3

I have a server (Debian 9.6) which mounts an NFSv3 share for backup purposes.

Does it need any specific firewall settings ?

I have found that rcpbind is listening on port 111 and 903 and is installed as a dependecy of nfs-common. However, if I block all ports with ufw and/or kill rpcbind, I can still mount the NFS share.

I don't understand why nfs-common depends on rpcbind if it works without it. Am I missing anything ? Maybe rpcbind is needed for file locking or nfs stats.

Jonathon Reinhart
  • 446
  • 1
  • 8
  • 25
Max
  • 143
  • 1
  • 6

1 Answers1

2

NFS servers normally run a portmapper or rpcbind daemon to advertise their service endpoints to clients. Clients use the rpcbind daemon to determine:

  • What network port each RPC-based service is using
  • What transport protocols each RPC-based service supports

The rpcbind daemon uses a well-known port number (111) to help clients find a service endpoint. Although NFS often uses a standard port number (2049), auxiliary services such as the NLM service can choose any unused port number at random.

From section "Mounting through a firewall" of nfs-common man page.

The reason why if you block access port and you are able to mount it is probably because the connection as been established from the client to the server, so no incoming connection are generated during mount operation, also when you kill the rpcbind process may the mount operation start it again.

AtomiX84
  • 415
  • 2
  • 7
  • Actually, `apt-cache depends nfs-common` gives rpcbind as a direct dependency. – Max Jan 15 '19 at 14:12
  • @Max, it was not showed by running reverse dependency apt rdepend nfs-common – AtomiX84 Jan 15 '19 at 14:29
  • Thanks for your help anyway. As I understand it, `rdepends` shows all the packages depending on a package (reverse dependencies) and `depends` all the dependencies of a package. – Max Jan 15 '19 at 15:51
  • Get it about depends and rdepends, anyway I think my answer (after correct the wrong says on dependency) answer could be considered right, did it? – AtomiX84 Jan 15 '19 at 16:13
  • I'm not sure. You said that `nfs-common` install the NFS server but most tutorials of NFS server setup suggest the `nfs-kernel-server` package. It's still not clear to me why the NFS client would need rpcbind or NFS server. – Max Jan 16 '19 at 07:21
  • I have update the answer. – AtomiX84 Jan 16 '19 at 08:24