21

I've set up an NFSv4 server and it's working fine; however, the firewall is blocking NFS even if ports 2049 and 111 are open.

I know NFS uses some random ports that change at every boot, but how can I make them static so I can use NFS without disabling my firewall again?

JaR
  • 888

3 Answers

47

I did some more research into this. Ubuntu is using UFW, which is extremely easy to configure, yet very potent, at least for SOHO needs. So, rpc.mountd listens on multiple ports by default, thus you have to bind rpc.mountd to one port; then you can add an additional UFW rule to accept incoming connections on that particular port.

To do so, open /etc/default/nfs-kernel-server and comment out the line

RPCMOUNTDOPTS=--manage-gids

and add the following line

RPCMOUNTDOPTS="-p 13025"

13025 is just a randomly selected port, something that is available and isn't already defined in /etc/services.

Restart NFSd with sudo systemctl restart nfs-kernel-server (or sudo /etc/init.d/nfs-kernel-server restart on older Ubuntu versions).

Now configure the UFW to accept incoming connections on port 13025, 2049 and port 111.

ufw allow from 192.168.1.0/24 to any port 111
ufw allow from 192.168.1.0/24 to any port 2049
ufw allow from 192.168.1.0/24 to any port 13025

That's it. You should now be able to mount your exports from another machine. :-)

JaR
  • 888
12

The accepted answer is correct for old versions of Ubuntu. But now I am using Ubuntu 22, and after trying this option (it was working fine on my previous Ubuntu installs on my Raspberry Pi) it seems that it is not valid any more.

According to this link.

the /etc/default/nfs-* files are ignored by the NFS server or client in Ubuntu 22.04.

That means that the proposed solution of @Jar is no longer valid.

What must be done now is editing /etc/nfs.conf, according to this link. Update this config:

[mountd]
#port=0

Uncomment the line #port=0 and replace the port with the desired number (e.g. 13025, following the other examples).

[mountd]
port=13025

After this, restart the server:

systemctl restart nfs-server

And ensure that port 13025 is now correctly opened with rpcinfo -p, giving an output such as:

   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  13025  mountd
    100005    1   tcp  13025  mountd
    100005    2   udp  13025  mountd
    100005    2   tcp  13025  mountd
    100005    3   udp  13025  mountd
    100005    3   tcp  13025  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs

Now it must work as expected. Obviously, remember to open your firewall to ports 2049, 111 and 13025, as explained in the previous answers:

ufw allow from 192.168.1.0/24 to any port 111
ufw allow from 192.168.1.0/24 to any port 2049
ufw allow from 192.168.1.0/24 to any port 13025
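
The rpcinfo -p check described above can be automated. The following is an added example, not part of the original answers: it reads rpcinfo -p output and lists every RPC registration whose port is not covered by the three ufw rules. The names ALLOWED_PORTS, unpinned_rpc_ports and sample_rpcinfo are hypothetical, and the sample output (including ports 40123 and 51515) is constructed.

```sh
#!/bin/sh
# Ports that the ufw rules on this page allow (assumption: same rule set).
ALLOWED_PORTS="111 2049 13025"

# Reads `rpcinfo -p` output on stdin and prints "service proto port" once for
# each registration whose port is not in ALLOWED_PORTS.
# Exit status: 0 if every port is covered, 1 if at least one is not.
unpinned_rpc_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Data rows start with a numeric program id; the header row is skipped.
        $1 ~ /^[0-9]+$/ && NF >= 5 && !($4 in ok) {
            key = $5 " " $3 " " $4
            if (!(key in seen)) { seen[key] = 1; print key; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: mountd is pinned to 13025, while two other RPC
# services are still registered on ports that nothing pins or allows.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    3   udp  13025  mountd
    100005    3   tcp  13025  mountd
    100003    4   tcp   2049  nfs
    100021    4   tcp  40123  nlockmgr
    100021    3   tcp  40123  nlockmgr
    100024    1   udp  51515  status
EOF
}

# On a real server, run: rpcinfo -p | unpinned_rpc_ports
sample_rpcinfo | unpinned_rpc_ports \
    || echo "the services listed above are on ports the ufw rules do not cover"
```

Anything it prints is on a port that may change at the next boot, so the firewall rules cannot track it until that service is pinned too.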
5

You don't have to do complex operations with new versions of Ubuntu. Ubuntu 18.04 ufw and nfs-kernel-server.

Just use this command to allow nfs on your host

sudo ufw allow from your_client_ip to any port nfs

or

sudo ufw allow from your_client_ip_block/24 to any port nfs