2.2.4. Securing NFS
The version of NFS included in Red Hat Enterprise Linux 6, NFSv4, no longer requires the portmap service as outlined in Section 2.2.2, “Securing Portmap”. NFS traffic now utilizes TCP in all versions, rather than UDP, and requires it when using NFSv4. NFSv4 now includes Kerberos user and group authentication, as part of the RPCSEC_GSS kernel module. Information on portmap is still included, since Red Hat Enterprise Linux 6 supports NFSv2 and NFSv3, both of which utilize
2.2.4.1. Carefully Plan the Network
NFSv2 and NFSv3 traditionally passed data insecurely. All versions of NFS now have the ability to authenticate (and optionally encrypt) ordinary file system operations using Kerberos. Under NFSv4 all operations can use Kerberos; under v2 or v3, file locking and mounting still do not use it. When using NFSv4.0, delegations may be turned off if the clients are behind NAT or a firewall. Refer to the section on pNFS in the Storage Administration Guide for information on the use of NFSv4.1 to allow delegations to operate through NAT and firewalls.
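The following is an added example, not part of the original guide: a small audit of /etc/exports that reports, for each exported path and client, the weakest security flavor the server will accept through the sec= option documented in exports(5). The sample file, paths and host names are constructed; entries using dash-prefixed default options are flagged as unparsed rather than interpreted.

```python
import re
# sec= flavors from exports(5), weakest first; "sys" applies when sec= is absent.
MEANING = {
    "sys": "no Kerberos, client-asserted UID/GID",
    "krb5": "Kerberos authentication only",
    "krb5i": "Kerberos authentication + integrity",
    "krb5p": "Kerberos authentication + integrity + encryption",
}
STRENGTH = list(MEANING)

# Constructed sample; paths and host names are made up.
SAMPLE_EXPORTS = """\
# constructed /etc/exports for illustration
/srv/projects  *.example.com(rw,sec=krb5p)
/srv/home      192.0.2.0/24(rw,sec=krb5:krb5i:krb5p)
/srv/scratch   192.0.2.0/24(rw,sync) \\
               build.example.com(ro,sec=krb5i,rw,sec=sys)
/srv/legacy    old.example.com
"""

def weakest_flavor(options):
    """Weakest flavor a client may pick; unknown flavors rank lowest."""
    flavors = set()
    for opt in options.split(","):
        if opt.startswith("sec="):
            flavors.update(opt[4:].split(":"))
    flavors = flavors or {"sys"}  # exports(5) default when sec= is absent
    return min(flavors, key=lambda f: STRENGTH.index(f) if f in STRENGTH else -1)

def audit_exports(text):
    """Return (path, client, weakest flavor) for each export entry."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        dash_defaults = any(e.startswith("-") for e in entries)
        for entry in entries or [""]:  # a bare path is exported to every host
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", entry)
            if dash_defaults or m is None:
                findings.append((path, entry, "unparsed"))  # review by hand
                continue
            findings.append((path, m.group(1) or "*", weakest_flavor(m.group(2) or "")))
    return findings

if __name__ == "__main__":
    for path, client, flavor in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:18} {flavor:8} {MEANING.get(flavor, 'review by hand')}")
```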