-The portmapper on Linux is called either The portmapper on FreeBSD is called . Which I,
@@ -157,24 +157,23 @@
use./ There is a separate section in this HOWTO about other Unixes
Now we're set to start mountd (or maybe it's called Now we're set to start mountd
+and then nfsd. They will both
read the exports file.
If you edit /etc/exports you will have to make sure nfsd
and mountd knows that the files have changed. The traditonal way is
-to run
#!/bin/sh
-killall -HUP /usr/sbin/rpc.mountd
-killall -HUP /usr/sbin/rpc.nfsd
+/bin/kill -HUP `/bin/cat /var/run/mountd.pid`
echo re-exported file systems
-
Save it in, say, /usr/sbin/exportfs , and don't forget to
+
Save it in, say, /usr/local/sbin/exportfs , and don't forget to
Setting up a NFS client
First you will need a kernel with the NFS file system either
-compiled in or available as a module. This is configured before you
-compile the kernel. If you have never compiled a kernel before you
-might need to check the kernel HOWTO and figure it out. If you're
-using a very cool distribution (like Red Hat) and you've never fiddled
-with the kernel or modules on it (and thus ruined it ;-), nfs is
-likely automagicaly available to you.
+compiled in or available as a module. This is configured in the GENERIC
+FreeBSD kernel for you.
You can now, at a root prompt, enter a appropriate mount command and
the file system will appear. Continuing the example in the previous
@@ -259,7 +254,7 @@
as this is required:
-# device mountpoint fs-type options dump fsckorder
+# Device Mountpoint FStype Options Dump Pass#
...
eris:/mn/eris/local /mnt nfs rsize=1024,wsize=1024 0 0
...
@@ -294,7 +289,7 @@
Picking up the previous example, this is now your fstab entry:
-# device mountpoint fs-type options dump fsckorder
+# Device Mountpoint FStype Options Dump Pass#
...
eris:/mn/eris/local /mnt nfs rsize=1024,wsize=1024,hard,intr 0 0
...
@@ -304,8 +299,8 @@
Optimizing NFS
Normally, if no rsize and wsize options are specified NFS will read
-and write in chunks of 4096 or 8192 bytes. Some combinations of Linux
-kernels and network cards cannot handle that large blocks, and it
+and write in chunks of 4096 or 8192 bytes. Some
+network cards cannot handle that large blocks, and it
might not be optimal, anyway. So we'll want to experiment and find a
rsize and wsize that works and is as fast as possible. You can test
the speed of your options with some simple commands. Given the mount
@@ -341,7 +336,7 @@
have different optimal sizes. SunOS and Solaris is reputedly a lot
faster with 4096 byte blocks than with anything else.
-
Newer Linux kernels (since 1.3 sometime) perform read-ahead for
+
Newer FreeBSD kernels (since 3.0) perform read-ahead for
rsizes larger or equal to the machine page size. On Intel CPUs the
page size is 4096 bytes. Read ahead will
-/dir -async,access=linuxbox
+/dir -async,access=freebsdbox
or something similar. Please refer to the exports man page on the
@@ -587,10 +582,10 @@
servers root account. In the NFSd man page there are several other
squash options listed so that you can decide to mistrust whomever you
(don't) like on the clients. You also have options to squash any UID
-and GID range you want to. This is described in the Linux NFSd man
+and GID range you want to. This is described in the FreeBSD NFSd man
page.
-
root_squash is in fact the default with the Linux NFSd, to grant
+
root_squash is in fact the default with the FreeBSD NFSd, to grant
root access to a filesystem use Another important thing is to ensure that nfsd checks that all it's
@@ -598,7 +593,7 @@
any old port on the client a user with no special privileges can run a
program that's is easy to obtain over the Internet. It talks nfs
protocol and will claim that the user is anyone the user wants to be.
-Spooky. The Linux nfsd does this check by default, on other OSes you
+Spooky. The FreeBSD nfsd does this check by default, on other OSes you
have to enable this check yourself. This should be described in the
nfsd man page for the OS.
@@ -609,74 +604,9 @@
The basic portmapper, in combination with nfsd has a design problem
that makes it possible to get to files on NFS servers without any
-privileges. Fortunately the portmapper Linux uses is relatively
-secure against this attack, and can be made more secure by configuring
-up access lists in two files.
+privileges. Fortunately the portmapper FreeBSD uses is relatively
+secure against this attack.
-
First we edit /etc/hosts.deny . It should contain the line
-
-
-portmap: ALL
-
-
-which will deny access to /etc/hosts.allow
.
-But first we need to figure out what to put in it. It should
-basically list all machines that should have access to your
-portmapper. On a run of the mill Linux system there are very few
-machines that need any access for any reason. The portmapper
-administrates nfsd, mountd, ypbind/ypserv, pcnfsd, and 'r' services
-like ruptime and rusers. Of these only nfsd, mountd, ypbind/ypserv
-and perhaps pcnfsd are of any consequence. All machines that needs to
-access services on your machine should be allowed to do that. Let's
-say that your machines address is 129.240.223.254 and that it lives on
-the subnet 129.240.223.0 should have access to it (those are terms
-introduced by the networking HOWTO, go back and refresh your memory if
-you need to). Then we write
-
-
-portmap: 129.240.223.0/255.255.255.0
-
-
-in
-...
