
NFS and anonymous FTP server

Status
Not open for further replies.
This is a description of how I created an NFS and anonymous FTP server. I'm sure there are plenty of things I could have done better, and I'm interested in your feedback. If you find any typos please let me know.

I decided to try setting up my P55M-UD2 system as an NFS and anonymous FTP server. The objective is to provide these services to the other computers on my home network. Currently this function is being performed by a very old Linux system. I want to see if I can replace my Linux systems with OS X based systems.

This server is a mostly headless system. By that I mean it is connected to a keyboard, video monitor and mouse via a KVM switch for system administration but typically no one is logged into this system. The fact that the services need to be available with no one logged into the server was the source of my first problem. The server contains three disk drives. By default when OS X starts up it mounts the boot disk only; any remaining disks do not get mounted until a user logs in. Logging in via ssh does not cause the remaining disks to get mounted. There is an attribute that can be set to cause all disks to be mounted during startup. This is done by entering the following command:

sudo defaults write /Library/Preferences/SystemConfiguration/autodiskmount AutomountDisksWithoutUserLogin -bool true

If the appropriate plist does not exist this command will create it. This will take effect the next time you restart the computer.

NFS
===


In addition to having the application firewall enabled, the ipfw firewall is enabled by default and I used WaterRoof to establish additional firewall rules to protect the server. In order to provide as much protection as possible I had to set up NFS so that it used fixed ports that I could specify in the firewall rules. Using sudo, create the file named /etc/nfs.conf and add the following lines to it:

# The purpose is to allow firewall ports to be open
nfs.lockd.port = 4001
nfs.statd.port = 4000
nfs.server.mount.port = 4002
nfs.server.rquota.port = 4003


You can choose whatever unused port numbers above 1023 you wish.

As I used WaterRoof I needed to edit /etc/firewallrules to allow input using tcp and udp via these ports. As well, you must allow input using udp via port 111 for portmapper and udp and tcp via port 2049 for nfs. These rules are of the form:

add 6500 allow udp from 192.168.0.0/24 to any dst-port 111 in via en0
add 6700 allow tcp from 192.168.0.0/24 to any dst-port 4000-4003 in via en0
add 6710 allow udp from 192.168.0.0/24 to any dst-port 4000-4003 in via en0
add 6720 allow tcp from 192.168.0.0/24 to any dst-port 2049 in via en0
add 6730 allow udp from 192.168.0.0/24 to any dst-port 2049 in via en0


I am assuming a LAN using the class C IP address 192.168.0.0; change this to your LAN address.

These rules can be made active by restoring them from the default startup configuration in the System menu of WaterRoof.

NFS will not start unless there are entries in the file named /etc/exports. Create this file using sudo and add an entry. For example:

/Volumes/DataDisk/data -network 192.168.0.0 -mask 255.255.255.0

You may want to add other settings such as -maproot; see the exports man page for more information.

Restart nfs and confirm the port numbers in use using the commands:

sudo nfsd restart
rpcinfo -p


Another useful command is showmount -e to see which directories have been exported. No changes need to be made via system preferences to support nfs.

FTP
===


I decided to use vsftp rather than the ftp support that comes with OS X. This required installing MacPorts, which requires that X11 and Xcode be installed. I then installed vsftp using MacPorts following the instructions on their website. MacPorts installs files in the directory /opt/local.

Edit /opt/local/etc/vsftpd.conf to specify the desired options. By default vsftpd will run standalone, as specified by listen=YES in the configuration file. Change the ftpd_banner setting as desired. I decided to support passive mode and added the following lines to the configuration file:

pasv_promiscuous=yes
pasv_min_port=62000
pasv_max_port=64000


Ports 20 and 21 are normally used to establish an ftp connection. This requires changes to the firewall rules:

add 4007 allow tcp from 192.168.0.0/24 to any 20-21 setup keep-state in via en0
add 4008 allow tcp from 192.168.0.0/24 to any dst-port 62000-64000 setup in via en0 keep-state


As I was creating an anonymous ftp server for downloading files from the server I needed to create the user ftp and assign a home directory to it.

sudo -s
dscl . -create /Users/ftp
dscl . -create /Users/ftp NFSHomeDirectory /private/var/ftp


I made /private/var/ftp a link to the actual directory to be used by ftp.

If at a later time you wish to delete the user ftp enter:

sudo dscl . -delete /Users/ftp

To run vsftpd immediately and at each successive startup enter:

sudo port load vsftpd

If you wish to stop vsftpd immediately and prevent it from running at each successive startup enter:

sudo port unload vsftpd

vsftpd can also be controlled via launchctl.

The first time someone tries to connect via ftp, the application firewall on the server will ask if ftp connections should be allowed or denied, unless access has been explicitly allowed using System Preferences->Security->Firewall->Advanced, so it's a good idea to be logged onto the server during initial testing.
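
Added example, not part of the original post: a Python check that every port the guide pins in /etc/nfs.conf and vsftpd.conf, plus the well-known ports it lists, is covered by an allow rule restricted to the LAN source. The file contents are constructed copies of the snippets in the post; the function names, and the assumption that rules follow the post's `add N allow PROTO from SRC to any ...` form, belong to this example only.

```python
import re
# Constructed copies of the three files shown in the post.
NFS_CONF = """\
# The purpose is to allow firewall ports to be open
nfs.lockd.port = 4001
nfs.statd.port = 4000
nfs.server.mount.port = 4002
nfs.server.rquota.port = 4003
"""
VSFTPD_CONF = "pasv_promiscuous=yes\npasv_min_port=62000\npasv_max_port=64000\n"
RULES = """\
add 4007 allow tcp from 192.168.0.0/24 to any 20-21 setup keep-state in via en0
add 4008 allow tcp from 192.168.0.0/24 to any dst-port 62000-64000 setup in via en0 keep-state
add 6500 allow udp from 192.168.0.0/24 to any dst-port 111 in via en0
add 6700 allow tcp from 192.168.0.0/24 to any dst-port 4000-4003 in via en0
add 6710 allow udp from 192.168.0.0/24 to any dst-port 4000-4003 in via en0
add 6720 allow tcp from 192.168.0.0/24 to any dst-port 2049 in via en0
add 6730 allow udp from 192.168.0.0/24 to any dst-port 2049 in via en0
"""
RULE_RE = re.compile(r"^add\s+\d+\s+allow\s+(tcp|udp)\s+from\s+(\S+)\s+to\s+any"
                     r"\s+(?:dst-port\s+)?(\d+)(?:-(\d+))?")

def settings(text):
    """Parse 'key = value' / 'key=value' lines, skipping comments and blanks."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def required_ports(nfs_conf, vsftpd_conf):
    """(proto, low, high) ranges the services need, as listed in the post."""
    need = {("udp", 111, 111), ("tcp", 2049, 2049), ("udp", 2049, 2049),
            ("tcp", 20, 21)}
    for key, val in settings(nfs_conf).items():
        if key.endswith(".port"):  # each fixed NFS port is opened for tcp and udp
            need |= {(p, int(val), int(val)) for p in ("tcp", "udp")}
    ftp = settings(vsftpd_conf)
    need.add(("tcp", int(ftp["pasv_min_port"]), int(ftp["pasv_max_port"])))
    return need

def uncovered(nfs_conf, vsftpd_conf, rules, lan="192.168.0.0/24"):
    """Required ranges with no allow rule that is limited to the LAN source."""
    allowed = []
    for line in rules.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(2) == lan:  # rules with any other source do not count
            allowed.append((m.group(1), int(m.group(3)), int(m.group(4) or m.group(3))))
    return sorted(n for n in required_ports(nfs_conf, vsftpd_conf)
                  if not any(p == n[0] and lo <= n[1] and n[2] <= hi
                             for p, lo, hi in allowed))
```

An empty list means the configuration and the firewall agree; a port changed in nfs.conf or vsftpd.conf without a matching rule change shows up as a tuple in the result.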
 
Did you find that sometimes the server doesn't hot-swap USB drives after the 'load upon boot' command?

Tom
 
I don't have any USB hard drives. It seems to be fine with USB flash drives, although I've only had the server running for a few days so it may be too early to tell. I do seem to need to use diskutil unmount rather than simply umount to unmount the USB flash drive when I am connected to the server via ssh.
 
talisman said:
I don't have any USB hard drives. It seems to be fine with USB flash drives, although I've only had the server running for a few days so it may be too early to tell.

Ok, it might just be my hard drive. Thanks for the guide!

Tom
 
I may have misunderstood your question. Do you mean having the USB drive powered on and connected, then boot up the computer, then try to unmount the USB drive? I haven't tested that but I did find an old USB enclosure and I'll try that out.
 
talisman said:
I may have misunderstood your question. Do you mean having the USB drive powered on and connected, then boot up the computer, then try to unmount the USB drive? I haven't tested that but I did find an old USB enclosure and I'll try that out.

It doesn't mount without a restart. It dismounts fine.

Tom
 
I just tested plugging in a USB hard drive while the server is up and running. It mounted fine. I was able to copy a text file to it and then view the text file from the USB drive. Used diskutil to unmount the drive. I performed the mount/unmount test 3 times and it worked each time.

There's nothing special about the drive enclosure, there's no brand name on it and it has an old 120 GB IDE drive in it that I freshly partitioned (GUID) for this test.

I was connected to the server via ssh.
 
talisman said:
I just tested plugging in a USB hard drive while the server is up and running. It mounted fine. I was able to copy a text file to it and then view the text file from the USB drive. Used diskutil to unmount the drive. I performed the mount/unmount test 3 times and it worked each time.

There's nothing special about the drive enclosure, there's no brand name on it and it has an old 120 GB IDE drive in it that I freshly partitioned (GUID) for this test.

I was connected to the server via ssh.

Update, I tried a different drive, and it worked. Probably just the drive. Thank you for your help!

Tom
 
I've updated my server to OS X 10.7 (Lion) and it seems to be working.
 
This thread is pushing two years old. BUT THANK YOU!
 