mount using insecure ports for nfs
Title says it. mount is occasionally making NFS mount/unmount requests from insecure ports. I believe the issue is being caused by all of the secure ports being stuck in TIME_WAIT after periods of very high mounting activity (amd). Is there any way to change this behavior? I don't want requests being sent from insecure ports, whether there are available secure ports or not. I'd rather the mount hang while it waits for a secure port. Allowing requests from insecure ports on the NFS servers is not an option.
I didn't see anything in the man pages for mount, nfs, or mount.nfs for controlling this. To alleviate the issue, I tried net.ipv4.tcp_tw_reuse=1, but it didn't seem to help.
Thanks in advance.
Why not use iptables to block the ports (or port ranges) you don't want to be used? Make sure to make it a reject rule and not a drop rule; in the latter case it may take longer because the connection attempt has to time out.
A typical rule could look like this:
/sbin/iptables -I OUTPUT -d 0/0 -j REJECT --reject-with icmp-net-prohibited -p tcp --dport XX -o ethX
/sbin/iptables -I OUTPUT -d 0/0 -j REJECT --reject-with icmp-net-prohibited -p udp --dport XX -o ethX
For port range use:
--dport XX:YY
For incoming:
/sbin/iptables -I INPUT -s 0/0 -j REJECT --reject-with icmp-net-prohibited -p tcp --dport XX -i ethX
/sbin/iptables -I INPUT -s 0/0 -j REJECT --reject-with icmp-net-prohibited -p udp --dport XX -i ethX
Update: maybe adding the right options to rpc.mountd will work for you. From the manual:
-p or --port num
Force rpc.mountd to bind to the specified port num, instead of using the random port number assigned by the portmapper.
In Debian you do that in /etc/default/nfs-kernel-server by adding options to this line:
# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
RPCMOUNTDOPTS=--manage-gids
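Added example, not part of the question or the answer above: a small Python checker that serves both the asker's diagnosis (privileged source ports piling up in TIME_WAIT) and the answer's suggestion of pinning rpc.mountd to a fixed port. It parses a captured `ss -tan` listing, flags every socket that talks to an NFS-related server port (2049, rpcbind 111, and the mountd port) from an unprivileged local port, and counts how the privileged local ports are occupied by socket state. The listing embedded below is constructed for the example, and the mountd port 32767 is an assumed value for an rpc.mountd started with --port 32767.

```python
# Added example (not from the original page): detect NFS/mountd connections
# made from insecure (>= 1024) local source ports and measure how many of the
# privileged local ports are tied up in TIME-WAIT, from `ss -tan` output.
import sys
from collections import Counter

PRIVILEGED_MAX = 1023                 # ports 0-1023 count as "secure" for NFS
NFS_PORT = 2049                       # nfsd
RPCBIND_PORT = 111                    # portmapper / rpcbind
MOUNTD_PORT = 32767                   # assumption: rpc.mountd pinned with --port 32767
NFS_DST_PORTS = {NFS_PORT, RPCBIND_PORT, MOUNTD_PORT}

# Constructed sample of `ss -tan` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:22           0.0.0.0:*
ESTAB      0      0      10.0.0.5:734         10.0.0.10:2049
ESTAB      0      0      10.0.0.5:45012       10.0.0.10:2049
TIME-WAIT  0      0      10.0.0.5:1001        10.0.0.10:32767
TIME-WAIT  0      0      10.0.0.5:1002        10.0.0.10:32767
TIME-WAIT  0      0      10.0.0.5:1003        10.0.0.10:111
ESTAB      0      0      10.0.0.5:51234       10.0.0.10:32767
ESTAB      0      0      10.0.0.5:52000       93.184.216.34:443
TIME-WAIT  0      0      10.0.0.5:40000       10.0.0.10:2049
"""


def _split_addr(addr):
    """Split 'ip:port' into (ip, port); port is None for '*' (listeners)."""
    ip, port = addr.rsplit(":", 1)    # rsplit keeps IPv6 addresses intact
    return ip, (int(port) if port.isdigit() else None)


def parse_ss(text):
    """Parse `ss -tan` style output into a list of socket records."""
    records = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        lip, lport = _split_addr(local)
        pip, pport = _split_addr(peer)
        records.append({"state": state, "local_ip": lip, "local_port": lport,
                        "peer_ip": pip, "peer_port": pport})
    return records


def insecure_nfs_connections(records):
    """Sockets (any state) talking to an NFS-related server port from an
    unprivileged local port, i.e. requests the NFS server would refuse."""
    return [r for r in records
            if r["peer_port"] in NFS_DST_PORTS
            and r["local_port"] is not None
            and r["local_port"] > PRIVILEGED_MAX]


def privileged_port_states(records):
    """How the privileged local ports are occupied, counted by socket state.
    A large TIME-WAIT count here is the symptom described in the question."""
    return Counter(r["state"] for r in records
                   if r["local_port"] is not None
                   and r["local_port"] <= PRIVILEGED_MAX)


def report(text):
    """Build a summary dict from raw `ss -tan` output."""
    records = parse_ss(text)
    bad = insecure_nfs_connections(records)
    return {
        "insecure_nfs_sockets": [(r["state"], r["local_port"],
                                  r["peer_ip"], r["peer_port"]) for r in bad],
        "privileged_port_states": dict(privileged_port_states(records)),
    }


if __name__ == "__main__":
    # Pipe live output in with `ss -tan | python3 this_script.py`;
    # with no piped input the constructed sample is used.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    summary = report(source)
    for entry in summary["insecure_nfs_sockets"]:
        print("insecure source port:", entry)
    print("privileged ports by state:", summary["privileged_port_states"])
```

Run it against a live `ss -tan` listing on the client while the mount storm is happening: a long list of insecure sockets together with hundreds of privileged ports in TIME-WAIT confirms the exhaustion hypothesis from the question, and the mountd port constant is where a fixed rpc.mountd --port value from the answer is plugged in so mountd traffic is classified correctly.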