-eth0 Link encap:10Mbps Ethernet HWaddr 00:60:8C:96:D5:56
- inet addr:129.240.223.254 Bcast:129.240.223.255 Mask:255.255.255.0
- UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
- RX packets:360315 errors:0 dropped:0 overruns:0
- TX packets:179274 errors:0 dropped:0 overruns:0
- Interrupt:10 Base address:0x320
-...
-
-
-and
-Kernel routing table
-Destination Gateway Genmask Flags Metric Ref Use Iface
-...
-129.240.223.0 0.0.0.0 255.255.255.0 U 0 0 174412 eth0
-...
-
-
-(Network address in first column).
-
-The The above things should make your server tighter. The only
-remaining problem (Yeah, right!) is someone breaking root (or boot
-MS-DOS) on a trusted machine and using that privilege to send requests
-from a secure port as any user they want to be.
NFS and firewalls
@@ -692,13 +622,13 @@
Summary
-If you use the hosts.allow/deny, root_squash, nosuid and privileged
+
If you use the nosuid and privileged
port features in the portmapper/nfs software you avoid many of the
presently known bugs in nfs and can almost feel secure about /home
/var/spool/mail are mounted over NFS. For the same reason,
+/var/mail are mounted over NFS. For the same reason,
you should never access your PGP private key over nfs. Or at least
you should know the risk involved. And now you know a bit of it.
@@ -706,10 +636,10 @@
it's not totally unlikely that new bugs will be discovered, either in
the basic design or the implementation we use. There might even be
holes known now, which someone is abusing. But that's life. To keep
-abreast of things like this you should at least read the newsgroups
- and at a
+abreast of things like this you should at least read the mailing lists
+
+at a
absolute minimum.
Mount Checklist
@@ -761,10 +691,7 @@
The HOWTO author recommends using NTP to synchronize clocks. Since
-there are export restrictions on NTP in the US you have to get NTP for
-debian, redhat or slackware from
-ftp://ftp.hacktic.nl/pub/replay/pub/linux or a mirror.
+The HOWTO author recommends using NTP to synchronize clocks.
- The server can not accept a mount from a user that is in more
than 8 groups.
@@ -774,93 +701,10 @@
-
FAQs
-
-This is the FAQ section. Most of it was written by Alan Cox.
-
-
-
- - I get a lot of 'stale nfs handle' errors when using Linux as
- a nfs server.
-
-
This is caused by a bug in some oldish nfsd versions. It is
- fixed in nfs-server2.2beta16 and later.
-
- - When I try to mount a file system I get
-
-
- can't register with portmap: system error on send
- You are probably using a Caldera system. There is a bug in the
- rc scripts. Please contact Caldera to obtain a fix.
-
- - Why can't I execute a file after copying it to the NFS server?
-
-
The reason is that nfsd caches open file handles for performance
- reasons (remember, it runs in user space). While nfsd has a file
- open (as is the case after writing to it), the kernel won't allow
- you to execute it. Nfsds newer than ~spring 95 release open files
- after a few seconds, older ones would cling to them for days.
-
- - My NFS files are all read only
-
-
The Linux NFS server defaults to read only. RTFM the ``exports''
- and nfsd manual pages. You will need to alter /etc/exports .
-
- - I mount from a linux nfs server and while ls works I can't
- read or write files.
-
-
On older versions of Linux you must mount a NFS servers with
- I mount from a Linux NFS server with a block size of between
- 3500-4000 and it crashes the Linux box regularly
-
-
Basically don't do it then.
-
- - Can Linux do NFS over TCP
-
-
No, not at present.
-
- - I get loads of strange errors trying to mount a machine from a
- Linux box.
-
-
Make sure your users are in 8 groups or less. Older servers
- require this.
-
- - When I reboot my machine it sometimes hangs when trying to
- unmount a hung NFS server.
-
-
Do Linux NFS clients are very slow when writing to Sun and BSD
- systems
-
- NFS writes are normally synchronous (you can disable this if you
- don't mind risking losing data). Worse still BSD derived kernels
- tend to be unable to work in small blocks. Thus when you write 4K of
- data from a Linux box in the 1K packets it uses BSD does this
-
-
- read 4K page
- alter 1K
- write 4K back to physical disk
- read 4K page
- alter 1K
- write 4K page back to physical disk
- etc..
-
-
-
Exporting filesystems
The way to export filesytems with NFS is not completely consistent
-across platforms of course. In this case Linux and Solaris 2 are the
+across platforms of course. In this case FreeBSD and Solaris 2 are the
deviants. This section lists, superficially the way to do it on most
systems. If the kind of system you have is not covered you must check
your OS man-pages. Keywords are: nfsd, system administration tool, rc