
Title says it. mount is occasionally making NFS mount/unmount requests from insecure ports. I believe the issue is being caused by all of the secure ports being stuck in TIME_WAIT after periods of very high mounting activity (amd). Is there any way to change this behavior? I don't want requests being sent from insecure ports, whether there are available secure ports or not. I'd rather the mount hang while it waits for a secure port. Allowing requests from insecure ports on the NFS servers is not an option.

I didn't see anything in the man pages for mount, nfs, or mount.nfs for controlling this. To alleviate the issue, I tried net.ipv4.tcp_tw_reuse=1, but it didn't seem to help.

Thanks in advance.

1 Answer


Why not use iptables to block the ports (or port ranges) you don't want to be used? Make sure to make it a reject rule and not a drop rule; in the latter case it may take longer because the connection attempt has to time out.

A typical rule could look like this:

    /sbin/iptables -I OUTPUT -d 0/0 -j REJECT --reject-with icmp-net-prohibited -p tcp --dport XX -o ethX
    /sbin/iptables -I OUTPUT -d 0/0 -j REJECT --reject-with icmp-net-prohibited -p udp --dport XX -o ethX

For port range use:

    --dport XX:YY

For incoming:

    /sbin/iptables -I INPUT -s 0/0 -j REJECT --reject-with icmp-net-prohibited -p tcp --dport XX -i ethX
    /sbin/iptables -I INPUT -s 0/0 -j REJECT --reject-with icmp-net-prohibited -p udp --dport XX -i ethX

Update: maybe adding the right options to rpc.mountd will work for you, from the manual:

-p  or  --port num
          Force rpc.mountd to bind to the specified port num, instead of using the random port number assigned by the portmapper.

In Debian you do that in /etc/default/nfs-kernel-server, add options to this line:

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information, 
# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
RPCMOUNTDOPTS=--manage-gids
aseq
  • Thanks for your answer! Secure port, meaning a port < 1024, i.e., the ports NFS doesn't reject by default. Also, while this is an option, it doesn't prevent the poor behavior to begin with, assuming it's possible to do so. – Christopher Neylan May 02 '12 at 21:19
  • I see, I was suspecting you meant < 1024. I think that the behaviour you try to prevent is just basic functionality. However, see my updated answer. – aseq May 02 '12 at 21:24
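As an added example (not code from the question or the answer above), here is a small POSIX shell script for the client side of this problem. It does two things: it counts how many TCP sockets in TIME_WAIT are holding a reserved (< 1024) local port, reading `ss -tan` formatted lines from stdin, which is the check that confirms the "reserved ports exhausted after heavy amd activity" theory; and it prints iptables OUTPUT rules that match on the source port, so that a request the client would otherwise send from an unprivileged port to NFS or mountd is rejected before it leaves the host. The server address 10.0.0.9, the mountd port 892 (assumed pinned with `rpc.mountd --port`), and the interface eth0 are placeholders; the `ss` sample embedded below is constructed, not captured from a real host. The rules are printed rather than applied, so review them before running them on a machine.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumptions (placeholders): NFS server 10.0.0.9, rpc.mountd pinned to port 892
# with --port, client interface eth0. NFS itself listens on 2049.

# Count TIME_WAIT sockets whose local port is reserved (< 1024), reading
# `ss -tan` formatted lines on stdin. On a live host:
#     ss -tan | reserved_timewait_count
# The Linux sunrpc client draws reserved ports from the range
# sunrpc.min_resvport..sunrpc.max_resvport (sysctl, defaults 665..1023), so a
# count approaching the size of that range explains why a new mount cannot
# obtain one.
reserved_timewait_count() {
    awk '$1 == "TIME-WAIT" {
            n = split($4, f, ":")      # local address:port; port follows the last colon
            if (f[n] + 0 < 1024) c++
         }
         END { print c + 0 }'
}

# Print (do not apply) OUTPUT rules that reject NFS and mountd traffic leaving
# from an unprivileged source port. With these in place, a mount that cannot
# get a reserved port fails immediately instead of being sent from an insecure
# one. REJECT rather than DROP so the client sees an error at once.
client_resvport_rules() {
    server=$1
    mountd_port=$2
    iface=$3
    for proto in tcp udp; do
        for dport in 2049 "$mountd_port"; do
            printf '/sbin/iptables -I OUTPUT -o %s -p %s -d %s --sport 1024:65535 --dport %s -j REJECT --reject-with icmp-net-prohibited\n' \
                "$iface" "$proto" "$server" "$dport"
        done
    done
}

# Constructed sample of `ss -tan` output (not captured from a real host):
# two reserved ports and one ephemeral port in TIME_WAIT, one live connection.
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
TIME-WAIT 0      0      10.0.0.5:1010       10.0.0.9:2049
TIME-WAIT 0      0      10.0.0.5:1009       10.0.0.9:2049
TIME-WAIT 0      0      10.0.0.5:40022      10.0.0.9:2049
ESTAB     0      0      10.0.0.5:1008       10.0.0.9:2049'

printf 'reserved ports in TIME_WAIT: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SS" | reserved_timewait_count)"
client_resvport_rules 10.0.0.9 892 eth0
```

The source-port match is the part that differs from rules keyed on the destination port: an NFS server exporting with `secure` decides on the client's source port, so that is the property to enforce on the client as well. Counting only TCP is deliberate, since UDP has no TIME_WAIT state; if the count sits near the size of the reserved range during a burst of automounter activity, the exhaustion theory in the question is confirmed.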