NFS server resource usage Problems

Source: Internet
Author: User

We have already explained how to install and configure NFS servers. Here we mainly discuss NFS security and resource usage issues. First, let's look at NFS security, beginning with the firewall configuration.

NFS security issues:

1. iptables firewall

If the NFS server is behind a firewall, add the following rules to the firewall policy:

    -A INPUT -p tcp -m state --state NEW -m multiport --dports 111,2049,4001,32764:32767 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m multiport --dports 111,2049,4001,32764:32767 -j ACCEPT
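
An added example, not part of the original article: the Python script below audits rules written in the same syntax as the two above and reports which INPUT ACCEPT rules open the NFS ports and whether each is limited to a source network. The sample rule set is constructed; the 192.168.102.0/24 source restriction and the SSH rule in it are assumptions for the demonstration.

```python
import shlex

# Ports opened by the article's rules: portmapper, nfsd and the helper ports.
NFS_PORTS = {111, 2049, 4001, *range(32764, 32768)}

# Constructed sample in the article's rule syntax. The third rule's source
# subnet and the SSH rule are assumptions added for the demonstration.
SAMPLE_RULES = """\
-A INPUT -p tcp -m state --state NEW -m multiport --dports 111,2049,4001,32764:32767 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 111,2049,4001,32764:32767 -j ACCEPT
-A INPUT -s 192.168.102.0/24 -p tcp -m multiport --dports 111,2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

def expand_ports(spec):
    """Expand a multiport list such as '111,2049,32764:32767' into a set."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(rules_text):
    """Return (protocol, source, ports) for each INPUT ACCEPT rule that
    names an NFS port. Negated matches and port-less rules are not handled."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line, comments=True)
        # Pair every option with the token that follows it.
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opts.get("-A") != "INPUT" or opts.get("-j") != "ACCEPT":
            continue
        spec = opts.get("--dports") or opts.get("--dport")
        exposed = expand_ports(spec) & NFS_PORTS if spec else set()
        if exposed:
            source = opts.get("-s") or opts.get("--source") or "any"
            findings.append((opts.get("-p", "all"), source, sorted(exposed)))
    return findings

def open_to_any(findings):
    """Keep only the findings that accept NFS traffic from every address."""
    return [f for f in findings if f[1] in ("any", "0.0.0.0/0")]

if __name__ == "__main__":
    for proto, source, ports in audit(SAMPLE_RULES):
        print(f"{proto:4} from {source:18} ports {ports}")
    print("unrestricted rules:", len(open_to_any(audit(SAMPLE_RULES))))
```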

2. Use /etc/hosts.allow and /etc/hosts.deny to control client access

The /etc/hosts.allow and /etc/hosts.deny files are the configuration files of the tcpd server. The tcpd server can control the access of external IP addresses to local services. The two configuration files use the following format:

    # Service process name : host list : optional command to run when the rule matches
    server_name:hosts-list[:command]

/etc/hosts.allow controls which IP addresses are allowed to access the local machine, and /etc/hosts.deny controls which IP addresses are prohibited from accessing it. If the configurations of the two files conflict, use /etc/hosts.deny. The following is an example of /etc/hosts.allow:

    # Allow the local machine to access ALL service processes on the local machine
    ALL: 127.0.0.1
    # Allow IP addresses of the 192.168.0. network segment to access the smbd service
    smbd: 192.168.0.0/255.255.255.0

The "ALL" keyword matches all cases. The "EXCEPT" keyword matches all cases except the listed items. "PARANOID" matches when the IP address you want to control and its domain name do not match (the domain name is disguised).

For example, set the /etc/hosts.deny file on the server as follows:

    # cat /etc/hosts.deny
    portmap:192.168.102.15

Then try to mount the shared directory on the client 192.168.102.15:

    # mount 192.168.102.47:/home/share /mnt
    mount to NFS server '192.168.102.47' failed.

We find that the shared directory can no longer be mounted.

Resource usage

In addition to using the mount command to manually mount shared resources, you can also use other methods to automatically mount shared resources:

1. Automatic mounting at startup

Modify the /etc/fstab file of the client and add the following line:

    192.168.102.47:/home/share      /mnt    nfs     rsize=8192,wsize=8192,timeo=14,intr

Restart the client; the shared resource is then mounted automatically when the system starts.

2. Use autofs to mount resources

Autofs uses the automount daemon to manage your mount points. It mounts them dynamically, only when the file system is accessed. Autofs reads the master configuration file /etc/auto.master to determine which mount points to define. It then starts the automount process with the parameters that apply to each mount point. Each line in the master configuration file defines a mount point and names a separate configuration file that defines the file systems to be mounted under that mount point.

Install autofs on the NFS server:

    # aptitude install autofs

Modify the /etc/auto.master file and add the following content:

    /mnt      /etc/auto.nfs

Create the /etc/auto.nfs file as follows:

    nfs -rw,soft,intr,rsize=8192,wsize=8192 192.168.102.47:/home/share

In this way, whenever you enter the /mnt/nfs directory, the system tries to mount the server's shared resource on this directory. Note that the nfs directory is created dynamically by automount and does not otherwise exist on the client machine.

    tonybox2:/# cd /mnt
    tonybox2:/mnt# ls
    tonybox2:/mnt# cd nfs
    tonybox2:/mnt/nfs# ls
    123
    tonybox2:/mnt/nfs# ls -l
    total 4
    -rw-r--r-- 1 nobody nogroup 6 2006-08-22 07:50 123
    tonybox2:/mnt/nfs#

If the /etc/auto.master configuration file is modified, run

    # /etc/init.d/autofs reload

to reload the NFS server.
