Let’s say you run a FreeBSD server somewhere on your network and you’ve configured it to export a directory via NFS. Everything works as it should when you connect with clients running OSes on native hardware, but as soon as you try to mount the same share on the same hardware with an OS inside a virtual machine, you’re unable to do so.

So what’s going on here? Well, as it turns out, the default behavior of the NFS mount daemon (mountd) on FreeBSD is to only accept mount requests that come from client ports below 1024. This is because binding to a port number below 1024 requires root (or an equivalent system administrator account), so a request arriving from such a port is usually taken as trustworthy.

The problem is, most virtual machines typically don’t have access to ports below 1024 because they aren’t started with root or administrator privileges in the host OS (that would defeat all the added security one gains from sandboxing). In fact, some VM packages (VirtualBox comes to mind) won’t even run if it’s started by root unless it’s explicitly forced to. Thus, under most circumstances, the only port numbers guest OSes have access to begin at 1025 and increase from there.

There are two ways around this problem: run each instance of VirtualBox or VMware with root capabilities (very insecure), or tell your server to also accept incoming mount requests from unprivileged ports (a little bit insecure). To do this, simply fire up your favorite text editor and add the “insecure” flag (mountd’s -n option) to the mountd_flags argument list in /etc/rc.conf.

Here’s an example of /etc/rc.conf:


Save your changes and restart rpcbind, nfsd, and mountd as root:

# /etc/rc.d/rpcbind onerestart ; /etc/rc.d/nfsd onerestart ; /etc/rc.d/mountd onerestart
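If you manage more than one NFS server it is handy to script the rc.conf edit and to be able to read the flag back later. The following POSIX sh helper is an added example, not from the original post: it adds -n to mountd_flags without clobbering flags that are already there, is safe to run twice, and assumes the mountd_flags value is double-quoted on a single line.

```shell
#!/bin/sh
# Added example: make sure mountd's -n ("accept mount requests from
# unprivileged ports") is present in mountd_flags in an rc.conf-style file.
# Assumes the value is written as mountd_flags="..." on one line.
# After changing the file, restart rpcbind, nfsd and mountd as shown above.

ensure_mountd_insecure() {
    rcconf="$1"
    if grep -q '^mountd_flags=' "$rcconf"; then
        # -n already among the flags (as a separate word)? Then nothing to do.
        if grep '^mountd_flags=' "$rcconf" | grep -Eq '[ "]-n[ "]'; then
            return 0
        fi
        # Empty value becomes "-n"; a non-empty value gets " -n" appended.
        # The lone "t" branches past the second substitution if the first matched.
        sed -i.bak \
            -e 's/^mountd_flags=""$/mountd_flags="-n"/' \
            -e t \
            -e 's/^mountd_flags="\(..*\)"$/mountd_flags="\1 -n"/' "$rcconf"
    else
        # No mountd_flags line at all: add one.
        printf 'mountd_flags="-n"\n' >> "$rcconf"
    fi
}

# Print the effective mountd flags from a file; useful for auditing which
# servers have been switched to the "a little bit insecure" setting.
mountd_flags_of() {
    sed -n 's/^mountd_flags="\(.*\)"$/\1/p' "$1"
}
```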

Now you’re good to go!

Remember: NFS was never a security-minded protocol. It was built for speed, with security layered on top by other mechanisms. If you want more protection than the IP address whitelisting done in /etc/exports (which really isn’t that secure at all), there are many options to choose from, including Kerberos authentication or tunneling everything through SSH. Check Google or Chapter 14 of the FreeBSD handbook for some good starting points.