I'm running Ubuntu 11.10 - setting up NFS to share a directory among many other servers. Which ports are required to be opened on the firewall?
Asked
Active
Viewed 6.6e+01k times
8 Answers
138
$ rpcinfo -p | grep nfs
Port 111 (TCP and UDP) and 2049 (TCP and UDP) for the NFS server.
There are also ports for Cluster and client status (Port 1110 TCP for the former, and 1110 UDP for the latter) as well as a port for the NFS lock manager (Port 4045 TCP and UDP). Only you can determine which ports you need to allow depending on which services are needed cross-gateway.
-
5I did not know about rpcinfo, that is quite useful. I didn't see the port 111 with the `grep nfs`, but I left off the grep to learn that 111 is for `portmapper`. Also good to know! (and like you mentioned, necessary) – kenny Apr 05 '12 at 21:12
-
@KennyYounger rpcinfo is a useful too. If this answered your question, don't forget to mark it as the answer for the benefit of future viewers. – Wesley Apr 05 '12 at 21:17
-
7You need mountd open when you first mount the filesystem. It runs on a dynamic port, so it won't always be the same. I put a link to a guide in my answer. – bonsaiviking Apr 05 '12 at 21:23
-
1Thanks @bonsaiviking. Critical info for this process. I upvoted your answer! – kenny Apr 06 '12 at 00:25
-
Could you give a brief description of what those services ("cluster and client status", "NFS lock manager") do and when they might be needed? If those services are blocked by a firewall, will NFS servers and clients degrade gracefully, or just lock waiting for a response? – Nathan Craike Apr 09 '15 at 00:41
-
Nathan Craike: Not brief, but take a look at `man rpc.nfsd`, `man rpc.mountd`, `man rpc.statd`, `rpc.idmapd` and so on. There is a detailed article on tldp.org: http://tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS – basic6 May 24 '15 at 16:18
-
Which server is initiating the connection? The server where you define the export or the server which does the mount? – Wernfried Domscheit Oct 09 '18 at 07:56
-
on BSD systems, 111 is for rpcbind but im sure it serves same purpose as portmapper – Kevin Dec 08 '20 at 02:12
38
In addition to 111 for portmapper and 2049 for nfs, you will need to allow the mountd port and possibly rquotad, lockd, and statd, all of which can be dynamic. This excellent NFS security guide recommends changing your startup scripts and kernel module configs to force them to use static ports.
In addition to the guide above, which has a section on firewalls, see my answer to another question about hardening NFS.
bonsaiviking
- 4,355
- 16
- 26
-
10We really do prefer content, not pointers to content. A précis of the content with a link is ok too and preferred to a link. – user9517 Apr 05 '12 at 21:31
-
3Not sure about 2012 but the recommendation in links seems to be grossly outdated. NFS over TCP is preferred for variety of reason and NFS over UDP can cause silent data corruption on fast link due to protocol limitations. Security guide has no mention of Kerberos/GSS etc. – Maciej Piechotka Dec 26 '16 at 16:46
-
With respect to mountd, life is a lot easier if you reconfigure to ensure the mountd port is fixed. On debian systems, edit the RPCMOUNTDOPTS value to something like `RPCMOUNTDOPTS="--port 34567"` and then restart with `sysctl --system` and `/etc/init.d/nfs-kernel-server restart` – user45793 Jan 17 '19 at 19:53
30
I found useful directions for my problem on this page, but there was no easy to follow recipe. So here's my recipe.
TL;DR - need to allow both nfs ports (111, 2049) and mountd port after fixing it.
Instructions:
Setting up a fixed port for mountd
gksudo gedit /etc/default/nfs-kernel-server
- comment out this line:
RPCMOUNTDOPTS=--manage-gids - add this instead:
RPCMOUNTDOPTS="--port 33333"
Or any other port number.
now try to reset nfs using:
sudo service nfs-kernel-server restart
And test if it helped using:
rpcinfo -p | grep "tcp.*mountd"
For me it wasn't enough, but a full restart fixed the issue.
