Red Hat Bugzilla – Bug 473964
mount daemon port random, so iptables can't be used by default
Last modified: 2009-06-11 11:24:42 EDT
Description of problem:
the port used by rpc.mountd is randomized by default, as a result
it's impossible to add it to the firewall tables when asking to open NFS
Version-Release number of selected component (if applicable):
nfs-utils-1.0.9-35z.el5_2 in RHEL
Steps to Reproduce:
1. /etc/init.d/nfs start
2. netstat -ulpn
3. see the port for mountd it's not a predefined one
get a random port.
get a predefined port, get the system-config-securitylevels
to open that port when asking to open NFS
This prevent using iptables when setting up and NFS server unless
one manage to guess why the mount packets are filtered out and how
to fix this in a stable way
It is true, by default, rpc.mountd does bind to random ports,
but rpc.mountd can be tied to a particular port by using the
"--port" option. The easiest way would be to set the RPCNFSDARGS
variable in /etc/sysconfig/nfs.
Is there a reason the --port option can not be used?
Is there a reason it is not used by default? :)
It took me a while to find out there was a random port which needed
to be added to iptables, then to find out it was random and how to
fix it in /etc/sysconfig/nfs . There is also a number of other random
port which might be set up in that config file.
Basically I really didn't want to just drop down iptables but that
was by very far the easiest way. We should not put users in front of
the dilemna of chasing out random port needed by undocumented servers
or just drop security. I think it's our dutie to allow NFS to work
once the user has selected NFS in system-config-securitylevels firewall
setting. And that requires a fixed port by default as far as I understand.
> Is there a reason it is not used by default? :)
What should the defaults be?? As soon as we hard code
a port and daemons start failing because they can't
bind to that port (due to the fact its not free) will
not be good either...
> I think it's our dutie to allow NFS to work once the user has selected NFS in
> system-config-securitylevels firewall setting. And that requires a fixed port
> by default as far as I understand.
Not so much "fixed" ports but registered ports similar to the ones in
/etc/services. That way each daemon could do a getservbyname() call and
find out which port it should use. But then again, what happens if that
port is taken and the bind fails? Should the daemon try for another
port or just fail?
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.
More information and reason for this action is here:
I'm going to close this as not a bug since there are ways
to set static port number which do seem to work.