Anil_dasmala asked on

How to get an NFSv4 mount working without using the insecure mount option on SUSE Linux 11

I'm trying to mount a filesystem with NFSv4 on a DMZ host; we allowed port 2049 through the network firewall,

so the mount is only working when the insecure option is given in /etc/exports on the server.
We want it working without that option; when we try, we get

mount -t nfs4 -o defaults,timeo=14,intr,port=2049 server:/exportimport  /exportimport
mount.nfs4: Operation not permitted error on client

and on the server we see the message below:
nfsd: request from insecure port x.x.x.x, port=49754!

Now, is there a way to force the client to request secure ports during the mount..? And can that port be 2049..? Can somebody explain please. Thank you.
Both machines, NFS source and server, are SUSE Linux 11 SP2.

Last comment: Member_2_406981, 8/22/2022 - Mon
Member_2_406981

Secure port means that the NFS client will use a port <=1024 to mount the NFS share on the server. This will ensure that no user without root privileges can forge NFS communications and access NFS resources in a way not permitted.

You need to allow the client to access the server on the NFS port from (source port on the client) any port <=1024 to use NFS secure mount.

A good reading about NFS security can be found here:

http://nfs.sourceforge.net/nfs-howto/ar01s06.html

A reason why a strange insecure port would be used for the mount could be some kind of NAT on the way from the client to the server, e.g. behind a NAT router or running inside a virtual machine with NAT network bindings.
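As an added example (not code from the thread or from Experts Exchange), the following POSIX shell script shows the check behind the answer above: it reads ss-style socket output on the NFS client, reports whether each connection to TCP port 2049 originates from a reserved source port (below 1024, which is what the server's default secure export option demands), and flags export lines that rely on the insecure option. All sample data is constructed; the addresses, paths and subnets are hypothetical.

```shell
#!/bin/sh
# Added example: classify NFS client source ports and audit /etc/exports.

# Constructed sample of `ss -tn` output on the client (not captured from the
# asker's machines). Columns: State Recv-Q Send-Q Local:Port Peer:Port.
# The first 2049 connection mirrors the server log in the question (port 49754).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      172.16.10.20:49754   203.0.113.10:2049
ESTAB  0      0      172.16.10.20:22      198.51.100.5:51422
ESTAB  0      0      172.16.10.20:1010    203.0.113.11:2049'

# Constructed sample /etc/exports on the server (hypothetical paths/subnets).
SAMPLE_EXPORTS='/exportimport 172.16.0.0/16(rw,sync,insecure,no_subtree_check)
/data         10.0.0.0/8(rw,sync,no_subtree_check)'

# nfs_source_ports: read ss-style lines on stdin and print
# "<peer-ip> <local-port> secure|insecure" for every connection to TCP 2049.
# Linux treats source ports below 1024 as reserved (privileged); that is what
# the NFS server's default "secure" export option requires of the client.
nfs_source_ports() {
    awk '$5 ~ /:2049$/ {
        nl = split($4, l, ":")
        lport = l[nl] + 0                 # local (client) source port
        peer = $5; sub(/:[0-9]+$/, "", peer)   # strip the port from the peer
        print peer, lport, (lport < 1024 ? "secure" : "insecure")
    }'
}

# mount_secure_verdict SERVER: exit 0 when every 2049 connection to SERVER in
# the stdin ss output uses a reserved port, exit 1 otherwise.
mount_secure_verdict() {
    nfs_source_ports | awk -v s="$1" '
        $1 == s && $3 == "insecure" { bad++ }
        END { if (bad > 0) exit 1; exit 0 }'
}

# exports_needing_review: print export lines whose option list contains
# "insecure", i.e. where the server accepts requests from any client port.
exports_needing_review() {
    awk '/[(,]insecure[,)]/'
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SS" | nfs_source_ports
printf '%s\n' "$SAMPLE_EXPORTS" | exports_needing_review
```

On a real client, pipe the live output of `ss -tn` into `nfs_source_ports`; a non-reserved hit such as the 49754 entry is the client-side counterpart of the server's "request from insecure port" message quoted in the question. The Linux NFS client picks a reserved source port by default (the `resvport` mount option, with `noresvport` as the opt-out, as documented in nfs(5)), so when the server still sees a high port, something between the two hosts, typically NAT, has rewritten the source port, which is the point the answer makes.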
Anil_dasmala

ASKER
Andreas, thank you for the comment. Yes, these are both virtual machines under VMware.
And can you please elaborate on how we can set the client to use privileged ports / secure ports in Linux..?

I know in AIX there is an option called nfs_use_reserved_ports which can be set with the nfso command. Is there anything similar in Linux..?
Member_2_406981

If they are virtual, you NEED to use bridged networking with their own IPs in the same LAN as the server. If you use internal IPs and NAT over the host OS, the secure mount option will not work.

I'm not aware of a way to influence the port mappings on the VMware NAT; maybe others know a way if there is any (I've never heard about it before).

So I would suggest:

setting the boxes' networking to bridged mode and assigning them free IPs of the same subnet as the host OS.
Anil_dasmala

ASKER
Unfortunately my requirement is to NFS mount inside a VM which is in the DMZ.
No chance for us to keep the same IPs in the same subnet.

Between an AIX machine and Linux, I'm able to do it, but between two Linux machines it demands insecure.
Maybe I'm missing something to configure on the Linux client side.
ASKER CERTIFIED SOLUTION
Member_2_406981

Anil_dasmala

ASKER
Thank you for the information, Andrew. The VM in the DMZ (NFS client) IP is 172.16.*.* and the NFS server IP is a public IP.
Looks like there is no way, or at least not a simple way, to avoid insecure NFS mounts. If you have some other suggestion, comments are welcome.
Member_2_406981

My suggestion is to use bridging with IPs in another subnet than the server's. These could also be private addresses, but then set your network up in a way that these private IPs are INTERNALLY routable to the IP of the server without using NAT.

This new subnet could also be configured with similar access restrictions as your DMZ. All port blocks that NAT would provide could also be achieved by normal packet filtering.
Member_2_406981

Furthermore, you might ask again here; some VMware folks may know how to configure VMware networking and NAT accordingly.