Run NFS server with fixed ports
11-21-2005 08:42 PM
I'm trying to find a way to force my HP NFS server to use fixed ports (Firewall issue). As far as I found out the various NFS daemon processes do not have a "-p" option like in Linux to set a fixed port.
Has anybody achieved this task under HP-UX?
Thanks in advance for any tips.
-Markus-
11-21-2005 08:47 PM
Re: Run NFS server with fixed ports
As far as I know this is not possible without using the latest NFS version.
NFS uses a random port above 48000. Unless you install the latest NFS version, this seems impossible.
11-21-2005 09:00 PM
Solution
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=646982
11-21-2005 09:02 PM
Re: Run NFS server with fixed ports
# what /usr/sbin/nfsd
/usr/sbin/nfsd:
nfsd.c $Date: 2001/08/28 11:58:31 $Revision: r11.11/3 PATCH_11.11 (PHNE_24035)
We use TCP and UDP connections with NFS protocol v3.
11-21-2005 09:47 PM
Re: Run NFS server with fixed ports
The standard port number of NFS is 2049. If you allow port 2049 in your firewall, it should work fine.
Regards
Indrajit
11-21-2005 10:51 PM
Re: Run NFS server with fixed ports
Unfortunately, allowing only ports 2049 and 111 (portmapper) is not enough, because some of the NFS traffic happens on dynamically chosen ports (RPC).
11-21-2005 11:13 PM
Re: Run NFS server with fixed ports
11-22-2005 09:06 PM
Re: Run NFS server with fixed ports
First assign a permanent port number to each of the NFS services (rquotad, mountd, statd, and lockd). While they can use any unused ports greater than 1024, it is recommended that you first consult the file /etc/services to find a valid unused port range. The following examples use the range 10000-10005.
The majority of the ports are configured through the file /etc/sysconfig/nfs. You will need to create this file if it does not exist. It should look similar to the following example:
# NFS port numbers
STATD_PORT=10002
STATD_OUTGOING_PORT=10003
MOUNTD_PORT=10004
RQUOTAD_PORT=10005
The lockd service is configured differently from the others because it is compiled as a kernel module. To set the port which lockd uses, add a line similar to the following to the end of /etc/modprobe.conf:
options lockd nlm_tcpport=10000 nlm_udpport=10001
In order for the changes to take effect, the module must be reloaded if it is already in use. You can use the commands rmmod and modprobe to reload the lockd module; however if there are module dependencies currently in use, a system restart may be required.
After these configuration changes, you can view the port assignments with the rpcinfo -p
At this point, the ports will remain the same when NFS is restarted. The following is a list of ports which need to be opened on the firewall:
* 111: portmap (tcp/udp)
* 2049: nfs (tcp/udp)
* 10000: example lockd (tcp)
* 10001: example lockd (udp)
* 10002: example statd/status (tcp/udp)
* 10003: example statd/status outgoing (tcp/udp)
* 10004: example mountd (tcp/udp)
* 10005: example rquotad (tcp/udp)
You can now open these ports on the firewall to allow remote clients to mount a share on the server. If you are using iptables, the following commands can be used to add inbound/outbound rules to allow access to these ports. Note that this is only an example, as your specific firewall rules may differ:
iptables -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10001 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -p tcp -m tcp --dport 111 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 111 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 2049 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 2049 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 10000 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10001 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 10002:10005 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 10002:10005 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
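
A check for the verification step in the post above, added here as an example and not part of the original post: it reads `rpcinfo -p` output and reports every RPC registration that the listed firewall ports would not cover. The function name, the DRIFT/UNLISTED labels and the sample rows are constructed for illustration; the port map is the post's example range, and the usual five-column `rpcinfo -p` layout is assumed.

```shell
#!/bin/sh
# Added example: check `rpcinfo -p` output against the firewall allow-list
# from the post above (111, 2049 and the example range 10000-10005).
# 10003 (statd outgoing) is the source port statd sends from; it is not a
# portmapper registration, so it does not appear in this map.
EXPECTED="portmapper/tcp=111 portmapper/udp=111 nfs/tcp=2049 nfs/udp=2049 \
nlockmgr/tcp=10000 nlockmgr/udp=10001 status/tcp=10002 status/udp=10002 \
mountd/tcp=10004 mountd/udp=10004 rquotad/tcp=10005 rquotad/udp=10005"

# Reads `rpcinfo -p` output on stdin and prints one line per registration the
# firewall rules would not cover. Exit status is 1 if anything was reported.
check_nfs_ports() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")          # kv[1]=service/proto kv[2]=port
                split(kv[1], sp, "/")
                want[kv[1]] = kv[2]
                allowed[sp[2] "/" kv[2]] = 1      # proto/port the firewall permits
            }
        }
        $1 ~ /^[0-9]+$/ {                         # data rows only, skip the header
            name = ($5 != "" ? $5 : "prog" $1)    # unnamed programs keep their number
            key = name "/" $3
            if (seen[key "/" $4]++) next          # one report per service, not per version
            if ((key in want) && want[key] != $4) {
                printf "DRIFT %s port %s (expected %s)\n", key, $4, want[key]; bad = 1
            } else if (!(($3 "/" $4) in allowed)) {
                printf "UNLISTED %s port %s\n", key, $4; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: lockd was not reloaded, so its UDP port is still dynamic.
SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100003    3   udp   2049  nfs
    100021    4   tcp  10000  nlockmgr
    100021    4   udp  49157  nlockmgr
    100005    3   tcp  10004  mountd
    100099    1   tcp  49160'

printf '%s\n' "$SAMPLE" | check_nfs_ports || echo "firewall allow-list is out of sync"
```

On a live server the input would be `rpcinfo -p | check_nfs_ports`, run after each NFS restart or module reload.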
11-24-2005 12:53 AM
Re: Run NFS server with fixed ports
Thanks for all your suggestions.
I filed a support case at HP about this question.
The answer:
There is an enhancement request at HP (JAGae78909) about this which is approved but not implemented yet.
Our solution for now will be to let the firewall (Checkpoint/Cisco PIX) analyze the packet contents and filter based on RPC information instead of simple port numbers. I'm sure this will fix our current issue.
See also:
http://www5.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000073906839
Best regards,
-Markus-