The NFS service needs rpcbind, which dynamically assigns ports to RPC services. Remote Procedure Call (RPC) is a protocol that lets one process call another on a remote server without having to understand the network details. So running NFS behind a firewall is entirely a matter of writing firewall rules for the RPC services, and because those services pick their ports at random by default, the rules cannot be written until the ports are fixed. To allow a client to access NFS shares behind a firewall, use the /etc/sysconfig/nfs configuration file to control which ports the required RPC services run on.
By default /etc/sysconfig/nfs may not exist on the system. If it doesn't exist, create it and add the following lines. You can replace the port values with any unused ports you wish.
MOUNTD_PORT=port    # Controls which TCP and UDP port mountd (rpc.mountd) uses.
STATD_PORT=port     # Controls which TCP and UDP port status (rpc.statd) uses.
LOCKD_TCPPORT=port  # Controls which TCP port nlockmgr (lockd) uses.
LOCKD_UDPPORT=port  # Controls which UDP port nlockmgr (lockd) uses.
After you define these ports, restart the nfs service and check /var/log/messages. If the NFS service doesn't start normally, the port you defined is already in use by another service or process.
#service nfs restart
Run the "rpcinfo" command to confirm that each service is now registered on the port you assigned.
#rpcinfo -p
program vers proto port service
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 662 status
100024 1 tcp 662 status
100021 1 udp 53748 nlockmgr
100021 3 udp 53748 nlockmgr
100021 4 udp 53748 nlockmgr
100021 1 tcp 14637 nlockmgr
100021 3 tcp 14637 nlockmgr
100021 4 tcp 14637 nlockmgr
100011 1 udp 875 rquotad
100011 2 udp 875 rquotad
100011 1 tcp 818 rquotad
100011 2 tcp 818 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 892 mountd
100005 1 tcp 892 mountd
100005 2 udp 892 mountd
100005 2 tcp 892 mountd
100005 3 udp 892 mountd
100005 3 tcp 892 mountd
#service nfs status
Configure the firewall to allow NFS:
- Allow TCP and UDP port 2049 for NFS.
- Allow TCP and UDP port 111 (rpcbind/sunrpc).
- Allow the TCP and UDP port specified with MOUNTD_PORT="port"
- Allow the TCP and UDP port specified with STATD_PORT="port"
- Allow the TCP port specified with LOCKD_TCPPORT="port"
- Allow the UDP port specified with LOCKD_UDPPORT="port"
Default Ports For Firewall Access:
- 2049
- 111
- 801
- 804
- LOCKD_TCPPORT=32803
- LOCKD_UDPPORT=32769
- MOUNTD_PORT=892
- STATD_PORT=662
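The check a practitioner wants after the restart is whether every RPC service really landed on its pinned port before the firewall is opened for those ports. The script below is an added example (not from the original page) that compares a sysconfig snippet against `rpcinfo -p` output and prints the resulting allow list; the function names, the sysconfig snippet and the rpcinfo sample are constructed here, and the sample deliberately shows nlockmgr on dynamic ports, as in the rpcinfo output above, so that the mismatch is reported.

```shell
#!/bin/sh
# Added example: verify pinned NFS RPC ports against `rpcinfo -p` and list the
# firewall ports to open. Sample data below is constructed, not captured.

# Constructed /etc/sysconfig/nfs values (commented lines are ignored by get_var).
SYSCONFIG_SAMPLE='MOUNTD_PORT=892
STATD_PORT=662
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769'

# Constructed `rpcinfo -p` output; nlockmgr is still on random ports.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100021    1   udp  53748  nlockmgr
    100021    1   tcp  14637  nlockmgr
    100003    3   tcp   2049  nfs
    100005    3   tcp    892  mountd
    100005    3   udp    892  mountd'

# get_var VAR CONFIG -> value of the VAR=value line, quotes stripped
get_var() {
  printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { gsub(/"/, "", $2); print $2; exit }'
}

# rpc_port SERVICE PROTO RPCINFO -> port the service registered for that protocol
rpc_port() {
  printf '%s\n' "$3" | awk -v s="$1" -v p="$2" '$5 == s && $3 == p { print $4; exit }'
}

# check_pinned CONFIG RPCINFO -> prints one MISMATCH line per service/protocol
# whose registered port differs from the pinned one; returns 0 only if all match
check_pinned() {
  cfg=$1; info=$2; rc=0
  for spec in "mountd tcp MOUNTD_PORT" "mountd udp MOUNTD_PORT" \
              "status tcp STATD_PORT" "status udp STATD_PORT" \
              "nlockmgr tcp LOCKD_TCPPORT" "nlockmgr udp LOCKD_UDPPORT"; do
    set -- $spec
    want=$(get_var "$3" "$cfg"); got=$(rpc_port "$1" "$2" "$info")
    if [ "$want" != "$got" ]; then
      echo "MISMATCH $1/$2 expected=$want actual=${got:-none}"; rc=1
    fi
  done
  return $rc
}

# allow_list CONFIG -> "proto port" lines the firewall must allow for NFS
allow_list() {
  cfg=$1
  printf 'tcp 2049\nudp 2049\ntcp 111\nudp 111\n'
  for v in MOUNTD_PORT STATD_PORT; do
    p=$(get_var "$v" "$cfg"); printf 'tcp %s\nudp %s\n' "$p" "$p"
  done
  printf 'tcp %s\nudp %s\n' "$(get_var LOCKD_TCPPORT "$cfg")" "$(get_var LOCKD_UDPPORT "$cfg")"
}
```

On a real host, feed it the actual file and `rpcinfo -p` output: `check_pinned "$(cat /etc/sysconfig/nfs)" "$(rpcinfo -p)"`, and only open the ports from `allow_list` once it returns 0.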
How to Check NFS Server Shares?
Once the firewall is open, confirm from a client that the export list is reachable:
#showmount -e NFSserverIP