(credit)
Setting up the firewall
(1) delete old rules, do this manually or reset if this is the only use for the firewall:
sudo ufw reset
sudo ufw enable
(2) add nfs & mountd ports
sudo ufw allow in from 10.0.0.1/20 to any port 111
sudo ufw allow in from 10.0.0.1/20 to any port 2049
sudo ufw allow in from 10.0.0.1/20 to any port 33333
(Change to your local IP's or to "any" instead of 10.0.0.1/20)
That's all there's to it.
Amir Uval
- 401
- 4
- 5
-
3You don't need to restart the entire box. A simple `sudo service nfs-config restart` before restarting the `nfs-kernel-server` will do just fine. – showp1984 Feb 27 '17 at 23:29
-
-
Or if your system uses `systemctl`, it's `systemctl restart nfs-kernel-server.service`. – fbicknel Oct 07 '19 at 20:27
-
You can also do it all in one swell foop: `sudo nfs allow proto tcp from 10.0.0.1/20 to any port 111,2049,33333` followed by (ok, two swell foops) `sudo nfs allow proto udp from 10.0.0.1/20 to any port 111,2049,33333`. Note port 33333 is per the above example. You may use another port as the answer indicates. – fbicknel Oct 07 '19 at 20:30
-
@fbicknel I think you _can_ do it in one "swell foop" if you just remove the `proto tcp` part on the first command :) – jchook Apr 24 '20 at 16:40
-
1
10
This will give a list of all ports used by all NFS-related program:
rpcinfo -p | awk '{print $3" "$4}' | sort -k2n | uniq
charlesnadeau
- 111
- 1
- 2
- 2
2
With FERM one can use Backticks to get the ports from rpcinfo, for example:
Server:
proto tcp {saddr ($CLIENT) {
dport (`rpcinfo -p | perl -e 'while(<>){/\s+\d+\s+\d\s+(?:tcp)\s+(\d+)/ and $ports{$1}=1}; $, = " "; print sort(keys(%ports)),"\n"'`) ACCEPT; # NFS
}}
proto udp {saddr ($CLIENT) {
dport (`rpcinfo -p | perl -e 'while(<>){/\s+\d+\s+\d\s+(?:udp)\s+(\d+)/ and $ports{$1}=1}; $, = " "; print sort(keys(%ports)),"\n"'`) ACCEPT; # NFS
}}
Client:
proto udp {saddr ($SERVER) {ACCEPT;}} # NFS
(If you're only going to use the TCP then you need only the proto tcp part).
2
To mount Synology to Ubuntu 18.04 system, I had to enable ports 111,892,2049
When mounting, here is what I see (NFS 4 is not enabled on my Synology):
root@ub18ovh# mount -a -vv
mount.nfs: trying text-based options 'vers=4.2,addr=5.6.7.8,clientaddr=1.2.3.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4.1,addr=5.6.7.8,clientaddr=1.2.3.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4.0,addr=5.6.7.8,clientaddr=1.2.3.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'addr=5.6.7.8'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 5.6.7.8 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 5.6.7.8 prog 100005 vers 3 prot UDP port 892
successfully mounted
Slavik
- 189
- 1
- 1
- 7
1
For the records, I had to add permissions for ports 111, 2049 AND 1048 for a configuration where an NFS share is exported by a Windows 2008 R2 server and the clients are Ubuntu 12.04.4.
I hope this helps someone.
Erdem KAYA
- 111
- 1
-
2It might help to explain why you needed port 1048 and how you determined that. – HBruijn Dec 16 '15 at 10:48
-
3Frankly, I don't have a clue why I needed to add a permission for 1048, but adding that solved my problem. I just wanted to share if that can save time someone else in the future. I am sorry for not being able to answer the question. – Erdem KAYA Dec 20 '15 at 10:33
0
if you use csf firewall and nfs does not mount you most likely miss the open ports used by nlockmgr, find them by typing
rpcinfo -p
Next edit /etc/sysctl.conf to LOCK the ports on these numbers (example port) and add these 2 lines. Then restart portmap, nfs-server.
fs.nfs.nlm_udpport=38073
fs.nfs.nlm_tcpport=38747
Glorfindel
- 1,213
- 3
- 15
- 22
RvL
- 11
- 2