Tuesday, February 22, 2011

Cisco Firewall Translation, RPC Portmapper, and NFS

I've posted before about problems using NFS through a firewall; they occur because RPC services register on ports handed out dynamically by the portmapper, so the firewall cannot know in advance what to allow. I think the correct way to solve the problem is to configure the NFS server so that RPC services like nlockmgr, rquotad, and mountd listen on fixed ports. On a Red Hat based system this comes down to uncommenting the following in /etc/sysconfig/nfs:

 RQUOTAD_PORT=875 
 LOCKD_TCPPORT=32803
 LOCKD_UDPPORT=32769
 MOUNTD_PORT=892
 STATD_PORT=662

and then configuring your firewall to allow through only those ports, plus the portmapper (tcp/udp 111) and NFS itself (tcp/udp 2049).
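As an added example (not part of the original post), here is a small POSIX shell script that checks the procedure above from the server side: it parses `rpcinfo -p` output and reports any service that is not on the port pinned in /etc/sysconfig/nfs, then prints the matching host-firewall allow list for exactly those ports. The rpcinfo output is constructed so the script runs offline (it deliberately leaves rquotad's UDP registration on a random port to show a failure); the client network 192.0.2.0/24 is a placeholder.

```shell
#!/bin/sh
# Added example: verify RPC services are on the ports pinned in
# /etc/sysconfig/nfs and emit the matching iptables allow list.
# SAMPLE_RPCINFO is constructed; on a real server use `rpcinfo -p` instead.

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   tcp    892  mountd
    100005    3   udp    892  mountd
    100003    4   tcp   2049  nfs
    100003    4   udp   2049  nfs
    100021    4   tcp  32803  nlockmgr
    100021    4   udp  32769  nlockmgr
    100024    1   tcp    662  status
    100024    1   udp    662  status
    100011    2   tcp    875  rquotad
    100011    2   udp  59123  rquotad'

# expected_port SERVICE PROTO: the port each service must be on, taken from
# the /etc/sysconfig/nfs settings in the post (lockd differs by protocol).
# Prints nothing for a service that has no pinned port.
expected_port() {
    case "$1/$2" in
        portmapper/*) echo 111 ;;
        nfs/*)        echo 2049 ;;
        mountd/*)     echo 892 ;;      # MOUNTD_PORT
        status/*)     echo 662 ;;      # rpc.statd, STATD_PORT
        rquotad/*)    echo 875 ;;      # RQUOTAD_PORT
        nlockmgr/tcp) echo 32803 ;;    # LOCKD_TCPPORT
        nlockmgr/udp) echo 32769 ;;    # LOCKD_UDPPORT
        *)            echo "" ;;
    esac
}

# check_rpc_ports: reads `rpcinfo -p` output on stdin. Prints one line per
# registration that is not on its pinned port, or that has no pinned port at
# all (the firewall would silently block it). Returns 0 only if all match.
check_rpc_ports() {
    rc=0
    while read -r prog vers proto port service; do
        case "$prog" in ""|program) continue ;; esac   # blank or header line
        want=$(expected_port "$service" "$proto")
        if [ -z "$want" ]; then
            echo "UNPINNED  $service/$proto on port $port (no firewall rule for it)"
            rc=1
        elif [ "$port" != "$want" ]; then
            echo "MISMATCH  $service/$proto on port $port (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# nfs_iptables_rules [CLIENT_NET]: print allow rules for exactly the pinned
# ports, restricted to the NFS client network (192.0.2.0/24 is a placeholder).
nfs_iptables_rules() {
    net="${1:-192.0.2.0/24}"
    for pp in tcp/111 udp/111 tcp/2049 udp/2049 tcp/892 udp/892 \
              tcp/662 udp/662 tcp/875 udp/875 tcp/32803 udp/32769; do
        proto=${pp%/*}
        port=${pp#*/}
        echo "iptables -A INPUT -s $net -p $proto --dport $port -j ACCEPT"
    done
}

# Demo on the constructed sample: rquotad's UDP side is still on a random
# port, so the check fails and names it.
if printf '%s\n' "$SAMPLE_RPCINFO" | check_rpc_ports; then
    echo "all RPC services are on their pinned ports"
else
    echo "fix /etc/sysconfig/nfs and restart the NFS services before relying on the port list"
fi
nfs_iptables_rules
```

Run it after every NFS restart: a service that drifts back to a random port (for example after a package update rewrites /etc/sysconfig/nfs) shows up as MISMATCH rather than as a mysterious hang on the client side when locking or quota calls hit the firewall.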

Today I learned that if you are using a Cisco firewall you can skip the above and instead enable inspect rpc: when the portmapper tells the client to use a random port for a service like nlockmgr, rquotad, or mountd, the firewall reads that reply and dynamically opens the same random port, exclusively between that NFS client and NFS server. This surprised me, as it seems odd to imagine a server asking the firewall to open a port because it wants to use it.

What also surprised me is that for FWSM versions older than 3.2, this won't work if you use xlate-bypass. So, if you thought along the lines of "I don't need NAT, let's turn off xlates" and enabled xlate-bypass, then you will break sunrpc. I am personally in favor of using neither xlates nor sunrpc.