https://www.slackwiki.com/index.php?action=history&feed=atom&title=NFS_and_FirewallNFS and Firewall - Revision history2026-04-08T12:51:21ZRevision history for this page on the wikiMediaWiki 1.40.0https://www.slackwiki.com/index.php?title=NFS_and_Firewall&diff=144&oldid=prevErik: Copy from old2009-06-04T05:26:18Z<p>Copy from old</p>
<p><b>New page</b></p><div>The most recent version of this document can always be found at:<br />
http://rlworkman.net/howtos/NFS_Firewall_HOWTO<br />
--rworkman<br />
<br />
<br />
This document is intended to give you detailed steps for making NFS bind to<br />
user-specified ports instead of random ports assigned by the portmapper.<br />
This makes it *much* easier to run a firewall on the NFS server, as you don't<br />
have to kludge something to find the NFS ports at each boot to open them with <br />
iptables.<br />
<br />
First, you'll want (it's not necessary, but handy to have for later) to make<br />
sure all of this is in /etc/services. I made sure "NFS" is in all of what I<br />
added or modified so that I can easily remove them (or just find them) if I <br />
need them later.<br />
<br />
bash-3.00# grep NFS /etc/services <br />
sunrpc 111/tcp rpcbind # SUN Remote Procedure Call<br />
sunrpc 111/udp rpcbind # SUN Remote Procedure Call <br />
mountd 861/udp # NFS mountd<br />
mountd 861/udp # NFS mountd<br />
rquotad 863/udp # NFS rquotad<br />
rquotad 863/tcp # NFS rquotad<br />
status 865/udp # NFS status (listen)<br />
status 865/tcp # NFS status (listen)<br />
status 866/udp # NFS status (send)<br />
status 866/tcp # NFS status (send)<br />
nfsd 2049/tcp # NFS server daemon<br />
nfsd 2049/udp # NFS server daemon<br />
lockd 4045/udp # NFS lock daemon/manager<br />
lockd 4045/tcp # NFS lock daemon/manager<br />
<br />
Next, you'll need to modify your /etc/rc.d/rc.nfsd script accordingly:<br />
For other linux distributions, find the script that starts these<br />
daemons and add the needed flags.<br />
* Make the quota daemon listen on port 863<br />
if [ -x /usr/sbin/rpc.rquotad ]; then<br />
echo " /usr/sbin/rpc.rquotad -p 863"<br />
/usr/sbin/rpc.rquotad -p 863<br />
fi<br />
* Make the mount daemon listen on port 861<br />
if [ -x /usr/sbin/rpc.mountd ]; then<br />
echo " /usr/sbin/rpc.mountd -p 861"<br />
/usr/sbin/rpc.mountd -p 861<br />
fi<br />
Now modify the /etc/rc.d/rc.rpc script (again, for other linux distros,<br />
find the script that starts this daemon and add the needed flags).<br />
On older versions (less than 11.0) of Slackware, rpc.statd is started<br />
in rc.nfsd, so look there instead.<br />
*Make the status daemon listen on port 865 and talk on port 866 - note that you'll have to open port 866 on the NFS clients<br />
if ! ps axc | grep -q rpc.statd ; then<br />
echo "Starting RPC NSM (Network Status Monitor): /sbin/rpc.statd -p 865 -o 866"<br />
/sbin/rpc.statd -p 865 -o 866<br />
fi<br />
Finally, make the lock daemon listen on port 4045 only - note that this requires <br />
setting module loading parameters in /etc/modules.conf (for 2.4 kernels) <br />
or /etc/modprobe.conf (for 2.6 kernels) or /etc/modprobe.d/options (for <br />
newer 2.6 kernels with module-init-tools >=3.2.2; create this file if it doesn't <br />
already exist) - it won't hurt to set it in all of them.<br />
You'll need to add this line to the files referenced above.<br />
options lockd nlm_udpport=4045 nlm_tcpport=4045<br />
<br />
Good luck - talk to me on IRC if you have trouble.<br />
<br />
[[Category:Tutorials]]</div>Erik