# NFS export config question



## Phishfry (Apr 21, 2017)

I am setting up an NFSv3 server and I would like to have my server's /shared directory exported globally.

I want to have it available across several subnets and I wonder if I could streamline it better:
/etc/export

```
/shared -alldirs 192.168.1.0/24 192.168.50.0/24 192.168.100.0/24 192.168.111.0/24
```

How could I share to the entire third octet without adding all 255 addresses?
`192.168.***.***`

I was thinking 192.168.0.0/24 but I think that only references the 192.168.0.1 subnet.

I like to create separate projects on subnets and want to have NFS access on temporary subnets I might create.


----------



## usdmatt (Apr 22, 2017)

192.168.0.0/16 would cover everything from 192.168.0.0 to 192.168.255.255


----------



## Phishfry (Apr 22, 2017)

That worked perfectly.

/etc/export

```
/shares -maproot=root -network 192.168.0.0/16
```

/etc/rc.conf on NFS Server

```
rpcbind_enable="YES"
nfs_server_enable="YES"
mountd_enable="YES"
mountd_flags="-n"
weak_mountd_authentication="YES"
```
That last line took me a while to find.
Was getting this message on the client end.

```
root@DELL:~ # mount 192.168.1.248:/shares /shared
[tcp] 192.168.1.248:/shares: RPCPROG_MNT: RPC: Authentication error; why = Client credential too weak
```

Client /etc/rc.conf

```
nfs_client_enable="YES"
#nfs_client_flags="-n 4"
#rpc_lockd_enable="YES"
#rpc_statd_enable="YES"
```
I had experimented with all the commented out lines.


----------



## Phishfry (Apr 25, 2017)

I was worried about adding this line to /etc/rc.conf as I have not seen it used much.
`weak_mountd_authentication="YES"`
So I looked on the server log and determined that it is an RPC_PORTMAP problem. So reading on that I found a suggested fix by adding to /etc/host.allow this line:
`portmap : 192.168.0.0/255.255.255.0  : allow`
While I was there I added this too:
`rpcbind : 192.168.0.0/255.255.255.0  : allow`

/etc/host.allow

```
# Rpcbind is used for all RPC services; protect your NFS!
# Rpcbind should be running with -W option to support this.
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
portmap : 192.168.0.0/255.255.255.0  : allow
rpcbind : 192.168.0.0/255.255.255.0  : allow
```

My question is: Is this an OK fix? I was able to remove the "allow weak authentication" line from /etc/rc.conf.
What does the "protect your NFS" comment mean here?


----------



## SirDice (Apr 25, 2017)

If portmapper/rpcbind are limited to 192.168.0.0/24 your NFS clients will be limited to that range too. NFS requires RPC access.


----------



## Phishfry (Apr 25, 2017)

I see what you mean. You would think I need /16 but it works now. I did not get a chance to dig into RPC authentication.
I know I don't like the sound of weak mountd authentication.

So I should use this netmask then?
`192.168.0.0/255.255.0.0`


----------
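An added illustration of the netmask point raised in the replies (not code from any poster): a Python check of which clients fall inside both the `-network` export and the `rpcbind` rule from the hosts.allow lines quoted above. The client addresses are constructed, the function names are hypothetical, and it assumes the rpcbind rule is actually enforced (rpcbind run with -W, as the file's own comment says) and that no earlier rule in the file matches first.

```python
import ipaddress

# Constructed samples modelled on the lines quoted in the thread.
EXPORTS = "/shares -maproot=root -network 192.168.0.0/16"
HOSTS_ALLOW_24 = """\
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
portmap : 192.168.0.0/255.255.255.0  : allow
rpcbind : 192.168.0.0/255.255.255.0  : allow
"""
HOSTS_ALLOW_16 = HOSTS_ALLOW_24.replace("255.255.255.0", "255.255.0.0")

def export_networks(line):
    """Networks given with -network (CIDR form only; -mask is not handled)."""
    toks = line.split()
    nets = []
    for i, tok in enumerate(toks):
        if tok.startswith("-network"):
            value = tok.split("=", 1)[1] if "=" in tok else toks[i + 1]
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets

def rpcbind_networks(text, daemon="rpcbind"):
    """IPv4 networks on 'daemon : net/mask : allow' lines; comments skipped."""
    nets = []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(":")]
        if len(fields) == 3 and fields[0] == daemon and fields[2] == "allow":
            nets += [ipaddress.ip_network(c, strict=False) for c in fields[1].split()]
    return nets

def audit(client, exports_line, hosts_allow):
    """Return (covered by export, covered by rpcbind rule) for one client IP."""
    ip = ipaddress.ip_address(client)
    return (any(ip in n for n in export_networks(exports_line)),
            any(ip in n for n in rpcbind_networks(hosts_allow)))

if __name__ == "__main__":
    for mask, cfg in (("255.255.255.0", HOSTS_ALLOW_24), ("255.255.0.0", HOSTS_ALLOW_16)):
        print(f"rpcbind rule with netmask {mask}")
        for client in ("192.168.0.10", "192.168.50.7", "10.0.0.5"):  # constructed
            exported, rpc_ok = audit(client, EXPORTS, cfg)
            print(f"  {client:<14} export={exported!s:<5} rpcbind={rpc_ok}")
```

A client that is inside the export network but outside the rpcbind rule is the mismatch to look for: the two layers should describe the same set of subnets.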

