看过 NFS-Howto 后,对 NFS server 做了一些修改,觉得还是有必要记一下。
首先,为了安全,尽量用 tcpd 程序控制对各服务的访问:
[root@storage ~]# cat /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the ''/usr/sbin/tcpd'' server.
#
# Programs for NFS
portmap: 192.168.0.1, 192.168.0.2
statd: 192.168.0.1, 192.168.0.2
mountd: 192.168.0.1, 192.168.0.2
[root@storage ~]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the ''/usr/sbin/tcpd'' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
portmap: ALL
statd: ALL
mountd: ALL
[root@storage ~]#
NFS export 时控制访问权限:
[root@storage ~]# cat /etc/exports
# # sample /etc/exports file
# / master(rw) trusty(rw,no_root_squash)
# /projects proj*.local.domain(rw)
# /usr *.local.domain(ro) @trusted(rw)
# /home/joe pc001(rw,all_squash,anonuid=150,anongid=100)
# /pub (ro,insecure,all_squash)
#
/ftp 192.168.0.1(rw,no_root_squash,sync) 192.168.0.2(ro,no_root_squash)
[root@storage ~]#
由于有部分操作需要 root 执行,所以打开了 no_root_squash;为保证数据安全,使用 sync。需要注意,no_root_squash 意味着客户端的 root 在导出目录上就是服务器的 root,因此这里的安全性完全取决于 192.168.0.1 和 192.168.0.2 这两台主机本身是否可信。
为各个 RPC 程序指定固定端口(这样才好写防火墙规则):
[root@storage ~]# cat /etc/sysconfig/nfs
# For start NFS
#
# Pin the RPC helper daemons to fixed ports so the firewall can open one
# known range instead of whatever portmap assigns at boot.
# How the init script consumes these values (for reference):
#   rpc.statd   -> -p $STATD_PORT and -o $STATD_OUTGOING_PORT
#   rpc.mountd  -> -p $MOUNTD_PORT
#   lockd       -> sysctl fs.nfs.nlm_tcpport / fs.nfs.nlm_udpport
#   rpc.rquotad -> -p $RQUOTAD_PORT
# All ports fall in the contiguous range 32765-32769; lockd uses the same
# number for TCP and UDP, which is fine since they are different protocols.
STATD_PORT=32765
STATD_OUTGOING_PORT=32766
MOUNTD_PORT=32767
LOCKD_TCPPORT=32768
LOCKD_UDPPORT=32768
RQUOTAD_PORT=32769
# Number of rpc.nfsd server threads to start.
RPCNFSDCOUNT=16
[root@storage ~]#
指定端口后,就可以写防火墙规则了:
[root@storage ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.11 on Wed Jul 6 11:04:09 2005
# eth0 Inner eth1 Outer
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:NETMANAGE - [0:0]
:DENY-SERVICE - [0:0]
:NFS-SERVICE - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j NETMANAGE
-A INPUT -j DENY-SERVICE
-A INPUT -f -j NFS-SERVICE
-A INPUT -p tcp -m tcp --dport 32765:32769 -j NFS-SERVICE
-A INPUT -p udp -m udp --dport 32765:32769 -j NFS-SERVICE
-A INPUT -p tcp -m tcp --dport 2049 -j NFS-SERVICE
-A INPUT -p udp -m udp --dport 2049 -j NFS-SERVICE
-A INPUT -p tcp -m tcp --dport 111 -j NFS-SERVICE
-A INPUT -p udp -m udp --dport 111 -j NFS-SERVICE
-A INPUT -p tcp -m tcp --syn -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j REJECT
# NETMANAGE
# SSH
-A NETMANAGE -p tcp -m tcp -s 192.168.0.10 --dport 22 -j ACCEPT
# DENY-SERVICE
# NFS-SERVICE
-A NFS-SERVICE -s 192.168.0.1 -j ACCEPT
-A NFS-SERVICE -s 192.168.0.2 -j ACCEPT
-A NFS-SERVICE -f -j RETURN
-A NFS-SERVICE -j DROP
COMMIT
# Completed on Wed Jul 6 11:04:09 2005
[root@storage ~]#
这样应该安全许多了。不过要注意,INPUT 链的默认策略仍是 ACCEPT,安全性依赖链尾那两条只针对 TCP SYN 和 UDP 的 REJECT 规则,其它协议(如 ICMP)的入站包并未被这些规则拦下。