We have already explained how to install and configure an NFS server. This part covers the two remaining topics: NFS security, and how clients use the shared resources. Security first. If the server sits behind a firewall, or if only some hosts should be able to reach it, the following steps apply.
NFS security issues:
1. iptables firewall
If the NFS server is behind an iptables firewall, add the following rules to its INPUT chain. They open portmap (111), nfsd (2049) and the ports that mountd, statd and lockd were bound to when the server was configured (4001 and 32764 to 32767 here); this only works if those daemons really are pinned to fixed ports, otherwise portmap hands them random ports and the rules do not match. Note also that, as written, the rules accept these ports from any source address. On a production server add `-s` with the client subnet to each rule so that only NFS clients can reach them.
- -A INPUT -p tcp -m state --state NEW -m multiport --dport 111,2049,4001,32764:32767 -j ACCEPT
- -A INPUT -p udp -m state --state NEW -m multiport --dport 111,2049,4001,32764:32767 -j ACCEPT
2. Use /etc/hosts.allow and /etc/hosts.deny to control client access
/etc/hosts.allow and /etc/hosts.deny are the configuration files of TCP wrappers (tcpd and the libwrap library). Every service built against libwrap consults them to decide whether a connecting IP address may use it. For NFS this covers portmap (rpcbind on newer systems), rpc.mountd and rpc.statd, but not the in-kernel nfsd itself, whose access list lives in /etc/exports. Both files share the same format:
# daemon name: host list: optional command run when the rule matches
- daemon_name: host_list [: command]
/etc/hosts.allow lists the hosts that are granted access and /etc/hosts.deny lists the hosts that are refused. The files are consulted in that order: a connection that matches an entry in hosts.allow is accepted; otherwise one that matches hosts.deny is refused; otherwise it is accepted. So if the two files conflict, hosts.allow wins, and a host that matches neither file gets in. A hosts.deny that only names a few bad hosts is therefore a blacklist, not a default-deny policy. An example /etc/hosts.allow:
- ALL: 127.0.0.1 # allow the local machine to use every service on the local machine
- smbd: 192.168.0.0/255.255.255.0 # allow hosts on the 192.168.0.0/24 network to use the smbd service
The ALL keyword matches everything. EXCEPT is an operator: `list_1 EXCEPT list_2` matches whatever matches list_1 but not list_2, so `ALL EXCEPT 192.168.0.99` means every host except that one. PARANOID matches a host whose address and name do not agree, that is, the name returned by the reverse lookup of the connecting address does not resolve back to that address, which is what a forged reverse DNS entry looks like. Networks can be written as net/mask, as above, or as a leading prefix such as `192.168.0.`; see hosts_access(5) for the full syntax.
For example, put the following in /etc/hosts.deny on the server:
- # cat /etc/hosts.deny
- portmap:192.168.102.15
Then try to mount the shared directory on the client 192.168.102.15:
- # mount 192.168.102.47:/home/share /mnt
- mount to NFS server '192.168.102.47' failed.
The mount now fails: the client is refused by portmap, which it must ask for mountd's port before it can mount anything. Be aware of what this does and does not protect. It refuses only the one listed host, and only the port lookup: a client that already knows the port numbers can skip portmap with the port= and mountport= mount options, so list mountd and statd in hosts.deny as well. Better still, deny ALL by default in hosts.deny, allow only the client subnet in hosts.allow, and keep the host list in /etc/exports tight, since that is the only access control the kernel NFS server itself enforces.
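The evaluation order just described, and the difference between the one-host hosts.deny above and a default-deny setup, are easiest to see by running them. The following Python script is an added example, not part of this tutorial or of tcp_wrappers itself: a small re-implementation of the hosts_access(5) decision (hosts.allow first, then hosts.deny, then allow) for the pattern forms discussed above. The configurations and client addresses in it are constructed for the example; PARANOID is modelled by giving each client the results of its reverse and forward lookups, and the net/prefix-length form is accepted next to net/mask as an assumption, since real tcpd only guarantees net/mask for IPv4.

```python
"""Toy evaluator for the TCP wrappers (tcpd/libwrap) access decision.

Added example, not part of the tutorial. Implements the order from
hosts_access(5): a (daemon, client) pair is granted if it matches
/etc/hosts.allow, otherwise refused if it matches /etc/hosts.deny,
otherwise granted. Patterns: ALL, PARANOID, `a.b.c.` prefixes, `.domain`
suffixes, net/mask (and net/prefixlen, an assumption), literal hosts, and
the EXCEPT operator. Continuation lines, LOCAL/KNOWN/UNKNOWN and the
optional shell-command field are deliberately not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Client:
    """What tcpd knows about a peer: its address, the name from the reverse
    (PTR) lookup if any, and the addresses that name resolves back to."""
    ip: str
    name: Optional[str] = None
    name_addrs: frozenset = frozenset()

    def is_paranoid(self) -> bool:
        # hosts_access(5): PARANOID matches a host whose name and address disagree
        return self.name is not None and self.ip not in self.name_addrs


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return [(daemon_list, client_list)] from hosts.allow/hosts.deny text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1]))   # fields[2:] would be the command
    return rules


def _match_list(pattern_list: str, item, match_one: Callable) -> bool:
    """Match one comma/space separated list, honouring `a EXCEPT b`
    (nested EXCEPTs group to the right, as in tcpd)."""
    tokens = pattern_list.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_list(" ".join(tokens[:i]), item, match_one)
                and not _match_list(" ".join(tokens[i + 1:]), item, match_one))
    return any(match_one(tok, item) for tok in tokens)


def _match_daemon(token: str, daemon: str) -> bool:
    return token == "ALL" or token == daemon


def _match_client(token: str, client: Client) -> bool:
    if token == "ALL":
        return True
    if token == "PARANOID":
        return client.is_paranoid()
    if token.startswith("."):                    # .example.com  (domain suffix)
        return client.name is not None and client.name.endswith(token)
    if token.endswith("."):                      # 192.168.0.    (address prefix)
        return client.ip.startswith(token)
    if "/" in token:                             # net/mask or net/prefixlen
        return ipaddress.ip_address(client.ip) in ipaddress.ip_network(token, strict=False)
    return token in (client.ip, client.name)     # literal address or host name


def _matches(rules, daemon: str, client: Client) -> bool:
    return any(_match_list(d, daemon, _match_daemon) and _match_list(c, client, _match_client)
               for d, c in rules)


def hosts_access(allow_text: str, deny_text: str, daemon: str, client: Client) -> bool:
    """True if tcpd would let `client` talk to `daemon`."""
    if _matches(parse_rules(allow_text), daemon, client):
        return True       # hosts.allow is consulted first and wins
    if _matches(parse_rules(deny_text), daemon, client):
        return False
    return True           # nothing matched: access is granted by default


# Constructed files reproducing the tutorial's examples: one host is refused
# portmap, nothing else is restricted.
PAGE_ALLOW = "ALL: 127.0.0.1\nsmbd: 192.168.0.0/255.255.255.0\n"
PAGE_DENY = "portmap: 192.168.102.15\n"

# Constructed hardened files: refuse everything by default, then admit the NFS
# helper daemons only from the client subnet, minus one host and any peer whose
# reverse DNS does not check out.
HARD_ALLOW = ("ALL: 127.0.0.1\n"
              "portmap, mountd, statd: 192.168.102.0/255.255.255.0 "
              "EXCEPT 192.168.102.15 PARANOID\n")
HARD_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    good = Client("192.168.102.47", "tonybox2", frozenset({"192.168.102.47"}))
    banned = Client("192.168.102.15")
    spoofed = Client("192.168.102.30", "ok.example", frozenset({"192.168.102.99"}))
    outside = Client("10.0.0.5")
    for label, allow, deny in (("tutorial", PAGE_ALLOW, PAGE_DENY),
                               ("hardened", HARD_ALLOW, HARD_DENY)):
        for daemon, peer in (("portmap", good), ("portmap", banned), ("mountd", banned),
                             ("statd", spoofed), ("mountd", outside)):
            verdict = "allow" if hosts_access(allow, deny, daemon, peer) else "deny"
            print(f"{label:8} {daemon:8} {peer.ip:16} {verdict}")
```

Run it with python3 and it prints one verdict per check. The thing to notice: with the tutorial's files every host except 192.168.102.15 reaches portmap, and even that host still reaches mountd; with `ALL: ALL` in hosts.deny only what hosts.allow names gets in, and the loopback entry in hosts.allow keeps working because hosts.allow is consulted first.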
Resource usage
Besides mounting shared resources by hand with the mount command, a client can mount them automatically in two ways:
1. Automatic mounting at boot
Edit the client's /etc/fstab and add the following line:
- 192.168.102.47:/home/share /mnt nfs rsize=8192,wsize=8192,timeo=14,intr 0 0
After a reboot the client mounts the share automatically. timeo=14 is the RPC timeout in tenths of a second before a request is retried; intr used to allow a hung NFS call to be interrupted and is accepted but ignored by modern kernels.
2. Use autofs to mount resources
Autofs uses the automount daemon to manage mount points: a file system is mounted only when something accesses it, and is unmounted again after a period of inactivity. Autofs reads the master map /etc/auto.master to find out which mount points it manages and starts an automount process for each one with the parameters given there. Each line of the master map names one mount point and a separate map file that describes the file systems mounted beneath it.
Install autofs on the NFS client (the machine that will mount the share, not the server):
- # aptitude install autofs
Edit /etc/auto.master and add the following line:
- /mnt /etc/auto.nfs
Create /etc/auto.nfs with the following content:
- nfs -rw,soft,intr,rsize=8192,wsize=8192 192.168.102.47:/home/share
From now on, whenever a process enters /mnt/nfs, automount mounts the server's share there. The nfs directory itself does not exist on the client: automount creates it on demand from the key in the map and removes it when the share is unmounted. Two caveats on the options: soft makes an NFS request return an error once its retries are exhausted instead of waiting for the server, which keeps a dead server from hanging the client but can silently lose data when the writing program ignores the error, so for read-write shares prefer the default hard behaviour; and files created on the share by a client's root user show up as nobody:nogroup, which is the effect of the default root_squash export option.
- tonybox2:/# cd /mnt
- tonybox2:/mnt# ls
- tonybox2:/mnt# cd nfs
- tonybox2:/mnt/nfs# ls
- 123
- tonybox2:/mnt/nfs# ls -l
- total 4
- -rw-r--r-- 1 nobody nogroup 6 2006-08-22 07:50 123
- tonybox2:/mnt/nfs#
If /etc/auto.master is modified later, make autofs reread it:
- # /etc/init.d/autofs reload
This reloads the automounter on the client; the NFS server does not need to be restarted.
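To make the master-map and indirect-map lookup concrete, here is a small Python resolver. It is an added example, not code from this tutorial or from autofs: given the text of auto.master and of the map files it names (constructed copies of the two files above), it reports what automount would mount for a given path, and returns None for a path whose first component is not a key in the map, which is why /mnt/other does not exist on the client while /mnt/nfs appears as soon as it is accessed.

```python
"""Toy resolver for autofs indirect maps.

Added example, not part of the tutorial or of autofs. Given the text of
auto.master and of the map files it names, it answers the question the
walkthrough above raises: what does automount mount when a path under a
managed mount point is accessed? Only indirect maps with entries of the
form `key [-options] location` are modelled; direct maps (/-), wildcards,
+includes and executable maps are out of scope.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple


@dataclass(frozen=True)
class Mount:
    mountpoint: str   # directory automount creates on demand
    fstype: str       # -fstype=..., nfs when absent
    options: str      # remaining mount options
    location: str     # e.g. server:/path


def _lines(text: str) -> Iterator[str]:
    """Yield non-empty lines with comments removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_master(text: str) -> Dict[str, str]:
    """auto.master: `mount-point map [options]` -> {mount-point: map}."""
    master = {}
    for line in _lines(text):
        mountpoint, map_name = line.split()[:2]
        master[mountpoint.rstrip("/") or "/"] = map_name
    return master


def parse_indirect_map(text: str) -> Dict[str, Tuple[str, str, str]]:
    """`key [-opt,opt] location` -> {key: (fstype, options, location)}."""
    entries = {}
    for line in _lines(text):
        key, *rest = line.split()
        fstype, opts = "nfs", []          # autofs assumes nfs when -fstype is absent
        if rest and rest[0].startswith("-"):
            for opt in rest.pop(0)[1:].split(","):
                if opt.startswith("fstype="):
                    fstype = opt[len("fstype="):]
                elif opt:
                    opts.append(opt)
        entries[key] = (fstype, ",".join(opts), " ".join(rest))
    return entries


def resolve(path: str, master_text: str, maps: Dict[str, str]) -> Optional[Mount]:
    """Return the Mount automount performs for `path`, or None when the path
    is outside every managed mount point or its first component is not a key
    in the map (such a directory simply does not exist on the client)."""
    for mountpoint, map_name in parse_master(master_text).items():
        prefix = mountpoint.rstrip("/") + "/"
        if not path.startswith(prefix):
            continue
        key = path[len(prefix):].split("/", 1)[0]
        entry = parse_indirect_map(maps[map_name]).get(key)
        if entry is None:
            return None
        fstype, options, location = entry
        return Mount(prefix + key, fstype, options, location)
    return None


# Constructed copies of the tutorial's two files.
MASTER = "/mnt /etc/auto.nfs\n"
MAPS = {"/etc/auto.nfs":
        "nfs -rw,soft,intr,rsize=8192,wsize=8192 192.168.102.47:/home/share\n"}

if __name__ == "__main__":
    for p in ("/mnt/nfs", "/mnt/nfs/123", "/mnt/other", "/home/share"):
        print(p, "->", resolve(p, MASTER, MAPS))
```

Running it shows that /mnt/nfs and anything below it (such as /mnt/nfs/123) resolve to the same mount of 192.168.102.47:/home/share with the options from the map, while /mnt/other and paths outside /mnt resolve to nothing.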