NFS and Firewall - Revision history https://www.slackwiki.com/index.php?title=NFS_and_Firewall&action=history Revision history for this page on the wiki en MediaWiki 1.40.0 Wed, 08 Apr 2026 12:51:21 GMT Erik: Copy from old https://www.slackwiki.com/index.php?title=NFS_and_Firewall&diff=144&oldid=prev https://www.slackwiki.com/index.php?title=NFS_and_Firewall&diff=144&oldid=prev <p>Copy from old</p> <p><b>New page</b></p><div>The most recent version of this document can always be found at:<br /> http://rlworkman.net/howtos/NFS_Firewall_HOWTO<br /> --rworkman<br /> <br /> <br /> This document is intended to give you detailed steps for making NFS bind to<br /> user-specified ports instead of random ports assigned by the portmapper.<br /> This makes it *much* easier to run a firewall on the NFS server, as you don't<br /> have to kludge something to find the NFS ports at each boot to open them with <br /> iptables.<br /> <br /> First, you'll want (it's not necessary, but handy to have for later) to make<br /> sure all of this is in /etc/services. I made sure &quot;NFS&quot; is in all of what I<br /> added or modified so that I can easily remove them (or just find them) if I <br /> need them later.<br /> <br /> bash-3.00# grep NFS /etc/services <br /> sunrpc 111/tcp rpcbind # SUN Remote Procedure Call<br /> sunrpc 111/udp rpcbind # SUN Remote Procedure Call <br /> mountd 861/udp # NFS mountd<br /> mountd 861/udp # NFS mountd<br /> rquotad 863/udp # NFS rquotad<br /> rquotad 863/tcp # NFS rquotad<br /> status 865/udp # NFS status (listen)<br /> status 865/tcp # NFS status (listen)<br /> status 866/udp # NFS status (send)<br /> status 866/tcp # NFS status (send)<br /> nfsd 2049/tcp # NFS server daemon<br /> nfsd 2049/udp # NFS server daemon<br /> lockd 4045/udp # NFS lock daemon/manager<br /> lockd 4045/tcp # NFS lock daemon/manager<br /> <br /> Next, you'll need to modify your /etc/rc.d/rc.nfsd script accordingly:<br /> For other linux distributions, find the script that starts these<br /> daemons and add the needed flags.<br /> * Make the quota daemon listen on port 863<br /> if [ -x /usr/sbin/rpc.rquotad ]; then<br /> echo &quot; /usr/sbin/rpc.rquotad -p 863&quot;<br /> /usr/sbin/rpc.rquotad -p 863<br /> fi<br /> * Make the mount daemon listen on port 861<br /> if [ -x /usr/sbin/rpc.mountd ]; then<br /> echo &quot; /usr/sbin/rpc.mountd -p 861&quot;<br /> /usr/sbin/rpc.mountd -p 861<br /> fi<br /> Now modify the /etc/rc.d/rc.rpc script (again, for other linux distros,<br /> find the script that starts this daemon and add the needed flags).<br /> On older versions (less than 11.0) of Slackware, rpc.statd is started<br /> in rc.nfsd, so look there instead.<br /> *Make the status daemon listen on port 865 and talk on port 866 - note that you'll have to open port 866 on the NFS clients<br /> if ! ps axc | grep -q rpc.statd ; then<br /> echo &quot;Starting RPC NSM (Network Status Monitor): /sbin/rpc.statd -p 865 -o 866&quot;<br /> /sbin/rpc.statd -p 865 -o 866<br /> fi<br /> Finally, make the lock daemon listen on port 4045 only - note that this requires <br /> setting module loading parameters in /etc/modules.conf (for 2.4 kernels) <br /> or /etc/modprobe.conf (for 2.6 kernels) or /etc/modprobe.d/options (for <br /> newer 2.6 kernels with module-init-tools &gt;=3.2.2; create this file if it doesn't <br /> already exist) - it won't hurt to set it in all of them.<br /> You'll need to add this line to the files referenced above.<br /> options lockd nlm_udpport=4045 nlm_tcpport=4045<br /> <br /> Good luck - talk to me on IRC if you have trouble.<br /> <br /> [[Category:Tutorials]]</div> Thu, 04 Jun 2009 05:26:18 GMT Erik https://www.slackwiki.com/Talk:NFS_and_Firewall