NFS4 and Firewalls

Overview

In a pure NFSv4 environment, only port 2049 is required to be allowed through your firewall. Some clients however, such as OS X, use NFS3 and require extra...

Procedure

Install the NFS server.

Install the package
sudo apt-get install nfs-kernel-server


Configure your exports

Configure Static Ports

mountd

(This is all that's needed in a read-only environment)

vim /etc/default/nfs-kernel-server
RPCMOUNTDOPTS="-p 2048"

lockd
vim /etc/modprobe.d/local.conf
options lockd nlm_udpport=32768 nlm_tcpport=32768
options nfs callback_tcpport=32764

You also need to make sure lockd loads at boot. If you wait for the rpcmapper service to load it, you won't get the port you specified (or so it seems). Add the lockd module to the end of the existing file.
sudo vim /etc/modules
...
...
lockd

nfsd

statd
vim /etc/default/nfs-common
STATDOPTS="--port 32765 --outgoing-port 32766"

quotad (This is an optional service and may not be present)
vim /etc/default/quota
RPCRQUOTADOPTS="-p 32769"
Step 3 - Configure The Firewall

While your exports are configured to specific IP addresses, you probably don't want random people connecting to your NFS service attempting to find out what you export. Hence, a firewall. Plus you're probably using it anyway.

sudo vim /etc/ufw/applications.d/nfs-static

[nfs-static]
title=nfs-static
description=nfs-static
ports=111,2048,2049,32764:32769/udp|111,2048,2049,32764:32769/tcp

sudo ufw allow from 192.168.1.0/24 to any app nfs-static
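To confirm that every RPC service really landed on a port the nfs-static profile admits, here is an added check (my own example, not part of the original notes): it parses the output of rpcinfo -p and compares each registered port against the profile's port list. The rpcinfo sample is constructed, with statd deliberately left unpinned to show what a stray port looks like.

```shell
#!/bin/sh
# Port spec copied from the nfs-static ufw profile above; tcp and udp use
# the same list there, so one spec serves both protocols.
UFW_PORTS="111,2048,2049,32764:32769"

# port_allowed PORT SPEC: succeed if PORT falls inside SPEC, a comma-separated
# list of single ports and low:high ranges (ufw profile syntax).
port_allowed() {
    port=$1
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        case $item in
            *:*) lo=${item%%:*}; hi=${item#*:} ;;
            *)   lo=$item; hi=$item ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# check_rpc_ports RPCINFO_TEXT SPEC: parse `rpcinfo -p` output (columns:
# program vers proto port service) and list every registered service whose
# port the profile would not admit. Returns 1 if any such service exists.
check_rpc_ports() {
    bad=0
    while read -r proto port service; do
        [ -n "$port" ] || continue
        if ! port_allowed "$port" "$2"; then
            echo "BLOCKED: $service on $proto/$port is outside '$2'"
            bad=$((bad + 1))
        fi
    done <<EOF
$(printf '%s\n' "$1" | awk 'NR > 1 && NF == 5 { print $3, $4, $5 }')
EOF
    [ "$bad" -eq 0 ]
}

# Constructed sample (hypothetical host): statd was started without the
# STATDOPTS line, so it registered on a random high port.
SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    1   udp   2048  mountd
    100005    1   tcp   2048  mountd
    100003    4   tcp   2049  nfs
    100021    4   tcp  32768  nlockmgr
    100024    1   udp  45321  status
    100024    1   tcp  45321  status'
check_rpc_ports "$SAMPLE" "$UFW_PORTS" || echo "fix STATDOPTS and restart nfs-common"
```

On a real server replace the sample with "$(rpcinfo -p)"; a clean run prints nothing and exits 0.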
Step 2 - Install and Configure the NFS client

Install the package

sudo apt-get install nfs-common


Mount the exported file system

sudo mount -t nfs home:/someFolder /mnt/someFolder


And add it to your fstab so it sticks after a reboot

home:/someFolder /mnt/someFolder nfs auto 0 0


This would be all you needed -if- you didn't want to run a firewall. I skipped the tcp wrappers config, as we'll be securing with UFW.


OS X Client Side optimization

When you mount an NFS share using the Mac Finder, you'll be able to browse folders fine, but file operations will hang the Finder. You'll see this in your NFS server's logs:

lockd: cannot monitor mac.gattis.org

Tell Finder not to use locks by editing this file with the following content:

sudo vim /etc/nfs.conf

nfs.client.mount.options = nolock


You'll see other comments suggesting you should edit the autofs.conf file and add 'nolocks,locallocks' to the automount options. This may or may not have an effect.

sudo vim /etc/autofs.conf
AUTOMOUNTD_MNTOPTS=nosuid,nodev,nolocks,locallocks

You can also mount in finder with a version 4 flag. That may help.

nfs://vers=4,192.168.1.5/srv/nfs4

Edit the exports file and add the insecure option to the export (it lets the server accept connections from non-privileged source ports, which the OS X client uses):
vim /etc/exports
/srv  192.168.1.0/24(rw,async,fsid=0,insecure,crossmnt,no_subtree_check)
