How-to: Get an NFS server working with a firewall

Introduction

Please note that this guide is for NFSv2 and v3 only.

An NFS server relies on several daemons/services which are, of course, client/server based, meaning that network ports are allocated to those daemons. NFS is built on Portmapper and RPC (which allocate dynamic network ports); the latter is the reason a firewall keeps blocking an NFS client that tries to mount an exported filesystem, even if you opened the NFS port on the server-side firewall.

Note: Please check the “about nfs” page for detailed information on NFS.


1 So, what do we need to make it work?

We first need to change the behaviour that leads the RPC daemons to use random ports:
This is achieved by editing lines 20, 22, 42 and 48 of the /etc/sysconfig/nfs file (for RedHat distros). Those lines respectively refer to the LOCKD_[TCP-UDP], MOUNTD and STATD ports.

Then, depending on your needs (regarding quotas), you may also need to uncomment line 12.
Feel free to choose port numbers at your convenience, just avoid reserved port numbers (a.k.a. “well known ports”, full list here).


  • Default /etc/sysconfig/nfs
     #
     # Define which protocol versions mountd
     # will advertise. The values are "no" or "yes"
     # with yes being the default
     #MOUNTD_NFS_V2="no"
     #MOUNTD_NFS_V3="no"
     #
     #
     # Path to remote quota server. See rquotad(8)
     #RQUOTAD="/usr/sbin/rpc.rquotad"
     # Port rquotad should listen on.
     #RQUOTAD_PORT=32996
     # Optinal options passed to rquotad
     #RPCRQUOTADOPTS=""
     #
     #
     # Optional arguments passed to in-kernel lockd
     #LOCKDARG=
     # TCP port rpc.lockd should listen on.
     #LOCKD_TCPPORT=5364
     # UDP port rpc.lockd should listen on.
     #LOCKD_UDPPORT=1325
     #
     #
     # Optional arguments passed to rpc.nfsd. See rpc.nfsd(8)
     # Turn off v2 and v3 protocol support
     #RPCNFSDARGS="-N 2 -N 3"
     # Turn off v4 protocol support
     #RPCNFSDARGS="-N 4"
     # Number of nfs server processes to be started.
     # The default is 8.
     #RPCNFSDCOUNT=8
     # Stop the nfsd module from being pre-loaded
     #NFSD_MODULE="noload"
     # Set V4 grace period in seconds
     #NFSD_V4_GRACE=90
     #
     #
     #
     # Optional arguments passed to rpc.mountd. See rpc.mountd(8)#RPCMOUNTDOPTS=""
     # Port rpc.mountd should listen on.
     #MOUNTD_PORT=6734
     #
     #
     # Optional arguments passed to rpc.statd. See rpc.statd(8)
     #STATDARG=""
     # Port rpc.statd should listen on.
     #STATD_PORT=3222
     # Outgoing port statd should used. The default is port
     # is random
     #STATD_OUTGOING_PORT=2020
     # Specify callout program
     #STATD_HA_CALLOUT="/usr/local/bin/foo"
     #
     #
     # Optional arguments passed to rpc.idmapd. See rpc.idmapd(8)
     #RPCIDMAPDARGS=""
     #
     # Set to turn on Secure NFS mounts.
     #SECURE_NFS="yes"
     # Optional arguments passed to rpc.gssd. See rpc.gssd(8)
     #RPCGSSDARGS=""
     # Optional arguments passed to rpc.svcgssd. See rpc.svcgssd(8)
     #RPCSVCGSSDARGS=""
     #
     # To enable RDMA support on the server by setting this to
     # the port the server should listen on
     #RDMA_PORT=20049


  • Modified /etc/sysconfig/nfs
     [...]
     # Optional arguments passed to in-kernel lockd
     #LOCKDARG=
     # TCP port rpc.lockd should listen on.
     LOCKD_TCPPORT=5364
     # UDP port rpc.lockd should listen on.
     LOCKD_UDPPORT=1325
    
     [...]
     # Port rpc.mountd should listen on.
     MOUNTD_PORT=6734
    
     [...]
     # Port rpc.statd should listen on.
     STATD_PORT=3245
  • We then need to allow (with firewall rules) the ports fixed above, as well as the Portmapper port (111) and the NFS port (2049/tcp). All of those ports need to be allowed for both transport protocols, TCP and UDP, except the NFS port (2049), LOCKD_UDPPORT (udp only) and LOCKD_TCPPORT (tcp only).


Just restart nfs and nfslock once your new firewall rules have been loaded, and you should be done!
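As an added example (not part of the original post), the following POSIX shell script reads the relevant lines of /etc/sysconfig/nfs (a constructed sample is embedded), reports any port key that is still commented out and would therefore keep a random RPC port, and prints the iptables rules implied by the steps above. The iptables syntax and the client network 192.168.1.0/24 are assumptions; adapt them to your firewall.

```shell
#!/bin/sh
# Added example: turn the fixed ports from /etc/sysconfig/nfs into the
# firewall rules the how-to asks for.  The config text below is a constructed
# sample of the relevant lines, not a copy of a real machine's file.
NFS_CONF='
# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=5364
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=1325
# Port rpc.mountd should listen on.
MOUNTD_PORT=6734
# Port rpc.statd should listen on.
STATD_PORT=3245
# Left commented out on purpose: rquotad is not fixed, so it gets no rule.
#RQUOTAD_PORT=32996
'

# Print the value of an active (uncommented) KEY=NUMBER line from the config
# text, or nothing if the key is still commented out.  $1 = key, $2 = config.
nfs_port() {
    printf '%s\n' "$2" |
        sed -n 's/^[[:space:]]*'"$1"'=\([0-9]\{1,5\}\)[[:space:]]*$/\1/p' | head -n 1
}

# List the port keys this how-to says to fix that are still commented out:
# those daemons would keep taking a random RPC port that no rule can cover.
nfs_unfixed_ports() {
    for key in LOCKD_TCPPORT LOCKD_UDPPORT MOUNTD_PORT STATD_PORT; do
        if [ -z "$(nfs_port "$key" "$1")" ]; then printf '%s\n' "$key"; fi
    done
}

# Print one iptables rule per (protocol, port) the client network $2 needs:
# Portmapper (111), mountd, statd and rquotad on both TCP and UDP; the NFS
# port (2049) and LOCKD_TCPPORT on TCP only; LOCKD_UDPPORT on UDP only.
nfs_firewall_rules() {
    conf="$1"; src="$2"
    rule() { printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' "$src" "$1" "$2"; }
    rule tcp 111; rule udp 111
    rule tcp 2049
    for key in MOUNTD_PORT STATD_PORT RQUOTAD_PORT; do
        port=$(nfs_port "$key" "$conf")
        if [ -n "$port" ]; then rule tcp "$port"; rule udp "$port"; fi
    done
    port=$(nfs_port LOCKD_TCPPORT "$conf"); if [ -n "$port" ]; then rule tcp "$port"; fi
    port=$(nfs_port LOCKD_UDPPORT "$conf"); if [ -n "$port" ]; then rule udp "$port"; fi
}
nfs_unfixed_ports "$NFS_CONF" | sed 's/^/still random: /'
nfs_firewall_rules "$NFS_CONF" 192.168.1.0/24
```

Run it against your own file with `nfs_firewall_rules "$(cat /etc/sysconfig/nfs)" <client-network>` and review the output before loading it.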

Resources
