121

I'm running Ubuntu 11.10 - setting up NFS to share a directory among many other servers. Which ports are required to be opened on the firewall?

kenny
  • 1,323

10 Answers

160
$ rpcinfo -p | grep nfs

Port 111 (TCP and UDP) and 2049 (TCP and UDP) for the NFS server.

There are also ports for Cluster and client status (Port 1110 TCP for the former, and 1110 UDP for the latter) as well as a port for the NFS lock manager (Port 4045 TCP and UDP). Only you can determine which ports you need to allow depending on which services are needed cross-gateway.

slm
  • 8,010
Wesley
  • 33,060
43

In addition to 111 for portmapper and 2049 for nfs, you will need to allow the mountd port and possibly rquotad, lockd, and statd, all of which can be dynamic. This excellent NFS security guide recommends changing your startup scripts and kernel module configs to force them to use static ports.

In addition to the guide above, which has a section on firewalls, see my answer to another question about hardening NFS.

bonsaiviking
  • 4,490
33

I found useful directions for my problem on this page, but there was no easy-to-follow recipe. So here's my recipe.

TL;DR: you need to allow both NFS ports (111, 2049) and the mountd port after fixing it.

Instructions:


Setting up a fixed port for mountd

gksudo gedit /etc/default/nfs-kernel-server
  • comment out this line: RPCMOUNTDOPTS=--manage-gids
  • add this instead: RPCMOUNTDOPTS="--port 33333"

Or any other port number.

Now try to reset NFS using:

sudo service nfs-kernel-server restart

And test if it helped using:

rpcinfo -p | grep "tcp.*mountd"

For me it wasn't enough, but a full restart fixed the issue.

(credit)


Setting up the firewall (ufw)

(1) delete old rules, do this manually or reset if this is the only use for the firewall:

# WARNING: Don't copy & paste this if you don't understand what it does:
# sudo ufw reset
# sudo ufw enable

(2) add nfs & mountd ports

sudo ufw allow in from 10.0.0.1/20 to any port 111
sudo ufw allow in from 10.0.0.1/20 to any port 2049
sudo ufw allow in from 10.0.0.1/20 to any port 33333

(Change to your local IPs, or to "any" instead of 10.0.0.1/20.)

That's all there is to it.

Amir Uval
  • 431
10

This will give a list of all ports used by all NFS-related programs:

rpcinfo -p | awk '{print $3" "$4}' | sort -k2n | uniq
charlesnadeau
  • 111
  • 1
  • 2
  • 2
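The two answers above (the ufw recipe and the rpcinfo one-liner) can be joined into one small script. The following is an added example, not code from any of the answers: it parses `rpcinfo -p` output into the unique proto/port pairs and prints the ufw rules that admit only a named client subnet, so the rules are always generated from what the server actually registered rather than typed by hand. The rpcinfo text is a constructed sample in the real `rpcinfo -p` layout; the subnet 10.0.0.0/20 and the pinned ports 33333, 32769, 32803 and 662 are assumptions taken from the answers on this page.

```shell
#!/bin/sh
# Added example (not from any answer on this page): derive firewall rules
# from `rpcinfo -p`. SAMPLE_RPCINFO is a constructed sample; on a real
# server feed `rpcinfo -p` into nfs_ports instead.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  33333  mountd
    100005    1   tcp  33333  mountd
    100005    3   tcp  33333  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100024    1   udp    662  status
    100024    1   tcp    662  status'

# nfs_ports: read rpcinfo -p text on stdin, print unique "proto port"
# pairs (header skipped), sorted by port number then protocol.
nfs_ports() {
    awk 'NR > 1 && NF >= 4 { print $3, $4 }' | sort -k2,2n -k1,1 | uniq
}

# ufw_rules SUBNET: read "proto port" pairs on stdin and print one ufw
# command per pair that admits only SUBNET (nothing is executed).
ufw_rules() {
    subnet=$1
    while read -r proto port; do
        printf 'sudo ufw allow in from %s to any port %s proto %s\n' \
            "$subnet" "$port" "$proto"
    done
}

# count_ports: number of distinct proto/port pairs in rpcinfo text (stdin).
count_ports() {
    nfs_ports | wc -l | tr -d ' '
}

# Usage on the constructed sample: prints the rules, does not apply them.
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_ports | ufw_rules 10.0.0.0/20
```

Review the printed rules before applying them; any service still on a random port (mountd, nlockmgr or status that has not been pinned) will show up here with a port that changes on the next restart, which is exactly the case the static-port answers below address.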
2

With FERM one can use backticks to get the ports from rpcinfo, for example:

Server:

proto tcp {saddr ($CLIENT) {
  dport (`rpcinfo -p | perl -e 'while(<>){/\s+\d+\s+\d\s+(?:tcp)\s+(\d+)/ and $ports{$1}=1}; $, = " "; print sort(keys(%ports)),"\n"'`) ACCEPT; # NFS
}}
proto udp {saddr ($CLIENT) {
  dport (`rpcinfo -p | perl -e 'while(<>){/\s+\d+\s+\d\s+(?:udp)\s+(\d+)/ and $ports{$1}=1}; $, = " "; print sort(keys(%ports)),"\n"'`) ACCEPT; # NFS
}}

Client:

proto udp {saddr ($SERVER) {ACCEPT;}}  # NFS

(If you're only going to use TCP, then you need only the proto tcp part.)

newmanth
  • 3,953
Artem
  • 167
  • 4
2

To mount a Synology share on an Ubuntu 18.04 system, I had to enable ports 111, 892 and 2049.

When mounting, here is what I see (NFS 4 is not enabled on my Synology):

root@ub18ovh# mount -a -vv
mount.nfs: trying text-based options 'vers=4.2,addr=5.6.7.8,clientaddr=1.2.3.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4.1,addr=5.6.7.8,clientaddr=1.2.3.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4.0,addr=5.6.7.8,clientaddr=1.2.3.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'addr=5.6.7.8'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 5.6.7.8 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 5.6.7.8 prog 100005 vers 3 prot UDP port 892
successfully mounted
Slavik
  • 228
1

If you use the CSF firewall and NFS does not mount, you are most likely missing the open ports used by nlockmgr. Find them by typing

rpcinfo -p

Next, edit /etc/sysctl.conf to lock the ports to these numbers (example ports) by adding these two lines. Then restart portmap and nfs-server.

fs.nfs.nlm_udpport=38073

fs.nfs.nlm_tcpport=38747

Glorfindel
  • 1,213
RvL
  • 21
1

For the record, I had to add permissions for ports 111, 2049 AND 1048 for a configuration where an NFS share is exported by a Windows 2008 R2 server and the clients are Ubuntu 12.04.4.

I hope this helps someone.

specstr
  • 111
0

These ports also need to be added to your NFS configuration file:

LOCKD_TCPPORT=32803

LOCKD_UDPPORT=32769

MOUNTD_PORT=892

STATD_PORT=662

In Debian, the file to edit is /etc/nfs.conf

The ports you select don't matter as long as they are not used by other services.

Make sure you add them to your ufw or iptables configuration to allow nfs connections from clients.

Lastly, restart the firewall and NFS server.

R S
  • 1
  • 2
0

Debian Users: Setting up a fixed port for mountd

Debian manages the mountd port by having manage-gids=y, so you have to set it to "n" in /etc/nfs.conf:

    [mountd]
    # debug="all|auth|call|general|parse"
    manage-gids=n
    # descriptors=0
    port=20048
    # threads=1
    # reverse-lookup=n
    # state-directory-path=/var/lib/nfs
    # ha-callout=
    # cache-use-ipaddr=n
    # ttl=1800

Without setting it to "n", no matter how you set a static port number in any variation, it will not set the port. In /etc/default/nfs-kernel-server you don't have to change anything:

    # Options for rpc.mountd.
    # If you have a port-based firewall, you might want to set up
    # a fixed port here using the --port option. For more information, 
    # see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
    # To disable NFSv4 on the server, specify '--no-nfs-version 4' here
    RPCMOUNTDOPTS="--manage-gids"

However, I've tested with

  1. the default,
  2. #RPCMOUNTDOPTS="--manage-gids",
  3. RPCMOUNTDOPTS="--port 20048" added, with either #RPCMOUNTDOPTS="--manage-gids" or RPCMOUNTDOPTS="--manage-gids",

and the static port was set and remained 20048.
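Several answers on this page pin mountd, statd and lockd to fixed ports (in /etc/nfs.conf, /etc/default/nfs-kernel-server or /etc/sysctl.conf) and then write firewall rules for those numbers. What none of them show is a check that the pin actually took: if a restart silently hands nlockmgr a random port again, the firewall keeps passing the old number and mounts hang. The script below is an added example, not part of any answer: it reads the configured ports out of nfs.conf-style and sysctl-style text, compares them with what `rpcinfo -p` reports for mountd, status and nlockmgr, and exits non-zero on any mismatch so it can run from cron or a health check. All three inputs are constructed samples; the `[statd]` section with `port=` is an assumption about the nfs.conf layout, and the port numbers are taken from the answers above.

```shell
#!/bin/sh
# Added example (not from any answer on this page): verify that the
# dynamic-port RPC services are registered on the ports that were pinned.
# The three samples below are constructed; on a real host substitute
# "$(cat /etc/nfs.conf)", "$(sysctl fs.nfs.nlm_udpport fs.nfs.nlm_tcpport)"
# and "$(rpcinfo -p)".
SAMPLE_NFS_CONF='[mountd]
manage-gids=n
port=20048
[statd]
port=662'

SAMPLE_SYSCTL='fs.nfs.nlm_udpport=32769
fs.nfs.nlm_tcpport=32803'

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    3   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100003    4   tcp   2049  nfs
    100021    4   tcp  32803  nlockmgr
    100021    1   udp  32769  nlockmgr
    100024    1   tcp    662  status
    100024    1   udp    662  status'

# conf_port SECTION: print the port= value under [SECTION] in nfs.conf
# text read from stdin; comment lines are ignored, blanks tolerated.
conf_port() {
    awk -v want="[$1]" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == want); next }
        insec && sub(/^[ \t]*port[ \t]*=[ \t]*/, "") { print; exit }'
}

# sysctl_port KEY: value of KEY in "key=value" text on stdin.
sysctl_port() {
    awk -F= -v key="$1" '$1 == key { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# rpc_port SERVICE PROTO: port SERVICE is registered on for PROTO in
# rpcinfo -p text on stdin; prints nothing if it is not registered.
rpc_port() {
    awk -v svc="$1" -v proto="$2" '$5 == svc && $3 == proto { print $4; exit }'
}

# check_pinned NFSCONF SYSCTL RPCINFO: compare each expected
# service/proto/port triple with rpcinfo; print every mismatch and
# return 1 if any was found, 0 otherwise.
check_pinned() {
    conf=$1; sysctl=$2; rpc=$3; bad=0
    mountd=$(printf '%s\n' "$conf" | conf_port mountd)
    statd=$(printf '%s\n' "$conf" | conf_port statd)
    nlm_tcp=$(printf '%s\n' "$sysctl" | sysctl_port fs.nfs.nlm_tcpport)
    nlm_udp=$(printf '%s\n' "$sysctl" | sysctl_port fs.nfs.nlm_udpport)
    for spec in "mountd tcp $mountd" "mountd udp $mountd" \
                "status tcp $statd" "status udp $statd" \
                "nlockmgr tcp $nlm_tcp" "nlockmgr udp $nlm_udp"; do
        set -- $spec
        actual=$(printf '%s\n' "$rpc" | rpc_port "$1" "$2")
        if [ "$actual" != "$3" ]; then
            printf 'MISMATCH %s/%s: configured %s, rpcinfo shows %s\n' \
                "$1" "$2" "$3" "${actual:-none}"
            bad=1
        fi
    done
    return $bad
}

# Usage on the constructed samples: everything matches, so this prints the
# confirmation line and exits 0.
check_pinned "$SAMPLE_NFS_CONF" "$SAMPLE_SYSCTL" "$SAMPLE_RPCINFO" \
    && echo "all pinned NFS ports match rpcinfo"
```

Run it after every NFS restart or reboot; a MISMATCH line for nlockmgr is the symptom the csf answer above describes (mounts failing because the lock manager landed on a port the firewall does not pass).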