Linux NFS Behind Firewall


An NFS service depends on rpcbind, which dynamically assigns ports to RPC services. Remote Procedure Call (RPC) is a protocol that lets a process call a service on another host without having to understand the network details. Running NFS behind a firewall is therefore entirely a matter of firewall rules for the RPC services. To allow a client to access NFS shares behind a firewall, use the /etc/sysconfig/nfs configuration file to control which ports the required RPC services run on.

By default, /etc/sysconfig/nfs may not exist on the system. If it doesn't exist, create it and add the following lines. You can replace the port values with any unused ports you wish.

# Controls which TCP and UDP port mountd (rpc.mountd) uses.
MOUNTD_PORT=port
# Controls which TCP and UDP port status (rpc.statd) uses.
STATD_PORT=port
# Controls which TCP port nlockmgr (lockd) uses.
# Leave this line uncommented; otherwise lockd keeps a dynamically assigned TCP port.
LOCKD_TCPPORT=port
# Controls which UDP port nlockmgr (lockd) uses.
LOCKD_UDPPORT=port

After defining these ports, restart the nfs service and check /var/log/messages. If the NFS service doesn't start normally, the port you defined is already in use by another service or process.

#service nfs restart

Run the rpcinfo command to confirm the changes.

#rpcinfo  -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 662 status
100024 1 tcp 662 status
100021 1 udp 53748 nlockmgr
100021 3 udp 53748 nlockmgr
100021 4 udp 53748 nlockmgr
100021 1 tcp 14637 nlockmgr
100021 3 tcp 14637 nlockmgr
100021 4 tcp 14637 nlockmgr
100011 1 udp 875 rquotad
100011 2 udp 875 rquotad
100011 1 tcp 818 rquotad
100011 2 tcp 818 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 892 mountd
100005 1 tcp 892 mountd
100005 2 udp 892 mountd
100005 2 tcp 892 mountd
100005 3 udp 892 mountd
100005 3 tcp 892 mountd

#service nfs status

Configure the firewall to allow NFS:

  1. Allow TCP and UDP port 2049 for NFS.
  2. Allow TCP and UDP port 111 (rpcbind/sunrpc).
  3. Allow the TCP and UDP port specified with MOUNTD_PORT="port".
  4. Allow the TCP and UDP port specified with STATD_PORT="port".
  5. Allow the TCP port specified with LOCKD_TCPPORT="port".
  6. Allow the UDP port specified with LOCKD_UDPPORT="port".

Default Ports For Firewall Access:

2049
111
801
804
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
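The firewall rules above only work if every RPC service really listens on the port you pinned it to, so the rpcinfo -p output should be checked against the configured values before the rules are trusted. The following POSIX shell script is an added example, not part of the original post: it parses rpcinfo -p output (the sample is constructed from the listing shown above), reports any service that is not on its expected port, and lists the distinct protocol/port pairs the firewall must allow. The expected ports in the demo are the defaults quoted above (MOUNTD_PORT=892, STATD_PORT=662, LOCKD_TCPPORT=32803, LOCKD_UDPPORT=32769); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit the ports that rpcinfo -p
# reports against the fixed ports configured in /etc/sysconfig/nfs, and list
# the distinct proto/port pairs a firewall must open.
# SAMPLE_RPCINFO is constructed from the rpcinfo -p listing shown in the post.
SAMPLE_RPCINFO='program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 662 status
100024 1 tcp 662 status
100021 1 udp 53748 nlockmgr
100021 3 udp 53748 nlockmgr
100021 4 udp 53748 nlockmgr
100021 1 tcp 14637 nlockmgr
100021 3 tcp 14637 nlockmgr
100021 4 tcp 14637 nlockmgr
100011 1 udp 875 rquotad
100011 2 udp 875 rquotad
100011 1 tcp 818 rquotad
100011 2 tcp 818 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 892 mountd
100005 1 tcp 892 mountd
100005 2 udp 892 mountd
100005 2 tcp 892 mountd
100005 3 udp 892 mountd
100005 3 tcp 892 mountd'

# Read rpcinfo -p output on stdin; print "service proto port" once per
# distinct triple. The version column does not matter to the firewall.
rpc_ports() {
    awk 'NR > 1 && NF == 5 { print $5, $3, $4 }' | sort -u
}

# Read rpcinfo -p output on stdin; print the port(s) SERVICE ($1) actually
# uses on PROTO ($2) that differ from the expected port ($3). Empty output
# means the service is where the firewall rules expect it.
unexpected_ports() {
    rpc_ports | awk -v s="$1" -v p="$2" -v w="$3" \
        '$1 == s && $2 == p && $3 != w { print $3 }'
}

# Read rpcinfo -p output on stdin; print "proto port" once per distinct pair,
# i.e. the complete list the firewall must allow for this server.
firewall_ports() {
    rpc_ports | awk '{ print $2, $3 }' | sort -u
}

# Read rpcinfo -p output on stdin; print the number of distinct proto/port pairs.
count_firewall_ports() {
    firewall_ports | awk 'END { print NR }'
}

# Demo against the constructed sample. mountd and status check out, but
# nlockmgr is still on dynamic ports (14637/tcp, 53748/udp), so rules written
# for LOCKD_TCPPORT=32803 and LOCKD_UDPPORT=32769 would not match.
for spec in "mountd tcp 892" "status udp 662" \
            "nlockmgr tcp 32803" "nlockmgr udp 32769"; do
    set -- $spec
    bad=$(printf '%s\n' "$SAMPLE_RPCINFO" | unexpected_ports "$1" "$2" "$3")
    if [ -n "$bad" ]; then
        echo "$1/$2 is on port $bad, not $3: a rule for port $3 will not match"
    else
        echo "$1/$2 is on the expected port $3"
    fi
done
echo "proto/port pairs the firewall must allow:"
printf '%s\n' "$SAMPLE_RPCINFO" | firewall_ports
```

On a live server, replace the sample with the real listing by piping `rpcinfo -p | firewall_ports` (or `rpcinfo -p | unexpected_ports nlockmgr tcp 32803`); a non-empty result from unexpected_ports is the signal to go back to /etc/sysconfig/nfs and the nfs restart step rather than to widen the firewall.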

How to Check  NFS Server Shares?

#showmount  -e  NFSserverIP


I'm an IT Infrastructure and Operations Architect with extensive experience and administration skills, and I work for Turk Telekom. I provide hardware and software support for IT Infrastructure and Operations tasks.
