Which ports do I need to open in the firewall to use NFS?

Solution 1:

$ rpcinfo -p | grep nfs

Ports 111 (TCP and UDP) and 2049 (TCP and UDP) for the NFS server.

There are also ports for cluster and client status (port 1110 TCP for the former, and 1110 UDP for the latter) as well as a port for the NFS lock manager (port 4045 TCP and UDP). Only you can determine which ports you need to allow, depending on which services are needed cross-gateway.

Solution 2:

In addition to 111 for portmapper and 2049 for nfs, you will need to allow the mountd port and possibly rquotad, lockd, and statd, all of which can be dynamic. This excellent NFS security guide recommends changing your startup scripts and kernel module configs to force them to use static ports.

In addition to the guide above, which has a section on firewalls, see my answer to another question about hardening NFS.


Solution 3:

I found useful directions for my problem on this page, but there was no easy-to-follow recipe. So here's my recipe.

TL;DR: you need to allow both NFS ports (111, 2049) and the mountd port after fixing it.

Instructions:

Setting up a fixed port for mountd

gksudo gedit /etc/default/nfs-kernel-server

  • comment out this line: RPCMOUNTDOPTS=--manage-gids
  • add this instead: RPCMOUNTDOPTS="--port 33333"

Or any other port number.

Now try to reset NFS using:

sudo service nfs-kernel-server restart

And test if it helped using:

rpcinfo -p | grep "tcp.*mountd"

For me it wasn't enough, but a full restart fixed the issue.

(credit)


Setting up the firewall

(1) Delete the old rules; do this manually, or reset if this is the only use for the firewall:

sudo ufw reset
sudo ufw enable

(2) Add the NFS and mountd ports:

sudo ufw allow in from 10.0.0.1/20 to any port 111
sudo ufw allow in from 10.0.0.1/20 to any port 2049
sudo ufw allow in from 10.0.0.1/20 to any port 33333

(Change 10.0.0.1/20 to your local IPs, or use "any" instead.)

That's all there is to it.


Solution 4:

This will give a list of all ports used by all NFS-related programs:

rpcinfo -p | awk '{print $3" "$4}' | sort -k2n | uniq

Solution 5:

With ferm one can use backticks to get the ports from rpcinfo, for example:

Server:

proto tcp {saddr ($CLIENT) {
  dport (`rpcinfo -p | perl -e 'while(<>){/\s+\d+\s+\d\s+(?:tcp)\s+(\d+)/ and $ports{$1}=1}; $, = " "; print sort(keys(%ports)),"\n"'`) ACCEPT; # NFS
}}
proto udp {saddr ($CLIENT) {
  dport (`rpcinfo -p | perl -e 'while(<>){/\s+\d+\s+\d\s+(?:udp)\s+(\d+)/ and $ports{$1}=1}; $, = " "; print sort(keys(%ports)),"\n"'`) ACCEPT; # NFS
}}

Client:

proto udp {saddr ($SERVER) {ACCEPT;}}  # NFS

(If you're only going to use TCP, then you need only the proto tcp part.)
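Solutions 3, 4 and 5 all end up reading `rpcinfo -p`: once to confirm mountd landed on its fixed port, once to list the ports, and once to turn them into rules. The script below is an added example, not code from any of the answers above, that does the three steps in one portable shell script: it keeps only the RPC services that belong to NFS (so an unrelated program registered with rpcbind does not get opened, which the backtick expression in Solution 5 would do), it checks that the services which normally pick a random port are on the ports you pinned them to, and it prints ufw commands in the style of Solution 3. The `rpcinfo -p` text is a constructed sample, not captured from a real host; the pinned ports for statd, lockd and rquotad and the 10.0.0.0/20 client network are assumptions for the example (only the mountd port 33333 comes from the page).

```shell
#!/bin/sh
# Added example, not code from any answer on this page: derive NFS firewall
# rules from `rpcinfo -p` output and check that the normally dynamic services
# are on the ports they were pinned to. Works with dash/bash and POSIX awk.

# Constructed `rpcinfo -p` sample (not captured from a real host): mountd has
# been pinned to 33333 as in Solution 3, but statd (status) and lockd
# (nlockmgr) were left on random ports, and an unrelated RPC service (ypbind)
# is registered too. Duplicate lines per RPC version are deliberate; real
# output has them as well.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  33333  mountd
    100005    1   tcp  33333  mountd
    100005    3   udp  33333  mountd
    100005    3   tcp  33333  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100024    1   udp  40183  status
    100024    1   tcp  58877  status
    100021    1   udp  34891  nlockmgr
    100021    4   udp  34891  nlockmgr
    100021    1   tcp  43263  nlockmgr
    100021    4   tcp  43263  nlockmgr
    100011    1   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100007    2   udp    918  ypbind
    100007    2   tcp    919  ypbind'

# RPC services that belong to NFS; anything else registered with rpcbind
# (here the constructed ypbind entry) stays closed.
NFS_SERVICES='portmapper nfs mountd nlockmgr status rquotad'

# Expected static ports. 33333 for mountd is the value used in Solution 3;
# the statd, lockd and rquotad values are assumptions for this example.
PINNED='mountd=33333 status=32765 nlockmgr=32803 rquotad=875'

# nfs_ports PROTO  -  rpcinfo -p text on stdin; prints the distinct NFS ports
# for PROTO (tcp|udp) on one line, sorted numerically.
nfs_ports() {
    awk -v proto="$1" -v svcs="$NFS_SERVICES" '
        BEGIN { n = split(svcs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NF == 5 && $3 == proto && ($5 in want) && !seen[$4]++ { print $4 }
    ' | sort -n | paste -sd ' ' -
}

# check_pinned  -  rpcinfo -p text on stdin; prints "service proto port" for
# every NFS service that is not on its PINNED port and exits 1 if any exist,
# so the firewall is not opened around ports that will change on reboot.
check_pinned() {
    awk -v pins="$PINNED" '
        BEGIN {
            n = split(pins, a, " ")
            for (i = 1; i <= n; i++) { split(a[i], kv, "="); want[kv[1]] = kv[2] }
        }
        NF == 5 && ($5 in want) && $4 != want[$5] && !seen[$5, $3, $4]++ {
            print $5, $3, $4; bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# ufw_rules CLIENT_NET  -  rpcinfo -p text on stdin; prints one ufw command
# per protocol in the style of Solution 3, restricted to CLIENT_NET. ufw only
# accepts a comma-separated port list when the protocol is given, hence proto.
ufw_rules() {
    rpc=$(cat)
    for proto in tcp udp; do
        ports=$(printf '%s\n' "$rpc" | nfs_ports "$proto" | tr ' ' ',')
        [ -n "$ports" ] || continue
        printf 'ufw allow in proto %s from %s to any port %s\n' "$proto" "$1" "$ports"
    done
}

# Demonstration on the constructed sample. On a real server replace the
# printf with:  rpcinfo -p | ufw_rules 10.0.0.0/20
printf '%s\n' "$SAMPLE_RPCINFO" | ufw_rules 10.0.0.0/20
printf '%s\n' "$SAMPLE_RPCINFO" | check_pinned ||
    echo 'unpinned NFS services listed above: fix their ports before applying the rules' >&2
```

Run it after pinning mountd (and, if you follow the guide from Solution 2, statd and lockd) and before writing any rules: `check_pinned` failing means the port list you are about to allow will be different after the next reboot. On the sample it reports four unpinned status/nlockmgr entries and the ypbind ports are absent from both ufw lines.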