RedhatEnterpriseLinux Blog

Installing and configuring nfs-server step by step part 3


NFSD Firewall and SELinux Configuration
NFS is one of the many Red Hat services that can take advantage of TCP Wrappers as well as firewall rules for security. We don’t use TCP Wrappers here, but should you run into trouble on the exam with the NFS service not working, don’t forget to check to see whether anything is being filtered by TCP Wrappers. Because you are using NFS version 4 here, you need to create only a single firewall rule.


Step 1. Use iptables to create the additional firewall rule:
# iptables -I INPUT 5 -p tcp -m tcp --dport 2049 -j ACCEPT

Step 2. Save the firewall rules you just created:
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables         [ OK ]

Step 3. Restart the iptables service:
# service iptables restart
iptables: Flushing firewall rules:                         [ OK ]
iptables: Setting chains to policy ACCEPT: filter          [ OK ]
iptables: Unloading modules:                               [ OK ]
iptables: Applying firewall rules:                         [ OK ]

To complete this section, let’s make some adjustments to SELinux for the NFS service to function properly.

Table: SELinux Booleans
Boolean                  Description
nfs_export_all_ro        Allows NFS to share files and directories as read-only
nfs_export_all_rw        Allows NFS to share files and directories as read/write
httpd_use_nfs            Allows httpd to access NFS file systems
use_nfs_home_dirs        Supports NFS home directories
samba_share_nfs          Allows Samba to export NFS volumes
allow_nfsd_anon_write    Allows NFS servers to modify public files
allow_ftpd_use_nfs       Allows FTP servers to use NFS for public file transfer services

Step 1. Query for the Boolean value you need to change:
# getsebool -a | grep nfs
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
git_system_use_nfs --> off
httpd_use_nfs --> off
nfs_export_all_ro --> off
nfs_export_all_rw --> off
qemu_use_nfs --> on
samba_share_nfs --> off
use_nfs_home_dirs --> off
virt_use_nfs --> off
xen_use_nfs --> off

Step 2. Enable only the Booleans that you need (each one you turn on relaxes SELinux protection for that feature):
# setsebool -P nfs_export_all_ro=1 nfs_export_all_rw=1

Step 3. Verify that the Booleans have changed:
# getsebool -a | grep nfs
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
git_system_use_nfs --> off
httpd_use_nfs --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
qemu_use_nfs --> on
samba_share_nfs --> off
use_nfs_home_dirs --> off
virt_use_nfs --> off
xen_use_nfs --> off
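
As an added check (not part of the original post), the script below verifies both halves of this procedure: that the port 2049 ACCEPT rule sits ahead of the catch-all REJECT in the INPUT chain, and that no NFS-related Boolean is on beyond the ones you intended. The function names and sample data are constructed for illustration; on a real server, feed the functions /etc/sysconfig/iptables and the output of getsebool -a.

```shell
# Added example (not from the original post). Function names are hypothetical.

# Reads saved rules (iptables-save format) on stdin. Succeeds only if an
# ACCEPT for tcp/2049 sits in INPUT before the first catch-all REJECT/DROP.
nfs_rule_reachable() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            if (/-p tcp/ && /--dport 2049( |$)/ && /-j ACCEPT/) { found = 1; exit }
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# Reads `getsebool -a` output on stdin; arguments are the Booleans expected
# to be on. Prints every NFS-related Boolean whose state differs.
nfs_bool_drift() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) on[w[i]] = 1 }
        $1 ~ /nfs/ && $2 == "-->" {
            seen[$1] = 1
            if ($3 == "on" && !($1 in on)) print $1 " unexpected-on"
            if ($3 == "off" && ($1 in on)) print $1 " expected-on"
        }
        END { for (b in on) if (!(b in seen)) print b " missing" }
    '
}

# Constructed sample: an INPUT chain after Step 1's insert at position 5.
sample_rules() { cat <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Constructed sample: subset of the Step 3 getsebool output shown above.
sample_bools() { cat <<'EOF'
allow_nfsd_anon_write --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
qemu_use_nfs --> on
EOF
}

sample_rules | nfs_rule_reachable && echo "2049/tcp: reachable" || echo "2049/tcp: shadowed or missing"
sample_bools | nfs_bool_drift nfs_export_all_ro nfs_export_all_rw   # flags qemu_use_nfs
```

If the insert position in Step 1 lands after the chain's REJECT rule on your system, the first check fails even though the rule is present in the saved file.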

Now your basic security requirements should be taken care of. The SELinux Booleans have been set and firewall rules added. Let’s look now at additional security you can provide for the NFS server.

Installing and configuring nfs-server step by step part 4

My name is Abdul Razaq but people call me Raziq. Here is my home page: www.redhatenterpriselinux.blogspot.com I live in Quetta, Pakistan and work as an IT-Engineer.