MandrakeUser.Org - Your Mandrake-Linux Knowledge Base!


 
 


NFS II

* Customizing And Securing NFS
* NFS Pitfalls

Related Resources:

NFS HOWTO
NFS FAQ
man nfs, man exports, man mount

Revision / Modified: June 23, 2001
Author: Tom Berger

 

* Customizing And Securing NFS

Your setup works now, but if you want to use NFS regularly you will want more convenience and more security.
To mount NFS directories at boot time, you have to enter appropriate lines into /etc/fstab. Here, the line looks like this:

192.168.1.75:/usr/export /mnt/disk nfs rw,hard,intr 0 0

Apart from the options, all entries should be clear (if not, read the article on mounting). rw mounts the export read and write; hard and intr specify what the client does if the NFS server stops answering. hard makes every request retry indefinitely, so a process using the mount blocks until the server is back and then carries on as if nothing had happened; intr lets you kill such a blocked process with a signal (Ctrl-C or kill) instead of having to wait for the server.
Having entered that line and saved the fstab file, do a

service netfs restart

which will mount the NFS directory instantly (you will need portmap running on the clients for that). In future sessions this will be done automatically.

NFS isn't a secure protocol. There are safety rules you should keep in mind:

  • Do not use the 'no_root_squash' option. With the default 'root_squash', requests from UID 0 on a client are mapped to the anonymous user (nobody) on the server, so root on a client cannot touch anything on the export that nobody could not. 'no_root_squash' makes client root equal to root on the exported tree, for every host in that entry. If you need root access to the files, log into the server with SSH and use su there. 'exportfs -v' on the server shows the options actually in effect for each export.

  • 'portmap' has had a number of serious security issues in the past. Therefore restrict access to portmap via '/etc/hosts.deny' and '/etc/hosts.allow'. Enter

    portmap: ALL

    into '/etc/hosts.deny' and then use something like

    portmap: 192.168.1.0/255.255.255.0

    in '/etc/hosts.allow' to unblock portmap for the machines in the 192.168.1.* subnet exclusively, or allow only single machines by IP. man 5 hosts_access has more. Keep in mind that these files only guard daemons that consult them; the kernel NFS server on port 2049 does not, so a client that already knows the port numbers can talk to it without ever asking portmap. That is why you need a packet filter as well.
    Furthermore you should block the ports 111 (TCP/UDP), 745 (UDP), 747 (TCP) and 2049 (TCP/UDP) from all access by untrusted networks. 111 (portmap) and 2049 (nfsd) are fixed; 745 and 747 are merely the ports mountd happened to be given on this machine. mountd and the lock manager (nlockmgr) register with portmap when they start and may end up on different ports on your server or after a reboot, so check with 'rpcinfo -p' and adjust the list.

  • Do not connect the NFS server to the Internet. Protect the clients with a firewall, and if a client has to be connected, at least shut NFS down while it is.

  • NFS (with the AUTH_SYS/AUTH_UNIX flavour used here) relies on the client to properly authenticate users: the server simply trusts the numeric UID and GID the client puts into each request. If your network has clients to which other people have root access, or which can be booted from a floppy, whoever controls such a client can present any UID they like, so you have to consider that all NFS mounted data can eventually be read by any other user.
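Since the mountd and lock-manager ports are handed out by portmap rather than fixed, a practitioner would derive the block list from 'rpcinfo -p' instead of typing numbers from memory. The following shell script is an added example and not part of the original article: it parses a constructed 'rpcinfo -p' listing (on a real server you would pipe the actual 'rpcinfo -p' output into the functions) and prints one iptables DROP rule per registered RPC port for an untrusted interface, named eth1 here purely as an assumption.

```shell
#!/bin/sh
# Added example: derive packet-filter rules for the RPC ports that portmap
# has registered, instead of trusting a fixed list of port numbers.

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp    745  mountd
    100005    1   tcp    747  mountd
    100021    1   udp   1026  nlockmgr'

# rpc_ports: read `rpcinfo -p` on stdin, print unique "proto port service"
# triples. Only lines starting with a numeric program number are data; the
# header is skipped, and a service registered under several program
# versions collapses to one line. A missing service name becomes "-".
rpc_ports() {
    awk '$1 ~ /^[0-9]+$/ { print $3, $4, ($5 == "" ? "-" : $5) }' | sort -u
}

# drop_rules IFACE: read `rpcinfo -p` on stdin and print one iptables rule
# per registered port that drops packets arriving on the untrusted
# interface IFACE. The script only prints the rules; it loads nothing.
drop_rules() {
    iface=$1
    rpc_ports | while read proto port service; do
        printf 'iptables -A INPUT -i %s -p %s --dport %s -j DROP   # %s\n' \
            "$iface" "$proto" "$port" "$service"
    done
}

# Usage on a real server: rpcinfo -p | drop_rules eth1
printf '%s\n' "$SAMPLE_RPCINFO" | drop_rules eth1
```

Because nlockmgr and mountd may land on new ports after every reboot, rules generated this way have to be regenerated at boot after the NFS daemons have started; a default-deny INPUT policy for the untrusted interface, with explicit accepts for what you do want to serve, avoids that race entirely.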

* section index * top

* NFS Pitfalls

  • At the time of writing, ReiserFS and NFS do not work well together. You can install Linux from an NFS mount on a ReiserFS partition, I've done that, but for bigger tasks you should rely on ext2.

  • 'supermount' and NFS don't work together. To export a CD, unmount it and remount it with 'mount'.

  • /etc/exports is very picky about syntax: make sure you do not accidentally leave a space between the client name and the option(s):

    "/etc/exports is VERY sensitive to whitespace - so the following statements are not the same:
    /export/dir hostname(rw,no_root_squash)
    /export/dir hostname (rw,no_root_squash)

    The first will grant hostname rw access to /export/dir without squashing root privileges. The second will grant hostname rw privs w/root squash and it will grant EVERYONE else read-write access, without squashing root privileges. Nice huh?" (NFS HOWTO)

  • NFS is a stateless protocol. Therefore a wrong configuration on the client can have serious consequences if the NFS server goes down: with 'hard' mounts, every process that touches the mount blocks until the server returns. Do not mount NFS exported directories on / or on directories which are part of users' or root's $PATH, otherwise even command lookup in a shell can hang. Consider changing the options in /etc/fstab from 'hard,intr' to 'soft,timeo=300'. timeo is given in tenths of a second, so this makes the client give up on a request after 30 seconds without a reply (retried as many times as 'retrans' says, three by default) and hand the process an I/O error instead of blocking it forever. Be aware that a soft mount which gives up in the middle of a write can leave the file on the server incomplete, so soft mounts are safest for data that is only read.

  • If you are installing ML (Mandrake Linux) via NFS, copy the content of the CDs onto the hard disk. You can't install from an NFS mounted CD. Copy the RPMS from the second, third etc. CDs into the same directory where the RPMS from the first CD are. Apart from that, the process is pretty much the same as with the other installation methods.
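To catch the /etc/exports whitespace trap quoted above (and the 'no_root_squash' rule from the previous section) before the export goes live, here is an added example of a small checker; it is not part of the article or of nfs-utils. It is an awk script wrapped in a shell function that reads exports syntax on stdin and prints one warning per entry that grants more than intended. The sample exports below are constructed (the two lines from the NFS HOWTO quote plus a harmless one); on a real server run 'lint_exports < /etc/exports'.

```shell
#!/bin/sh
# Added example: warn about /etc/exports entries that grant more than
# intended. Reads exports syntax on stdin, prints one line per finding.

# Constructed sample (the two lines from the NFS HOWTO quote plus a sane one).
SAMPLE_EXPORTS='# comment lines and blank lines are ignored

/export/dir hostname(rw,no_root_squash)
/export/dir hostname (rw,no_root_squash)
/usr/export 192.168.1.0/255.255.255.0(rw)'

lint_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        path = $1
        if (NF == 1)
            printf "line %d: %s: no client given, exported to every host\n", NR, path
        for (i = 2; i <= NF; i++) {
            spec = $i; host = spec; opts = ""
            # split "host(opt,opt)" into host and opts; a bare "(opt,opt)"
            # field is what a stray space before the parenthesis produces
            if (match(spec, /\(.*\)$/)) {
                host = substr(spec, 1, RSTART - 1)
                opts = substr(spec, RSTART + 1, RLENGTH - 2)
            }
            if (host == "")
                printf "line %d: %s: options (%s) have no host in front (space before the parenthesis?), so they apply to EVERY host\n", NR, path, opts
            else if (host == "*")
                printf "line %d: %s: wildcard host, exported to every host\n", NR, path
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                printf "line %d: %s: no_root_squash for %s, client root is root on the export\n", NR, path, (host == "" ? "every host" : host)
        }
    }'
}

# Usage on a real server: lint_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | lint_exports
```

For the sample, line 3 draws one warning (no_root_squash for hostname) and line 4 draws two (options with no host, and no_root_squash for every host); the plain subnet export on line 5 passes. The checker deliberately flags 'no_root_squash' even on a single trusted host, since the previous section advises against it altogether.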

* section index * top

 
Legal: All texts on this site are covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB (Tom Berger) and Mandrakesoft 1999-2002.