Solved

how to get nfsv4 mount working without using insecure mount option suse linux 11

Posted on 2014-11-26
Last Modified: 2014-11-27
I'm trying to mount a filesystem with NFSv4 on a DMZ host; we allowed port 2049 through the network firewall,

so the mount only works when the insecure option is given in /etc/exports on the server.
We want it working without that option; when we tried, we got

mount -t nfs4 -o defaults,timeo=14,intr,port=2049 server:/exportimport  /exportimport
mount.nfs4: Operation not permitted error on client

 and on the server we see the message below
 nfsd: request from insecure port x.x.x.x, port=49754!

Now, is there a way to force the client to request secure ports during the mount? And can that port be 2049? Can somebody explain, please? Thank you.
Both machines, NFS source and server, are SUSE Linux 11 SP2.
Question by:Anil_dasmala
8 Comments

Expert Comment

by:andreas
ID: 40468585
Secure port means that the NFS client will use a port <=1024 to mount the NFS share on the server. This will ensure that no user without root privileges can forge NFS communications and access NFS resources in a way not permitted.

You need to allow the client to access the server on the NFS port from (source port on the client) any port <=1024 to use NFS secure mount.

A good reading about NFS security can be found here:

http://nfs.sourceforge.net/nfs-howto/ar01s06.html

A reason why a strange insecure port is used for the mount could be some kind of NAT on the way from the client to the server, e.g. behind a NAT router or running inside a virtual machine with NAT network bindings.
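As an added example that is not part of this thread, and not code from SUSE or the Linux NFS project: a small POSIX shell script that applies the rule andreas describes (a source port below 1024 counts as secure) to the server's kernel log message quoted in the question and to /etc/exports. Every host, path and log line in it is constructed; on a real server you would feed it `dmesg` output and the actual /etc/exports. The `secure` export option is the kernel's default and is what rejects requests arriving from a port of 1024 or above; `insecure` waives that check for the export it is set on.

```shell
#!/bin/sh
# Added example, not part of the thread: the checks behind nfsd's "secure" export
# rule. The `secure` export option (the default) only accepts requests whose
# source port is below 1024; `insecure` lifts that. All sample data is constructed.

# Succeed (exit 0) when PORT is a privileged source port, i.e. 1..1023.
is_privileged_port() {
    if [ "$1" -ge 1 ] && [ "$1" -lt 1024 ]; then
        return 0
    fi
    return 1
}

# Print "secure" or "insecure" for a source port, as the exports `secure` check sees it.
classify_source_port() {
    if is_privileged_port "$1"; then
        echo secure
    else
        echo insecure
    fi
}

# Read kernel log lines on stdin and print "IP PORT" for every
# "nfsd: request from insecure port" message.
insecure_port_events() {
    sed -n 's/.*nfsd: request from insecure port \([0-9.]*\), port=\([0-9]*\)!.*/\1 \2/p'
}

# Read /etc/exports text on stdin and print every export line that carries the
# `insecure` option (the pattern does not match the unrelated `insecure_locks`).
exports_with_insecure() {
    grep -E '\((.*,)?insecure(,.*)?\)'
}

# Constructed sample kernel log, modelled on the message quoted in the question.
SAMPLE_DMESG='Nov 26 10:14:02 nfsserver kernel: nfsd: request from insecure port 172.16.10.5, port=49754!
Nov 26 10:14:09 nfsserver kernel: nfsd: last server has exited, flushing export cache
Nov 26 10:15:31 nfsserver kernel: nfsd: request from insecure port 172.16.10.7, port=33120!'

# Constructed sample /etc/exports (hypothetical hosts and paths).
SAMPLE_EXPORTS='/exportimport 172.16.10.5(rw,sync,no_subtree_check)
/exportimport 172.16.10.6(rw,sync,insecure,no_subtree_check)
/data 10.0.0.0/8(ro,insecure_locks)'

# Report each logged insecure request together with how nfsd classifies its port.
report_insecure_requests() {
    printf '%s\n' "$SAMPLE_DMESG" | insecure_port_events | while read -r ip port; do
        printf '%s:%s -> %s\n' "$ip" "$port" "$(classify_source_port "$port")"
    done
}

# Stand-alone run: show the offending requests and the exports that already
# waive the check. On a server, replace the samples with `dmesg` and /etc/exports.
report_insecure_requests
printf '%s\n' "$SAMPLE_EXPORTS" | exports_with_insecure
```

The useful comparison is between the port the server logs and the port the client actually bound: `ss -tn` (or `netstat -tn` on older systems) on the client, filtered on `:2049`, shows the local port of the NFS connection. If the client side is below 1024 but the server logs a high port, the source port was rewritten on the path, which is exactly the NAT situation the rest of this thread ends up diagnosing, and neither the mount options nor the client's exports can change that.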

Author Comment

by:Anil_dasmala
ID: 40468609
Andreas, thank you for the comment. Yes, these are both virtual machines under VMware.
And can you please elaborate on how we can set the client to use privileged ports / secure ports in Linux?

I know in AIX there is an option called nfs_use_reserved_ports which can be set with the nfso command. Is there anything similar in Linux?

Expert Comment

by:andreas
ID: 40468619
If they are virtual, you NEED to use bridged networking with their own IPs in the same LAN as the server. If you use internal IPs and NAT over the host OS, the secure mount option will not work.

I'm not aware of a way to influence the port mappings on the VMware NAT; maybe others know a way, if there is any (I've never heard about it before).

So I would suggest:

setting the boxes networking to bridged mode and assign them free IPs of the same subnet as the host-OS.

Author Comment

by:Anil_dasmala
ID: 40468706
Unfortunately my requirement is to NFS mount inside a VM which is in the DMZ.
No chance for us to keep the same IPs in the same subnet.

Between an AIX machine and Linux, I'm able to do it, but between two Linux machines it demands insecure.
Maybe I'm missing something to configure on the Linux client side.

Accepted Solution

by:andreas (earned 500 total points)
ID: 40469252
You might put the VMs in their own DMZ net that is not doing NAT; the main problem seems to be the NAT the VMs seem to be configured with right now.

What IP is assigned to the VM, to the host and to the NFS server? If you can't/won't post this info here, you need to explain how the VMs are connected to the network.

With VMware with NAT networking, I'm not aware of a way to avoid insecure mounts.

Author Closing Comment

by:Anil_dasmala
ID: 40469295
Thank you for the information, Andreas. The VM in the DMZ (NFS client) IP is 172.16.*.* and the NFS server IP is a public IP.
Looks like there is no way, or at least not a simple way, to avoid insecure NFS mounts. If you have some other suggestion, comments are welcome.

Expert Comment

by:andreas
ID: 40469517
My suggestion is to use bridging with IPs in another subnet than the server's. These could also be private addresses, but then set your network up in a way that these private IPs are INTERNALLY routable to the IP of the server without using NAT.

This new subnet could also be configured with similar access restrictions as your DMZ. All port blocks that NAT would provide can also be achieved by normal packet filtering.

Expert Comment

by:andreas
ID: 40469541
Furthermore, you might ask some VMware folks here again about how to configure VMware with respect to NAT and networking.