NFS4 and Firewalls


In a pure NFSv4 environment, only port 2049 needs to be allowed through your firewall. Some clients, however, such as OS X, use NFS3 and require extra...


Install the NFS server.

Install the package
sudo apt-get install nfs-kernel-server

Configure your exports

Configure Static Ports


(This is all that's needed in a read-only environment)

vim /etc/default/nfs-kernel-server

vim /etc/modprobe.d/local.conf
options lockd nlm_udpport=32768 nlm_tcpport=32768
options nfs callback_tcpport=32764

You also need to make sure lockd loads at boot. If you wait for the rpcmapper service to load it, you won't get the port you specified (or so it seems). Add the lockd module to the end of the existing file.
sudo vim /etc/modules


vim /etc/default/nfs-common
STATDOPTS="--port 32765 --outgoing-port 32766"

quotad (This is an optional service and may not be present)
vim /etc/default/quota
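
An added example (not part of the original page): a shell function that reads `rpcinfo -p` output and flags services that did not register on the static ports configured above, which catches the case where lockd loaded late and took a random port. The function names are hypothetical and the sample output is constructed.

```shell
#!/usr/bin/env bash
# Added example: confirm RPC services registered on the static ports set above.
# Live use: rpcinfo -p | check_static_ports nfs=2049 nlockmgr=32768 status=32765

check_static_ports() {
    # Args are service=port pairs; `rpcinfo -p` output is read from stdin.
    # Prints one line per problem and returns 1 if any were found.
    awk -v pairs="$*" '
        BEGIN {
            bad = 0
            n = split(pairs, items, " ")
            for (i = 1; i <= n; i++) { split(items[i], kv, "="); want[kv[1]] = kv[2] }
        }
        NF >= 5 && ($5 in want) {
            seen[$5] = 1
            key = $5 "/" $3 "/" $4
            # rpcinfo lists each program version separately; report a port once.
            if ($4 != want[$5] && !(key in reported)) {
                reported[key] = 1
                printf "DRIFT %s/%s on port %s, expected %s\n", $5, $3, $4, want[$5]
                bad = 1
            }
        }
        END {
            for (s in want) if (!(s in seen)) { print "MISSING " s " not registered"; bad = 1 }
            exit bad
        }
    '
}

# Constructed sample: lockd was loaded late and took random ports.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100003    4   tcp   2049  nfs
    100021    1   udp  40412  nlockmgr
    100021    3   udp  40412  nlockmgr
    100021    1   tcp  38745  nlockmgr
    100021    4   tcp  38745  nlockmgr
EOF
}

sample_rpcinfo | check_static_ports nfs=2049 nlockmgr=32768 status=32765 || true
```

Run it after a reboot, before relying on the firewall rules: a DRIFT line means the firewall will block that service even though the configuration files look correct.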

Step 3 - Configure The Firewall

While your exports are configured to specific IP addresses, you probably don't want random people connecting to your NFS service attempting to find out. Hence, a firewall. Plus you're probably using it anyway.

sudo vim /etc/ufw/applications.d/nfs-static


sudo ufw allow from <client-ip> to any app nfs-static

Step 2 - Install and Configure the NFS client

Install the package

sudo apt-get install nfs-common

Mount the exported file system

sudo mount -t nfs home:/someFolder /mnt/someFolder

And add it to your fstab so it sticks after a reboot

home:/someFolder /mnt/someFolder nfs auto 0 0

This would be all you needed -if- you didn't want to run a firewall. I skipped the tcp wrappers config, as we'll be securing with UFW.

OS X Client Side optimization

When you mount an NFS share using the Mac Finder, you'll be able to browse folders well, but doing file operations will hang the browser. You'll see this in your NFS server's logs:

lockd: cannot monitor

Tell Finder not to use locks by editing this file with the following content:

sudo vim /etc/nfs.conf

nfs.client.mount.options = nolock

You'll see other comments suggesting you should edit the autofs.conf file and add 'nolocks,locallocks' to the automount options. This may or may not have an effect.

sudo vim /etc/autofs.conf

You can also mount in Finder with a version 4 flag. That may help.


Edit the export file and add insecure to the export
vim /etc/exports


