Linux nfs tcp port

Which ports do I need to open in the firewall to use NFS?

I’m running Ubuntu 11.10 — setting up NFS to share a directory among many other servers. Which ports are required to be opened on the firewall?

It depends on the version of the protocol you intend to use. NFS 4 only requires 2049, while older versions require more.

8 Answers

Port 111 (TCP and UDP) and 2049 (TCP and UDP) for the NFS server.

There are also ports for Cluster and client status (Port 1110 TCP for the former, and 1110 UDP for the latter) as well as a port for the NFS lock manager (Port 4045 TCP and UDP). Only you can determine which ports you need to allow depending on which services are needed cross-gateway.

I did not know about rpcinfo, that is quite useful. I didn’t see port 111 with the grep nfs, but I left off the grep to learn that 111 is for portmapper. Also good to know! (and like you mentioned, necessary)

@KennyYounger rpcinfo is a useful too. If this answered your question, don’t forget to mark it as the answer for the benefit of future viewers.

You need mountd open when you first mount the filesystem. It runs on a dynamic port, so it won’t always be the same. I put a link to a guide in my answer.

Could you give a brief description of what those services («cluster and client status», «NFS lock manager») do and when they might be needed? If those services are blocked by a firewall, will NFS servers and clients degrade gracefully, or just lock waiting for a response?

In addition to 111 for portmapper and 2049 for nfs, you will need to allow the mountd port and possibly rquotad, lockd, and statd, all of which can be dynamic. This excellent NFS security guide recommends changing your startup scripts and kernel module configs to force them to use static ports.

In addition to the guide above, which has a section on firewalls, see my answer to another question about hardening NFS.

We really do prefer content, not pointers to content. A précis of the content with a link is ok too and preferred to a link.

Not sure about 2012, but the recommendation in the links seems to be grossly outdated. NFS over TCP is preferred for a variety of reasons, and NFS over UDP can cause silent data corruption on fast links due to protocol limitations. The security guide has no mention of Kerberos/GSS etc.

With respect to mountd, life is a lot easier if you reconfigure to ensure the mountd port is fixed. On Debian systems, edit the RPCMOUNTDOPTS value to something like RPCMOUNTDOPTS="--port 34567" and then restart with sysctl --system and /etc/init.d/nfs-kernel-server restart


I found useful directions for my problem on this page, but there was no easy to follow recipe. So here’s my recipe.

TL;DR — need to allow both nfs ports (111, 2049) and mountd port after fixing it.

Setting up a fixed port for mountd

gksudo gedit /etc/default/nfs-kernel-server
  • comment out this line: RPCMOUNTDOPTS=--manage-gids
  • add this instead: RPCMOUNTDOPTS="--port 33333"

Now try to restart nfs using:

sudo service nfs-kernel-server restart 

And test if it helped using:

rpcinfo -p | grep "tcp.*mountd" 

For me it wasn’t enough, but a full restart fixed the issue.

Setting up the firewall (ufw)

(1) delete old rules, do this manually or reset if this is the only use for the firewall:

# WARNING: Don't copy & paste this if you don't understand what it does:
# sudo ufw reset
# sudo ufw enable
sudo ufw allow in from 10.0.0.1/20 to any port 111
sudo ufw allow in from 10.0.0.1/20 to any port 2049
sudo ufw allow in from 10.0.0.1/20 to any port 33333

(Change to your local IPs, or to "any" instead of 10.0.0.1/20)

You don’t need to restart the entire box. A simple sudo service nfs-config restart before restarting the nfs-kernel-server will do just fine.

You can also do it all in one swell foop: sudo ufw allow proto tcp from 10.0.0.1/20 to any port 111,2049,33333 followed by (ok, two swell foops) sudo ufw allow proto udp from 10.0.0.1/20 to any port 111,2049,33333. Note port 33333 is per the above example. You may use another port as the answer indicates.

@fbicknel I think you can do it in one "swell foop" if you just remove the proto tcp part on the first command 🙂

This will give a list of all ports used by all NFS-related programs (the awk body prints the protocol and port columns of rpcinfo -p, which the sort -k2n then orders numerically by port):

rpcinfo -p | awk '{print $3, $4}' | sort -k2n | uniq

With FERM one can use backticks to get the ports from rpcinfo, for example:

proto tcp ); $, = " "; print sort(keys(%ports)),"\n"'`) ACCEPT; # NFS
proto udp ); $, = " "; print sort(keys(%ports)),"\n"'`) ACCEPT; # NFS

(If you’re only going to use TCP then you need only the proto tcp part.)

To mount a Synology share on an Ubuntu 18.04 system, I had to enable ports 111, 892 and 2049.

When mounting, here is what I see (NFS 4 is not enabled on my Synology):

root@ub18ovh# mount -a -vv
mount.nfs: trying text-based options 'vers=4.2,addr=5.6.7.8,clientaddr=1.2.3.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4.1,addr=5.6.7.8,clientaddr=1.2.3.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4.0,addr=5.6.7.8,clientaddr=1.2.3.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'addr=5.6.7.8'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 5.6.7.8 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 5.6.7.8 prog 100005 vers 3 prot UDP port 892
successfully mounted


What Ports Does NFS Use

Network File System (NFS) is a file system protocol that allows users to share directories and files over a network. The NFS protocol is similar to the Samba protocol. However, unlike Samba, NFS provides an encryption mechanism and authentication. In addition, NFS server access can be restricted to specified hostnames and IP addresses. That makes NFS a much better choice for remote shares compared to Samba.


In this tutorial, we will focus on the fundamental networking concepts of NFS, specifically the ports used by the NFS services. Once we understand the specific ports and services of an NFS share, we can use them to configure security measures such as firewalls, and for troubleshooting.

How NFS Works

There are three versions of NFS supported at the time of writing this article. NFS v2 is the oldest and the most widely supported.

NFS v3 is newer than NFS v2 and offers more features, such as variable size handling and improved error reporting. However, NFS v3 is not compatible with NFS v2 clients.

The most recent version, NFS v4, provides new and improved features. They include stateful operations, backward compatibility with NFS v2 and NFS v3, removal of the portmapper requirement, cross-platform interoperability, better namespace handling, and built-in security with ACLs and Kerberos.

The following is a comparison of NFS v3 and NFS v4.

Feature                NFS v3              NFS v4
Transport Protocol     TCP and UDP         TCP, with UDP support on RHEL Enterprise
Permission Handling    Unix                Unix-based, SecureNFS, and ModeBit/Kerberos and ACL
Authentication Method  AUTH_SYS (weaker)   Kerberos (strong)
Personality            Stateless           Stateful
Semantics              Unix                Unix and Windows

The table above shows some of the features of NFS protocol 4 vs. NFS protocol 3. If you wish to learn more, consult the official documentation referenced below:

NFS v4 does not use a portmapper, and the helper services required by NFS v2 and v3 are not needed. Therefore, in NFS v4, only port 2049 is required.

NFS v2 and v3, however, require additional ports and services, which we are going to discuss in this tutorial.

Services Required (NFS v2 and V3)

As mentioned, NFS v2 and v3 use the portmap service. The portmap service in Linux handles Remote Procedure Calls (RPC), which NFS v2 and v3 use to encode and decode requests between the client and the server.

To implement NFS sharing, the following services are required. Keep in mind that this is only for NFS v2 and v3.

#: Portmapper

The portmapper service is required to run NFS on both the client and the server side. It runs on port 111 over both TCP and UDP.

If you are implementing a firewall, ensure this port is allowed for incoming and outgoing packets.

#: Mountd

The other service required to run NFS is the mountd daemon. It runs on the NFS server and handles mount requests from NFS clients. It is started by the nfsd service and does not normally require user configuration.


However, you can set a static port by editing the file /etc/sysconfig/nfs: locate the MOUNTD_PORT line and set it to the port you want (MOUNTD_PORT=port).

#: NFSD

This is the NFS daemon that runs on NFS servers. It is a critical service that works with the Linux kernel to provide functionality such as server threads for all clients connected to the server.

By default, the NFS daemon is already configured to run on the static port 2049. This applies to both TCP and UDP.

#: Lockd & Statd

The NFS Lock Manager daemon (lockd) and the Status Manager daemon (statd) are the other services required to run NFS. These daemons run on both the server side and the client side.

The lockd daemon allows the NFS clients to lock files on the NFS server.

On the other hand, the statd daemon is responsible for notifying users when the NFS server restarts without a graceful shutdown. It implements the Network Status Monitor (NSM) RPC protocol.

Although both of these services are started automatically by the nfslock service, you can configure them to run on static ports, which is useful for firewall configuration.

To set static ports for the statd and lockd daemons, edit /etc/sysconfig/nfs and add the corresponding entries (STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT, as listed in the recap below).

Quick Recap

Let us take a look at a quick recap of what we just covered.

If you are running NFS v4, all you need is to allow port 2049. However, if you are running either NFS v2 or v3, you need to edit the /etc/sysconfig/nfs file and add the ports for the following services.

  • Mountd – MOUNTD_PORT=port
  • Statd – STATD_PORT=port
  • Lockd – LOCKD_TCPPORT=port, LOCKD_UDPPORT=port

Finally, you need to ensure that the NFSD daemon is running on port 2049 and the portmapper on port 111.

NOTE: If the file /etc/sysconfig/nfs does not exist, create it and add the entries specified in the tutorial.

You can also check /var/log/messages if the NFS service does not start correctly. Ensure that the ports you specified are not already in use.

Example Config

The following is the configuration of the NFS server on a CentOS 8 server.

Once you have edited the configuration and added the necessary ports as discussed in the tutorial, restart the service as:

Next, confirm the service is running using the command:

Finally, confirm the ports in use with rpcinfo, as shown in the command below:
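The rpcinfo check above, and the "list all NFS ports, then write ufw rules" recipe from the answers earlier on this page, can be automated. This is an added example, not code from the thread or the tutorial: a POSIX shell script that parses rpcinfo -p output (a constructed sample from a hypothetical v3 server is embedded), emits one ufw rule per protocol/port pair, and lists the ports that are still dynamic and so need pinning in /etc/sysconfig/nfs before a firewall rule for them is reliable. The function names, the 10.0.0.0/20 client network and the sample port numbers are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the tutorial). Constructed `rpcinfo -p`
# output from a hypothetical NFS v3 server: portmapper and nfs are on their fixed
# ports, mountd has been pinned to 33333, lockd/statd are still on dynamic ports.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp  33333  mountd
    100005    3   udp  33333  mountd
    100021    4   tcp  45678  nlockmgr
    100021    4   udp  51234  nlockmgr
    100024    1   tcp  40001  status
    100024    1   udp  38871  status'

# Unique "proto port" pairs of the NFS-related RPC services, read from rpcinfo -p
# output on stdin. On a live host: rpcinfo -p | nfs_ports
nfs_ports() {
    awk '$5 ~ /^(portmapper|nfs|mountd|nlockmgr|status|rquotad)$/ { print $3, $4 }' \
        | sort -u | sort -k1,1 -k2,2n
}

# One ufw rule per pair, limited to the given client network (assumed 10.0.0.0/20).
ufw_rules() {
    src="$1"
    nfs_ports | while read -r proto port; do
        echo "ufw allow in proto $proto from $src to any port $port"
    done
}

# Ports that are NOT in the pinned set: a firewall rule written for these today
# stops matching after the next restart, when rpcbind assigns different ones.
dynamic_ports() {
    static=" $1 "   # space-separated pinned ports, e.g. "111 2049 33333"
    nfs_ports | while read -r proto port; do
        case "$static" in
            *" $port "*) ;;
            *) echo "$proto $port" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_RPCINFO" | ufw_rules 10.0.0.0/20
echo "still dynamic (pin these in /etc/sysconfig/nfs first):"
printf '%s\n' "$SAMPLE_RPCINFO" | dynamic_ports "111 2049 33333"
```

Run it against a real host with `rpcinfo -p | ufw_rules 10.0.0.0/20` after sourcing the file; review the emitted rules before applying them with sudo.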

Conclusion

This tutorial discussed the networking basics of the NFS protocol and the ports and services required for NFS v2 and v3, and for NFS v4.

Thank you for reading & Be a proud Geek!

About the author

John Otieno

My name is John and am a fellow geek like you. I am passionate about all things computers from Hardware, Operating systems to Programming. My dream is to share my knowledge with the world and help out fellow geeks. Follow my content by subscribing to LinuxHint mailing list
