NFS export config question

[Phishfry]

I am setting up NFSv3 server and I would like to have my servers /shared directory exported globally.

I want to have it available across several subnets and I wonder if I could streamline it better:
/etc/export

/shared -alldirs 192.168.1.0/24 192.168.50.0/24 192.168.100.0/24 192.168.111.0/24

How could I share to the entire third octet without adding all 255 addresses?
192.168.***.***

I was thinking 192.168.0.0/24 but I think that only references the 192.168.0.1 subnet.

I like to create separate projects on subnets and want to have NFS access on temporary subnets I might create.

 

[usdmatt]

192.168.0.0/16 would cover everything from 192.168.0.0 to 192.168.255.255

 

[Phishfry]

That worked perfectly.

/etc/export

/shares -maproot=root -network 192.168.0.0/16

/etc/rc.conf on NFS Server

rpcbind_enable="YES"
nfs_server_enable="YES"
mountd_enable="YES"
mountd_flags="-n"
weak_mountd_authentication="YES"

That last line took me a while to find.
Was getting this message on the client end.

root@DELL:~ # mount 192.168.1.248:/shares /shared
[tcp] 192.168.1.248:/shares: RPCPROG_MNT: RPC: Authentication error; why = Client credential too weak

Client /etc/rc.conf

nfs_client_enable="YES"
#nfs_client_flags="-n 4"
#rpc_lockd_enable="YES"
#rpc_statd_enable="YES"

I had experimented with all the commented out lines.

 

[Phishfry]

I was worried about adding this line to /etc/rc.conf as I have not seen it used much.
weak_mountd_authentication="YES"
So I looked on the server log and determined that it is an RPC_PORTMAP problem. So reading on that I found a suggested fix by adding to /etc/host.allow this line:
portmap : 192.168.0.0/255.255.255.0 : allow
While I was there I added this too:
rpcbind : 192.168.0.0/255.255.255.0 : allow
/etc/host.allow

# Rpcbind is used for all RPC services; protect your NFS!
# Rpcbind should be running with -W option to support this.
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
portmap : 192.168.0.0/255.255.255.0  : allow
rpcbind : 192.168.0.0/255.255.255.0  : allow

My question is: Is this an OK fix? I was able to remove the "allow weak authentication line from /etc/rc.conf.
What does "protect your NFS" comment mean here?

 

[SirDice]

If portmapper/rpcbind are limited to 192.168.0.0/24 your NFS clients will be limited to that range too. NFS requires RPC access.

 

[Phishfry]

I see what you mean. You would think I need /16 but it works now. I did not get a chance to dig into RPC authentication.
I know I don't like the sound of weak mountd authentication.

So I should use this netmask than?
192.168.0.0/255.255.0.0