Posted on 2006-10-13 23:59:28
gaoyunhai, I hope this helps you.
Below is a brief introduction to the NFS versions from the RedHat Reference Guide; it may be related to the problem you ran into.
Network File System (NFS)
....
How It Works
Currently, there are three versions of NFS. NFS version 2 (NFSv2) is older and is widely supported.
NFS version 3 (NFSv3) has more features, including variable size file handling and better error reporting,
but is not fully compatible with NFSv2 clients. NFS version 4 (NFSv4) includes Kerberos security,
works through firewalls and on the Internet, no longer requires portmapper, supports ACLs, and
utilizes stateful operations. Red Hat Enterprise Linux supports NFSv2, NFSv3, and NFSv4 clients,
and when mounting a file system via NFS, Red Hat Enterprise Linux uses NFSv4 by default, if the
server supports it.
...
When using NFSv2 or NFSv3 with UDP, the stateless UDP connection under normal conditions minimizes
network traffic, as the NFS server sends the client a cookie after the client is authorized to
access the shared volume. This cookie is a random value stored on the server's side and is passed
along with RPC requests from the client. The NFS server can be restarted without affecting the clients
and the cookie remains intact. However, because UDP is stateless, if the server goes down unexpectedly,
UDP clients continue to saturate the network with requests for the server. For this reason, TCP
is the preferred protocol when connecting to an NFS server.
When using NFSv4, a stateful connection is made, and Kerberos user and group authentication
with various security levels is optionally available. NFSv4 has no interaction with portmapper,
rpc.mountd, rpc.lockd, and rpc.statd, since they have been rolled into the kernel. NFSv4
listens on the well known TCP port 2049.
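I don't know which version your NFS is, but according to the documentation, if it is a relatively old kernel it may not support NFSv4, so restricting portmap with tcp_wrapper of course works, because NFSv[23] relies on RPC. But if your kernel (or machine; I don't know whether NFS support depends on the specific kernel version?) supports NFSv4, then it is used by default and of course is not subject to the portmap restriction, and so it bypasses tcp_wrapper.
I don't know whether my analysis is correct; I hope the experts here will correct me.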
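PS: regarding the question from the poster above, tcp_wrapper controls TCP packets at the host level. It comes right after iptables; almost all network services, including xinetd, are managed by it as long as they use TCP packets and were linked against libwrap.a at compile time. Not sure if that's right~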
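The reasoning in the post above can be checked on a client by looking at which NFS version each mount is actually using. The following shell script is an added example, not part of the original post or the Red Hat guide; the function name `classify_nfs_mounts`, the verdict labels and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (hosts and paths are made up).
SAMPLE_MOUNTS='server1:/export /mnt/a nfs rw,vers=3,proto=udp,addr=192.0.2.10 0 0
server1:/home /mnt/b nfs4 rw,proto=tcp,port=2049,addr=192.0.2.10 0 0
server2:/data /mnt/c nfs rw,vers=4.1,proto=tcp,addr=192.0.2.20 0 0
/dev/sda1 / ext3 rw 0 0'

# Reads /proc/mounts-format text on stdin and prints, per NFS mount:
#   <mountpoint> <nfs version> <portmap-used|portmap-not-used|check-manually>
# NFSv2/NFSv3 depend on portmapper; NFSv4 talks directly to TCP port 2049.
classify_nfs_mounts() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        ver = ""
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            if (opts[i] ~ /^(vers|nfsvers)=/) {
                ver = opts[i]
                sub(/^[a-z]+=/, "", ver)
            }
        }
        # Type nfs4 without an explicit vers= option is still NFSv4.
        if (ver == "") ver = ($3 == "nfs4") ? "4" : "unknown"
        major = substr(ver, 1, 1)
        if (major == "4") verdict = "portmap-not-used"
        else if (major == "2" || major == "3") verdict = "portmap-used"
        else verdict = "check-manually"
        print $2, ver, verdict
    }'
}

# Stand-alone run on the constructed sample; on a real host use:
#   classify_nfs_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | classify_nfs_mounts
```

For mounts reported as `portmap-not-used`, a tcp_wrapper rule on portmap is not in the path, so access to TCP port 2049 has to be limited by other means such as a packet filter.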