Notice
This feature is introduced in VAST Cluster 4.2-sp3. It has no impact on NFSv4.1 client connections.
Clusters that are newly installed with VAST Cluster 4.2-sp3 globally block NFSv3 clients from communicating over sockets that use unprivileged source ports. Only privileged source ports (those with port numbers under 1024) are allowed. This is equivalent to the secure export option, which in other systems might be configurable per NFS export, but here it is a global setting for all NFSv3 exports on the cluster.
A client process requires root privileges in order to create a socket with a privileged source port. Blocking access via unprivileged ports therefore prevents non-root client processes from spoofing UIDs over such ports.
When upgrading a cluster to VAST Cluster 4.2-sp3 from VAST Cluster 4.2 or from a previous version that supports upgrade to 4.2-sp3, unprivileged ports are not blocked by default. This is intended to support any client applications that may already rely on the use of unprivileged ports. However, it is possible and recommended to block unprivileged ports if they are not needed. Likewise, it is possible to allow unprivileged ports if needed in VAST Cluster 4.2-sp3.
To block or allow unprivileged source ports, contact Support for assistance.
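Before requesting the block on an upgraded cluster, it helps to know whether any client still reaches its NFSv3 mounts from an unprivileged source port. The following Python is an added example, not VAST code; it assumes Linux clients, the standard NFS port 2049, and input in the format of /proc/mounts and ss -tn (the sample text is constructed).

```python
# Added example: find NFSv3 connections on a Linux client that would be
# rejected once unprivileged source ports are blocked. Samples are constructed.
PRIVILEGED_MAX = 1023   # source ports under 1024 are privileged
NFS_PORT = 2049         # assumption: standard NFS service port

SAMPLE_MOUNTS = """\
10.0.0.20:/data /mnt/data nfs rw,relatime,vers=3,proto=tcp,noresvport,addr=10.0.0.20 0 0
10.0.0.21:/home /mnt/home nfs rw,relatime,vers=3,proto=tcp,addr=10.0.0.21 0 0
10.0.0.22:/scratch /mnt/scratch nfs4 rw,relatime,vers=4.1,proto=tcp,addr=10.0.0.22 0 0
"""

SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.5:51234 10.0.0.20:2049
ESTAB 0 0 10.0.0.5:874 10.0.0.21:2049
ESTAB 0 0 10.0.0.5:40112 10.0.0.22:2049
ESTAB 0 0 10.0.0.5:55000 10.0.0.30:443
"""

def nfsv3_servers(mounts_text):
    """Return server addresses of NFSv3 mounts found in /proc/mounts text."""
    servers = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "nfs":
            continue  # skips nfs4 and non-NFS filesystems
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        if opts.get("vers") == "3" and "addr" in opts:
            servers.add(opts["addr"])
    return servers

def split_hostport(endpoint):
    """Split 'host:port' or '[v6addr]:port' as printed by ss -n."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def unprivileged_nfsv3_connections(ss_text, servers):
    """Return (source_port, server) for NFSv3 connections from ports >= 1024."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line and non-established sockets
        _, lport = split_hostport(fields[3])
        peer, pport = split_hostport(fields[4])
        if pport == NFS_PORT and peer in servers and lport > PRIVILEGED_MAX:
            findings.append((lport, peer))
    return findings
```

A client that mounts the same server over both NFSv3 and NFSv4.1 cannot be told apart by address alone, so a finding for such a server needs a manual check of which mount owns the connection.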