NFS is one of the original network-based file sharing systems that was developed by Sun Corporation. NFS is one of the many services that Sun developed for their network architechure called RPC or Remote Procefure Call. The various other RPC services offer some amazing functionality such as remote quotas, remote WALLing people, etc. but for now, we will concentrate on NFS.
NFS is considered in many circles to be UN-SECURE. Because of this, few system admins are willing to run it in fear of losing security. Though there are many truthful aspects to this statement, NFS can be made to be more secure and limit its exploitability. To reduce any NFS-related security issues, take the following to heart:
1. Setup a strong packet firewall as shown in TrinityOS or setup a statefully-inspected firewall to protect your NFS server from unauthorized machines (expensive but the ultimate). See below on how to change the TrinityOS IPCHAINS or IPFWADM rule sets to allow in external NFS traffic
2. Setup TCP wrappers as shown below
3. Only allow NFS access from specific NFS clients via the firewall, TCP wrappers, and the /etc/exports file.
4. Even if a NFS hacker got in, they CANNOT traverse to other non-NFS'ed file systems . So, put all your NFS-sharable data on one specific file system. With this in place, you greatly limit your NFS risk.
Linux's NFS support somewhat slow. The reason for this is because the NFS support in Linux's 2.0.x and 2.1.x kernels are in what is called "user space". Because of this, the kernel doesn't have direct control and thus all NFS data transfers have to go through an excessive number of operating system layers. Fortunately, the upcoming Linux 2.2.x kernels will support NFS in "kernel space" which should bring its performance on par with many other UNIXes including the likes of Free/Open/Net-BSD.
There are several NFS optimizations that you can make to NFS but many of them can make NFS unstable. Once I have more time, I will document these tweaks but until then, the LDP's NFS-HOWTO located in /usr/doc/HOWTO or your local LDP mirror documents all this very well.
Down to it...
---
- First, you need to make sure that you compiled in NFS support into the Linux kernel as shown in Section 12. If you didn't, you will need to re-follow that section, enable NFS, compile the kernel, and reboot with the new kernel.
- Second, you need to specify what files on the NFS server you want to make available to remote NFS clients. To do this, create/edit the following file. All additional NFS shares should be put on their own line:
/etc/exports -- #NFS exports file # #In a pinch to backup a whole remote file system / 192.168.0.2(rw,no_root_squash) /home/hpe 192.168.0.2(rw) 192.168.0.4(ro) 192.168.0.10(ro,nosuid,noexec) --
In this configuration file, the first line will allow host 192.168.0.2 full read/write permissions to ALL files (root see's all) on the entire system. The second line will allow the 192.168.0.2 to both READ/WRITE to all files on the NFS server located in "/home/hpe" but only allow 192.168.0.4 READ ONLY access. 192.168.0.10, on the other hand, can only READ this volume and cannot RUN any programs from this NFS share.
In addition to all this, this config only allows users at the various IPs access files and directories which they ALREADY have UNIX permission to. NFS still enforces permissions based on the UserID and GroupID of the user.
There are a LOT of other options here that you might want to run (allow in a whole wildcarded domain, etc.) so check out the well written man page (man exports) or NFS-HOWTO.
- Next, Linux's NFS supports TCP Wrappers. Because of this, you need to configure TCPD to allow all of your desired clients to connect via NFS.
/etc/hosts.allow -- ALL: 192.168.0.2 portmap: 192.168.0.4/255.255.255.255 --
What this means is that host 192.168.0.2 is allowed to access ALL services on the server where as host 192.168.0.4 is ONLY allowed to connect via the RPC Portmapper service.
- Another area of security involves the IPFWADM and/or IPCHAINS packet firewalls. My default IPCHAINS and IPFWADM policies allow *ANY* type of traffic to hit the Linux server from the internal NIC but *REJECT* most types of traffic from the Internet. I would highly recommend that you do this as well. If you have specific needs to enable NFS on your Internet link, you will need to edit your IPCHAINS/IPFWADM rule file and allow:
Port 111 [TCP and UDP] - for the RPC portmapper Port 635 [UDP] - for the NFS mounter Port 2049 [TCP and UDP] - for NFS
For example, change the IPFWADM rule sets for your various EXPLICTITLY allowed-in hosts from Section 10 to add the above TCP and UDP ports:
Incoming traffic:
#secure1.host.com /sbin/ipfwadm -I -a accept -W $extif -P tcp -S $securehost/32 -D $extip ftp ftp-data ssh pop-3 635 # NFS support /sbin/ipfwadm -I -a accept -W $extif -P udp -S $securehost/32 -D $extip 111 635
Outgoing traffic:
#secure1.host.com /sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 -D $securehost/32 ftp ftp-data ssh $unprivports #NFS traffic /sbin/ipfwadm -O -a accept -W $extif -P tcp -S $extip/32 635 -D $securehost/32 /sbin/ipfwadm -O -a accept -W $extif -P udp -S $extip/32 111 2049 -D $securehost/32
- Next, you need to load the RPC Portmapper, mountd, and NFS daemons. You can load them by hand by running the following commands:
Manually:
-- /usr/sbin/portmap /usr/sbin/rpc.mountd /usr/sbin/rpc.nfsd --
Redhat:
-- /etc/rc.d/init.d/portmap start /etc/rc.d/init.d/nfs start --
If you want to run these services permanently, go back to the "Initial System Security Section" Section 8 and undo all NFS, RPC, and Portmapper-related changes for your specific Linux distribution.
- Ok, NFS should be running now. Just to make sure, run the following command and verify it's output:
[root@roadrunner iana]# rpcinfo -p program vers proto port 100000 2 tcp 111 rpcbind 100000 2 udp 111 rpcbind 100005 1 udp 635 mountd 100005 2 udp 635 mountd 100005 1 tcp 635 mountd 100005 2 tcp 635 mountd 100003 2 udp 2049 nfs 100003 2 tcp 2049 nfs
- Next, from the client machine that you want to mount a given NFS share, run
showmount 192.168.0.1
And see if you get a list of NFS shares.
- For the home stretch, lets try to mount the NFS server from an NFS client.
This example shows Linux as the client though any NFS-compatible client such as the various UNIXes, Windows 3.x/95/NT (with 3rd party software), etc. should work fine.
Mount the remote NFS share:
NOTE: Make sure that the client directory /mnt/nfs exists. If it doesn't, just do a "mkdir /mnt/nfs" first.
mount -t NFS 192.168.0.1:/home/hpe /mnt/nfs
- If all went well, the "mount" command should have executed quitely and returned you to the UNIX prompt. So go ahead and look around in the /mnt/nfs directory. You should see all of the remote files just as if they were local!