The Network File System, NFS

Sharing files under Linux can be done in many ways. A few of the main ones are the File Transfer Protocol (FTP), Telnet and SSH. These are all fine, but what if you want a more transparent file sharing process, such as the Peer-to-Peer sharing under Windows(tm)? The Network File System, or NFS, gives you all that. I'll discuss some of the security implications and the configuration of a server and client in "newbie terms".

Before we begin, I want to point out the basic requirements, for both software and hardware. For software you need:

  • the nfs-utils packages - if it's not installed yet, you can get it from the NFS home page located at http://nfs.sourceforge.net.
  • kernel (2.2.18 and up) - if you plan on using NFS v3. In this howto I'm using kernel 2.4.2.

For hardware you need to have basic networking established; you should be able to ping other computers on your network and have accounts on them for access later on.

How does it work?

NFS works by making drives on remote systems appear as if they were mounted on the local system. For this to work you need a server running the NFS daemon and one or more NFS clients. I will discuss configuring these right after some security basics. NFS is by no means secure, and as a matter of fact can do real harm in the hands of lame intruders, script kiddies and other scum. I will only discuss basic security, which should not be your primary means or source of information for safeguarding yourself.

Let's take a look at the /etc/hosts.deny file. Some of the basic services used by NFS are portmap, lockd, mountd, rquotad and statd, so let's block ALL traffic from the outside world by adding these lines:

portmap:ALL
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL

Since we want to block everyone except the hosts we select, we'll edit the /etc/hosts.allow file. We'll add the IPs for our local network:

portmap:192.168.1.0/255.255.255.0
lockd:192.168.1.0/255.255.255.0
rquotad:192.168.1.0/255.255.255.0
mountd:192.168.1.0/255.255.255.0
statd:192.168.1.0/255.255.255.0

In the example above I'm allowing everyone within my network (192.168.1.0/255.255.255.0) to use the same services we blocked in the /etc/hosts.deny file.
Please remember that this is just basic security. On our network, I have all traffic to these ports blocked from the outside as well, on top of the internal network's router, so that's double the security. If you don't have any other means to secure your network, see the NFS-HOWTO security page mentioned above for more.

Configuring the NFS server

Setting up the NFS server is a fairly easy process. We'll proceed to edit the /etc/exports file. This file contains a list of entries; each entry indicates a volume that is shared and how it is shared. This is what my /etc/exports file looks like:

/mnt/scsi/mp3 192.168.1.0/255.255.255.0(rw)

Let's take a look at these in more detail. The first entry, /mnt/scsi/mp3, is the folder on the server I want to share with other systems on the network. The second entry, 192.168.1.0/255.255.255.0, is the entry for everyone on my local network. The last entry, (rw), decides the read/write permissions. I currently have these set to read and write: everyone can add or delete files under the mount point on their client system, thus making modifications on the server. Be careful with this option if you have data that must not be written to. If you want to give others read-only access, use (ro).

In the example above, if I wanted to allow (rw) access only to two IPs (192.168.1.2 and 192.168.1.3), I would modify the /etc/exports file like so:

/mnt/scsi/mp3 192.168.1.2(rw) 192.168.1.3(rw)
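
To check an exports file for entries that are broader than intended, a small audit script helps. The following is an added example, not part of the original howto; the function names and every sample line other than the two /mnt/scsi/mp3 entries above are constructed for illustration. It goes slightly beyond the cases in the text by also catching a space between the client and its options, which in the exports format detaches the options from that client and applies them to any host.

```python
import ipaddress
import re

# One client field: optional host or network, then optional "(options)".
FIELD = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

# Constructed sample input; only the first two entries come from the article.
SAMPLE = """\
# /etc/exports (sample)
/mnt/scsi/mp3 192.168.1.0/255.255.255.0(rw)
/mnt/scsi/mp3 192.168.1.2(rw) 192.168.1.3(rw)
/srv/docs 192.168.1.2 (rw)
/srv/iso 192.168.1.0/255.255.255.0(ro)
"""

def client_size(client):
    """Number of addresses a client field covers; None for a plain hostname."""
    if "*" in client or "?" in client:
        return float("inf")                    # wildcard hostname pattern
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses
    except ValueError:
        return None                            # single hostname

def audit_exports(text):
    """Return (path, client, problem) for each risky field in exports text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # strip comments and blanks
        if not line:
            continue
        path, *fields = line.split()
        for field in fields:
            m = FIELD.fullmatch(field)
            if m is None:
                findings.append((path, field, "unparseable field"))
                continue
            client, opts = m.group(1), (m.group(2) or "").split(",")
            if client == "":
                # "host (rw)": the options are no longer tied to the host.
                findings.append((path, "", "options apply to every host"))
            elif "rw" in opts and (client_size(client) or 1) > 1:
                findings.append((path, client, "rw granted to more than one host"))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE):
        print(finding)
```

On the sample, the subnet-wide (rw) entry and the entry with the stray space are reported, while the two-IP entry and the (ro) entry pass.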

This should be it for configuring the server.

Getting the services started

Once you're assured that basic networking is established (by successfully pinging or ftp-ing to other systems on the network) we can restart the NFS services. The easiest way would be to reboot. If you are not in the position to reboot, you can verify that the services are running. NFS depends on the portmapper daemon, called portmap or rpc.portmap. To start it, run:

/sbin/portmap

Most recent Linux distributions start this daemon in the boot scripts. To verify that it's running, type:

ps -ef|grep portmap

NFS serving is done by five daemons:

  • rpc.nfsd, which does most of the work;
  • rpc.lockd and
  • rpc.statd, which handle file locking;
  • rpc.mountd, which handles the initial mount requests, and
  • rpc.rquotad, which handles user file quotas on exported volumes.

Starting with kernel version 2.2.18, lockd is called by nfsd upon demand, so you do not need to worry about starting it yourself.

Now let's verify that NFS is running with the following command:

rpcinfo -p

If you have all these running, your server should be configured.