Nfs fixed ports

From Phormix Wiki

Port-restricted NFS

Use case

Two common use cases for restricting NFS to fixed ports include:

  • When you wish to tunnel the NFS connection through some other medium
  • When you wish to have more specific firewall rules for NFS connections


Caveats

This configuration deals with a plain NFS server, without additional configuration for things like Kerberos authentication. Use of additional services with NFS may require further ports/configuration not covered here.

The notes provided are for Debian/Ubuntu based systems. The location of configuration entries on a Red Hat or other base system may be different.


Server-Side Configuration

Services and Ports
Service             Incoming Port    Outgoing Port    Configuration File
Statd (rpc.statd)   32765/tcp        32766/tcp        /etc/default/nfs-common
Mountd              32767/tcp        -                /etc/default/nfs-kernel-server
QuotaD              32769            -                /etc/default/quota
Lockd (kernel)      32768/tcp+udp    -                /etc/modprobe.d/nfs-lockd.conf
Nfsd                32764/tcp        -                /etc/modprobe.d/nfs-lockd.conf

StatD config

For this example we're using TCP ports 32765 (incoming) and 32766 (outgoing).
The StatD ports are set via the following line in /etc/default/nfs-common:

STATDOPTS="--port 32765 --outgoing-port 32766"


MountD Config

For this example we're using TCP port 32767.
The mountd port is set via the following line in /etc/default/nfs-kernel-server:

RPCMOUNTDOPTS="--manage-gids -p 32767"


LockD and NFSD Config

For this example we're using UDP+TCP port 32768 for lockd, and TCP port 32764 for NFSD.
These ports are set via the following lines in /etc/modprobe.d/nfs-lockd.conf:

For lockd

options lockd nlm_udpport=32768 nlm_tcpport=32768

For nfs

options nfs callback_tcpport=32764


Alternative: sysctl.conf entries

As an alternative to the modprobe entries, you could set the ports above via sysctl (e.g. in /etc/sysctl.conf or /etc/sysctl.d/nfs.conf):

fs.nfs.nlm_tcpport = 32768
fs.nfs.nlm_udpport = 32768
fs.nfs.nfs_callback_tcpport = 32764


Restart Services

After making these changes, restart the NFS server:

systemctl restart nfs-kernel-server


Firewall Configuration

With the ports given above, you could then allow the following incoming ports for NFS connections:

Service      Port
Portmapper   111 tcp/udp
NFSD         2049 tcp/udp
Various      32764-32769 tcp/udp
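To confirm that a server actually matches these firewall rules, here is an added shell check (not part of the wiki page) that parses `rpcinfo -p` output and reports any registered RPC service listening outside the allowed set (111, 2049, 32764-32769). The sample output below is constructed and deliberately includes rquotad on its default port, i.e. a quota daemon that was not pinned via /etc/default/quota.

```shell
# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   tcp  32767  mountd
    100024    1   tcp  32765  status
    100021    4   tcp  32768  nlockmgr
    100021    4   udp  32768  nlockmgr
    100003    4   tcp   2049  nfs
    100011    1   udp    875  rquotad'

# check_nfs_ports "<rpcinfo -p output>"
# Prints "service port/proto" for every registration whose port is not
# 111, 2049 or within 32764-32769. Returns 0 if everything is allowed,
# 1 if at least one service would be blocked by the firewall rules above.
check_nfs_ports() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                       # skip the header line
        NF >= 5 {
            port = $4 + 0
            ok = (port == 111 || port == 2049 || (port >= 32764 && port <= 32769))
            if (!ok) { print $5 " " $4 "/" $3; bad++ }
        }
        END { exit (bad ? 1 : 0) }'
}

# On a live host: check_nfs_ports "$(rpcinfo -p)" || echo "unpinned RPC ports found"
```

Run it after restarting nfs-kernel-server; an empty result with exit status 0 means every registered service sits on a port the firewall rules admit.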

Client-Side Configuration

StatD config

For this example we're using TCP ports 32765 (incoming) and 32766 (outgoing).
The StatD ports are set via the following line in /etc/default/nfs-common:

STATDOPTS="--port 32765 --outgoing-port 32766"

Restricting to NFSv4

NFSv4 allows you to be more restrictive on ports than previous versions (i.e. you don't need the portmapper).

If you wish to force-disable the older versions of NFS, this can be done by updating /etc/default/nfs-kernel-server with the following options:

RPCMOUNTDOPTS="--no-nfs-version 2 --no-nfs-version 3 --nfs-version 4 --no-udp"
RPCNFSDOPTS="--no-nfs-version 2 --no-nfs-version 3 --nfs-version 4 --no-udp"


After doing so, you can disable rpcbind so that port 111 is no longer needed:

systemctl disable --now rpcbind.service rpcbind.socket
systemctl mask rpcbind.service rpcbind.socket


This leaves you with only port 2049 (nfsd) needed. Nice!