
Re: s-s-s-l-l-l-o-o-o-w-w-w nfs connect ???



mds@helices.org said:
>> is the fast client running portmap and the slow one not?
> Good catch!  Thank you.
> 
> How does the slow system, without portmap, ever get the connection?

It times out.

> Isn't portmap a security hole?

Not unless you have a crappy portmap. Portmap itself is pretty simple,
and thus easily auditable. That makes it more trustworthy to me. The
other RPC services that portmap may be mapping are another story. But in
this case, you're only running portmap on the client.

The fact that you're using nfs at all shows that you're willing to risk
some exposure. I wouldn't use nfs on an untrusted network.

> Is this the ``right'' way to do this?

I believe so, but I'm no nfs admin. The failure you get without portmap
is this in your kernel log:

	portmap: server localhost not responding, timed out
	lockd_up: makesock failed, error=-5

So it seems that the client wants to see if lockd is running on
localhost, and times out when asking portmap about it.

If you're really concerned about security, just firewall everything but
localhost from accessing your sunrpc port. It looks like no remote
connections need to be made to it.

Jason
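
The firewall suggestion above, as an added example that is not part of the original message. It assumes a Linux host with iptables (the message names no firewall tool) and the standard sunrpc port 111; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes Linux iptables.
SUNRPC_PORT=111   # portmap (sunrpc) listens here on both TCP and UDP

# Print the rules in `iptables -S` form: loopback ACCEPT first, then DROP.
sunrpc_rules() {
    for proto in tcp udp; do
        echo "-A INPUT -i lo -p $proto -m $proto --dport $SUNRPC_PORT -j ACCEPT"
        echo "-A INPUT -p $proto -m $proto --dport $SUNRPC_PORT -j DROP"
    done
}

# Apply the rules (needs root). -C tests for an existing rule first, so
# running this twice does not append duplicates.
apply_sunrpc_rules() {
    sunrpc_rules | while read -r flag spec; do
        iptables -C $spec 2>/dev/null || iptables -A $spec || exit 1
    done
}

# Audit `iptables -S INPUT` text on stdin. Succeeds only if, for TCP and UDP,
# port 111 hits an unconditional DROP and no earlier rule accepts it on a
# non-loopback interface. Deliberately strict: an ACCEPT limited by -s
# instead of -i lo is reported as exposed; multiport rules are not parsed.
audit_sunrpc() {
    awk -v port="$SUNRPC_PORT" '
        $0 !~ ("--dport " port "( |$)") { next }   # rule is about another port
        { proto = ($0 ~ /-p udp/) ? "udp" : "tcp" }
        /-j ACCEPT/ && !/-i lo / && !dropped[proto] { exposed = 1 }
        /-j DROP/ && !/ -[is] / { dropped[proto] = 1 }
        END { exit !(dropped["tcp"] && dropped["udp"] && !exposed) }
    '
}

# Dry run: show what apply_sunrpc_rules would add.
sunrpc_rules
```

Appended rules only take effect if no earlier INPUT rule already accepts the port; piping `iptables -S INPUT` into `audit_sunrpc` after applying checks for that.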



