
security group egress rule for EFS: what exactly are "all NFS ports"?


I'm setting up EFS mount targets for a service running on Fargate, and trying to implement the AWS guidance here on network security.

The guidance says that the security group into which I place my EFS mount targets should have an outbound rule that "open[s] the TCP connection on all of the NFS ports", with the security group hosting the containers launched by Fargate as the destination.

I can't find the place in the AWS documentation that says exactly what is meant here by "all of the NFS ports". There are references to port 2049 in a number of places. But the wording of the guidance above -- "all of the NFS ports" -- makes it sound as if there are ports in addition to 2049 that I should be allowing. I'm worried things won't work if I allow outbound TCP traffic ONLY on 2049.

So, what exactly do the docs mean by "all of the NFS ports"?

1 Answer
Accepted Answer

Hi,

The generic quote that you report is probably due to this statement on https://docs.aws.amazon.com/efs/latest/ug/source-ports.html

To support a broad set of NFS clients, Amazon EFS allows connections from any source port. If you require that only privileged users can access Amazon EFS, we recommend using the following client firewall rule. Connect to your file system using SSH and run the following command:

iptables -I OUTPUT 1 -m owner --uid-owner 1-4294967294 -m tcp -p tcp --dport 2049 -j DROP

This command inserts a new rule at the start of the OUTPUT chain (-I OUTPUT 1). The rule prevents any unprivileged, nonkernel process (-m owner --uid-owner 1-4294967294) from opening a connection to the NFS port (-m tcp -p tcp --dport 2049).

Since EFS is built to support any port, the doc that you quote remains generic, but the above advises you to limit yourself to 2049 when possible.

Best,

Didier

EXPERT
answered a year ago
EXPERT
reviewed a year ago
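As an added check that is not part of the thread or of AWS's own tooling, the following Python script audits a mount-target security group's egress rules: it confirms that some rule reaches the task security group on TCP 2049 and flags anything wider than that single port, such as an all-traffic rule to 0.0.0.0/0. The JSON shape follows what `aws ec2 describe-security-groups` returns; the group ids are constructed placeholders, not real identifiers.

```python
import json

NFS_PORT = 2049  # the only port EFS mount targets listen on for NFS

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
# Group ids are placeholders, not real AWS identifiers.
SAMPLE_SG = json.loads("""{"GroupId": "sg-efs-mount-targets", "IpPermissionsEgress": [
  {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "IpRanges": [],
   "UserIdGroupPairs": [{"GroupId": "sg-fargate-tasks"}]},
  {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}""")


def rule_covers_nfs(rule):
    """True if the rule permits TCP 2049; IpProtocol "-1" means all traffic."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= NFS_PORT <= rule.get("ToPort", 65535)


def audit_nfs_egress(sg, task_sg_id):
    """Return (nfs_allowed_to_task_sg, findings) for a mount-target security group."""
    allowed, findings = False, []
    for rule in sg["IpPermissionsEgress"]:
        if not rule_covers_nfs(rule):
            continue  # rule cannot carry NFS traffic; irrelevant here
        proto = rule.get("IpProtocol")
        targets = [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        # The recommended rule is exactly TCP 2049 to the task security group.
        exact = proto == "tcp" and (rule.get("FromPort"), rule.get("ToPort")) == (NFS_PORT, NFS_PORT)
        if task_sg_id in targets:
            allowed = True
        if not exact:
            findings.append(f"rule wider than TCP {NFS_PORT}: proto={proto} to {targets or cidrs}")
        if "0.0.0.0/0" in cidrs:
            findings.append("NFS egress to 0.0.0.0/0; scope it to the task security group")
    if not allowed:
        findings.append(f"no egress rule allows TCP {NFS_PORT} to {task_sg_id}")
    return allowed, findings


if __name__ == "__main__":
    ok, notes = audit_nfs_egress(SAMPLE_SG, "sg-fargate-tasks")
    print("NFS egress to task SG allowed:", ok)
    for note in notes:
        print(" -", note)
```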
  • thanks Didier!

  • Hi Stu, you're very welcome!
