system-config-securitylevel – Love or hatred?

system-config-securitylevel provides the user an easy interface to edit firewall rules. If you only need to open up certain tcp and udp ports, this tool may prove handy. For more complex routing rules, you will be tempted to edit /etc/sysconfig/iptables directly.

If you have used system-config-securitylevel before, check out the iptables file and you will see this in the header:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.

You were warned!! The problem with this is that the next time you run system-config-securitylevel (even if accidental), all your custom rules will be overwritten… sucks. So remember to back up /etc/sysconfig/iptables or use some sort of version control every time you decide to edit the file directly.

nfs and firewall issues

nfs can be set up easily using the GUI, i.e.

yum install system-config-nfs

The problem with nfs is that it uses certain random ports. If you have the firewall enabled, you have problems. The trick is to fix the ports that nfs uses and simply enable those ports in the firewall. After checking /etc/services, I chose a few ports that weren’t already in use.

vim /etc/sysconfig/nfs

Comment out everything and add these lines to it.

LOCKD_TCPPORT=30100
LOCKD_UDPPORT=30101
MOUNTD_PORT=30102
STATD_PORT=30103

then in the firewall

vim /etc/sysconfig/iptables

open the ports

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 30100 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 30101 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 30102:30103 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 30102:30103 -j ACCEPT

restart iptables and nfs and that should work.
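One thing that bites people here: the generated RH-Firewall-1-INPUT chain ends with a REJECT rule, so ACCEPT lines pasted below it never match. The following is an added check, not part of the original post, that reads the pinned ports from a sysconfig/nfs-style file and confirms each one (plus 111 and 2049) is accepted before the REJECT; the file paths are parameters and the sample files it builds are constructed for illustration.

```shell
# Added check (not from the original post): every port NFS needs must be ACCEPTed
# in RH-Firewall-1-INPUT before the chain's closing REJECT rule. Paths are parameters.

# Print "proto/port" pairs for the pinned daemons in a sysconfig/nfs file.
nfs_port_specs() {
  awk -F= '/^[ \t]*#/ || NF < 2 { next } { gsub(/^[ \t]+/, "", $1) }
    $1 == "LOCKD_TCPPORT" { print "tcp/" $2 }
    $1 == "LOCKD_UDPPORT" { print "udp/" $2 }
    $1 == "MOUNTD_PORT" || $1 == "STATD_PORT" { print "tcp/" $2; print "udp/" $2 }' "$1"
}

# Exit 0 if proto $2 / port $3 hits an ACCEPT rule in RH-Firewall-1-INPUT of
# file $1 before the first REJECT; single ports and lo:hi ranges both count.
port_allowed() {
  awk -v proto="$2" -v port="$3" '
    /^-A RH-Firewall-1-INPUT/ {
      if ($0 ~ /-j REJECT/) exit                    # rules below here are dead
      if ($0 ~ ("-p " proto " ") && $0 ~ /-j ACCEPT/ && match($0, /--dport [0-9:]+/)) {
        spec = substr($0, RSTART + 8, RLENGTH - 8)  # e.g. "30102:30103"
        n = split(spec, r, ":"); lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
        if (port + 0 >= lo && port + 0 <= hi) { found = 1; exit }
      }
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# Returns the number of required proto/port pairs that are blocked (0 = OK).
check_nfs_firewall() {   # $1 = iptables file, $2 = sysconfig/nfs file
  missing=0
  for spec in tcp/111 udp/111 tcp/2049 udp/2049 $(nfs_port_specs "$2"); do
    port_allowed "$1" "${spec%/*}" "${spec#*/}" ||
      { echo "blocked: $spec" >&2; missing=$((missing + 1)); }
  done
  return "$missing"
}

# Constructed samples mirroring the post; the tcp 30104 rule sits after the
# REJECT line on purpose, so the ordering check must report it as blocked.
make_sample_files() {
  SAMPLE_NFS=$(mktemp); SAMPLE_IPT=$(mktemp)
  printf '%s\n' '# pinned ports' LOCKD_TCPPORT=30100 LOCKD_UDPPORT=30101 \
    MOUNTD_PORT=30102 STATD_PORT=30103 > "$SAMPLE_NFS"
  r='-A RH-Firewall-1-INPUT'
  printf '%s\n' "$r -p tcp -m tcp --dport 111 -j ACCEPT" "$r -p udp -m udp --dport 111 -j ACCEPT" \
    "$r -p tcp -m tcp --dport 2049 -j ACCEPT" "$r -p udp -m udp --dport 2049 -j ACCEPT" \
    "$r -p tcp -m tcp --dport 30100 -j ACCEPT" "$r -p udp -m udp --dport 30101 -j ACCEPT" \
    "$r -p tcp -m tcp --dport 30102:30103 -j ACCEPT" "$r -p udp -m udp --dport 30102:30103 -j ACCEPT" \
    "$r -j REJECT --reject-with icmp-host-prohibited" "$r -p tcp -m tcp --dport 30104 -j ACCEPT" > "$SAMPLE_IPT"
}
```

On a real box run `check_nfs_firewall /etc/sysconfig/iptables /etc/sysconfig/nfs` before restarting the services; a non-zero exit lists the blocked pairs on stderr.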

* if you are configuring your firewall via the GUI, every time you change the settings, it will wipe out your current settings. Remember to back up before doing it!!!

* You can check the nfs sharing status by using “showmount -e server”. If you can’t get this command to work, something is wrong!