1752294
Members
4465
Online
108786
Solutions
SOLVED
HP-UX 11i v3 introduced Secure NFS where you can configure different levels of security on a per-filesystem basis. You can require Kerberos authentication before accessing data, checksum the data on both ends of the connection to ensure the data has not been tampered with, or completely encrypt the data on the wire so anyone sniffing packets cannot see any data.
The NFS Admin guide for 11i v3 describes how to configure this. I'm also going to be posting a technical paper on Secure NFS in the next week or so to docs.hp.com.
Regards,
Dave
I work for HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
> (* Wild Guess to what you want *) Can NFS
> it be used in a DMZ or go through a
> firewall? No. NFS uses different ports
> dynamically. For a DMZ or Firewall the
> assignments would have to be static.
I have many customers using NFS through a firewall. When you say NFS uses different ports dynamically I assume you're referring to the server side daemons like rpc.lockd, rpc.statd, rpc.mountd. Portmapper has always used port 111 and NFS always uses port 2049. So it's these other services that use dynamic ports.
We introduced the ability to assign static port numbers to these daemons a few years ago. This feature is available for HP-UX 11i v1/v2/v3. It allows you to force rpc.lockd to always use port 4045 (for example) rpc.statd to always use 4046 and rpc.mountd to always use 4047 - or whatever port numbers you choose. It's then pretty straight forward to configure the firewall to allow connections to these daemons.
Also, 11i v3 introduced NFS v4. There is no longer a separate MOUNT or LOCK protocol for NFS v4, so all requests go to port 2049. That makes configuring an NFS v4 server behind a firewall pretty easy.
As most people here have said, I don't know if this is what DharmaRao is asking about, but I hope this information helps others.
Regards,
Dave
> it be used in a DMZ or go through a
> firewall? No. NFS uses different ports
> dynamically. For a DMZ or Firewall the
> assignments would have to be static.
I have many customers using NFS through a firewall. When you say NFS uses different ports dynamically I assume you're referring to the server side daemons like rpc.lockd, rpc.statd, rpc.mountd. Portmapper has always used port 111 and NFS always uses port 2049. So it's these other services that use dynamic ports.
We introduced the ability to assign static port numbers to these daemons a few years ago. This feature is available for HP-UX 11i v1/v2/v3. It allows you to force rpc.lockd to always use port 4045 (for example) rpc.statd to always use 4046 and rpc.mountd to always use 4047 - or whatever port numbers you choose. It's then pretty straight forward to configure the firewall to allow connections to these daemons.
Also, 11i v3 introduced NFS v4. There is no longer a separate MOUNT or LOCK protocol for NFS v4, so all requests go to port 2049. That makes configuring an NFS v4 server behind a firewall pretty easy.
As most people here have said, I don't know if this is what DharmaRao is asking about, but I hope this information helps others.
Regards,
Dave
I work for HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]