the helper daemons (rpc.statd, lockd, rpc.mountd and rpc.rquotad) bind to whatever port is free when they start and simply register it with the portmapper, so there is nothing fixed to write a rule for. By following the instructions on this page you can edit a few files to pin each of them to a port of your choosing:

http://www.lowth.com/LinWiz/nfs_help.html

If you are using Red Hat (or something similar, like CentOS), you only have to edit /etc/modprobe.conf, /etc/sysconfig/nfs, and /etc/services. The only thing I'd add to this tutorial is that you can just put something like 'STATD_PORT=4000' in /etc/sysconfig/nfs, rather than hardcoding the rpc.statd port number in the nfslock startup file. Then you can use iptables to control access to the following ports (tcp and udp for each port): 111, 2049, 4000, 4001, 4002, and 4003. After restarting the services, run 'rpcinfo -p' and confirm that every RPC service is registered on the port you assigned it: a daemon that quietly kept a random port gives no error, it is just blocked (or, worse, reachable) without you noticing. I actually had to reboot to get nfslock to start up on port 4001. Oh, well.
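The rule set that follows is an added example, not code from the post or from the lowth.com page. It takes the six ports the post lists and admits them only from one client subnet, and it includes a small check over 'rpcinfo -p' output for daemons that did not land on their assigned port. The client subnet (192.168.1.0/24) and the mapping of the 4000-4003 ports to individual daemons in the comments are assumptions; the post itself only states the port list and the STATD_PORT setting.

```shell
#!/bin/sh
# Added example (not from the original post or the lowth.com page): lock the
# NFS helper daemons to fixed ports and admit only one client subnet with
# iptables.  The daemon-to-port mapping below is an ASSUMPTION; the post only
# says that 111, 2049 and 4000-4003 are the ports to open and that
# STATD_PORT=4000 goes in /etc/sysconfig/nfs.
#
# Assumed layout (Red Hat / CentOS, 2007-era init scripts):
#   /etc/sysconfig/nfs:   STATD_PORT=4000  MOUNTD_PORT=4002  RQUOTAD_PORT=4003
#   /etc/modprobe.conf:   options lockd nlm_udpport=4001 nlm_tcpport=4001
# After changing those, restart nfs/nfslock (or reboot) and confirm with
# "rpcinfo -p" that every service sits on its assigned port (see rpcinfo_check).

NFS_CLIENTS="${NFS_CLIENTS:-192.168.1.0/24}"   # assumed client subnet
NFS_PORTS="111 2049 4000 4001 4002 4003"        # portmapper, nfsd, helpers

# run: execute a command, or only print it when DRY_RUN is set, so the rule
# set can be reviewed without root and without touching the live firewall.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nfs_firewall_rules: for every port and protocol, ACCEPT from the client
# subnet and DROP from everyone else.  -A appends, so run this before any
# catch-all rule you already have at the end of the INPUT chain.
nfs_firewall_rules() {
    for port in $NFS_PORTS; do
        for proto in tcp udp; do
            run iptables -A INPUT -p "$proto" -s "$NFS_CLIENTS" --dport "$port" -j ACCEPT
            run iptables -A INPUT -p "$proto" --dport "$port" -j DROP
        done
    done
}

# rpcinfo_check: read "rpcinfo -p" output on stdin and print every RPC
# service that is NOT on one of the firewalled ports, i.e. a daemon that
# ignored its fixed-port setting.  Exit status 1 if any were found.
# rpcinfo -p columns: program vers proto port name
rpcinfo_check() {
    awk -v ports="$NFS_PORTS" '
        BEGIN { bad = 0; n = split(ports, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 ~ /^[0-9]+$/ && !($4 in ok) { print $5 " on " $3 "/" $4; bad = 1 }
        END { exit bad }'
}

# Apply for real only when invoked as "script.sh apply" without DRY_RUN.
if [ -z "$DRY_RUN" ] && [ "${1:-}" = "apply" ]; then
    nfs_firewall_rules
fi
```

Review the output of `DRY_RUN=1 sh nfs-fw.sh` (a function call with DRY_RUN set prints the 24 rules instead of applying them) before running `sh nfs-fw.sh apply` as root, and pipe `rpcinfo -p | rpcinfo_check` after every NFS restart; both helpers are quiet when everything is where it should be.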

Another useful Web page shows how to run an SMTP session by hand using telnet (you could also use netcat; telnet ends each line with the CRLF the protocol expects, netcat sends exactly what you type, which most servers tolerate):

http://www.yuki-onna.co.uk/email/smtp.html

One useful application of this technique is testing the access rules of an SMTP server: connect from a host that should not be trusted, give a MAIL FROM and then a RCPT TO for a domain the server is not responsible for, and check that the RCPT TO gets a 5xx rejection rather than a 250. That tells you whether you are inadvertently relaying for that host, which is what you want to know before a spammer finds out for you.
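The following is an added example, not code from the post or from the linked page. It scripts the dialogue the page walks through by hand so the relay check can be repeated from several hosts, and it turns the server's replies into a verdict instead of leaving you to read the transcript. The host names and addresses are made up; the pause between lines and the reply counting are my own choices, explained in the comments.

```shell
#!/bin/sh
# Added example, not from the original post or the linked page: run the same
# SMTP dialogue the page shows by hand, but from a script, and decide from the
# server's replies whether it would relay for us.  All names are made up.

SMTP_PAUSE="${SMTP_PAUSE:-1}"   # seconds to wait before each command

# smtp_relay_script: print the client half of a relay probe.  The pause
# before each line gives the server time to answer the previous one, so we
# are not sending commands before the 220 greeting arrives (some MTAs treat
# that as a spam sign and refuse the session).  Lines end in CRLF as SMTP
# requires.
#   $1 = EHLO name, $2 = MAIL FROM address, $3 = RCPT TO address
smtp_relay_script() {
    for line in "EHLO $1" "MAIL FROM:<$2>" "RCPT TO:<$3>" "QUIT"; do
        sleep "$SMTP_PAUSE"
        printf '%s\r\n' "$line"
    done
}

# smtp_relay_verdict: read the server side of the session on stdin and print
# what the RCPT TO reply means.  Only *final* reply lines count (a 3-digit
# code followed by a space; "250-..." lines are continuations of the
# multi-line EHLO reply), and they arrive in a known order:
#   1 greeting, 2 EHLO, 3 MAIL FROM, 4 RCPT TO, 5 QUIT.
# Exit status: 0 = relay refused or deferred, 1 = server accepted the
# recipient (it would relay), 2 = no RCPT TO reply seen at all.
smtp_relay_verdict() {
    awk '
        { sub(/\r$/, "") }
        /^[0-9][0-9][0-9] / { n++; if (n == 4) { code = substr($0, 1, 3); reply = $0 } }
        END {
            if (code == "")  { print "no RCPT TO reply seen"; exit 2 }
            if (code ~ /^2/) { print "RELAY ACCEPTED: " reply; exit 1 }
            if (code ~ /^4/) { print "deferred (greylisting?): " reply; exit 0 }
            print "relay rejected: " reply; exit 0
        }'
}

# Usage against a real MTA (not run here; names are placeholders):
#   smtp_relay_script probe.example.net nobody@example.net someone@elsewhere.example \
#       | nc mail.example.net 25 | smtp_relay_verdict
```

A 4xx on the RCPT TO is not a clean answer: greylisting or a temporary policy failure looks the same, so rerun the probe after the server's retry window before concluding that relaying is refused. Run the probe from each network that should not be trusted (an outside host, a guest VLAN), since relay rules are usually keyed on the client address.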
