NFS4 and Firewalls

Work and Technology‎ > ‎Operating Systems and Applications‎ > ‎Unix‎ > ‎NFS4‎ > ‎

Overview

In a pure NFSv4 environment, only port 2049 is required to be allowed though your firewall. Some clients however, such as OS X, use NFS3 and require extra...

Procedure

Install the NFS server.

Install the package

sudo apt-get install nfs-kernel-server

Configure your exports

Configure Static Ports

mountd

(This is all that's needed in a read-only environment)

vim /etc/default/nfs-kernel-server
RPCMOUNTDOPTS="-p 2048"

lockd

vim /etc/modprobe.d/local.conf
options lockd nlm_udpport=32768 nlm_tcpport=32768
options nfs callback_tcpport=32764

You also need to make sure lockd loads at boot. If you wait for the rpcmapper service to load it, you won't get the port you specified (or so it seems). Add the lockd module to the end of the existing file.

sudo vim /etc/modules
...
...
lockd

nfsd

statd

vim /etc/default/nfs-common
STATDOPTS="--port 32765 --outgoing-port 32766"

quotad (This is an optional service and may not be present)

vim /etc/default/quota
RPCRQUOTADOPTS="-p 32769"

Step 3 - Configure The Firewall

While your exports are configured to specific IP addresses, you probably don't want random people connecting to your NFS service attempting to find out. Hense, a firewall. Plus you're probably using it anyway.

sudo vim /etc/ufw/applications.d/nfs-static

[nfs-static]
title=nfs-static
description=nfs-static
ports=111,2048,2049,32764:32769/udp|111,2048,2049,32764:32769/tcp

sudo ufw allow from 192.168.1.0/24 to any app nfs-static

Step 2 - Install and Configure the NFS client

Install the package

sudo apt-get install nfs-common

Mount the exported file system

sudo mount -t nfs home:/someFolder /mnt/someFolder

And add it to your fstab so it sticks after a reboot

home:/someFolder /mnt/someFolder nfs auto 0 0

This would be all you needed -if- you didn't want to run a firewall. I skipped the tcp wrappers config, as we'll be securing with UFW.

OS X Client Side optimization

When you mount a NFS share using the Max Finder, you'll be able to browse folder well, but doing file operations will hand the browser. You'll see this in your NFS server's logs

lockd: cannot monitor mac.gattis.org

Tell finder not to use locks by editing this file with the following content

sudo vim /etc/nfs.conf
nfs.client.mount.options = nolock

You'll see other comments suggesting you should edit the autofs.conf file and add 'nolocks,locallocks to the automount options. This may or may not have an effect.

sudo vim /etc/autofs.conf
AUTOMOUNTD_MNTOPTS=nosuid,nodev,nolocks,locallocks

You can also mount in finder with a version 4 flag. That may help.

nfs://vers=4,192.168.1.5/srv/nfs4

Edit the export file and add insecure to the export

vim /etc/exports
/srv 192.168.1.0/24(rw,async,fsid=0,insecure,crossmnt,no_subtree_check)

Sources

https://wiki.archlinux.org/index.php/NFS

client - https://help.ubuntu.com/community/SettingUpNFSHowTo

http://www.novell.com/support/kb/doc.php?id=7000524

http://www.whileifblog.com/2012/07/18/ubuntu-server-configure-ufw-to-nfs-in-alternative-port/

http://processors.wiki.ti.com/index.php/NFS_Setup

https://help.ubuntu.com/community/SettingUpNFSHowTo

https://wiki.debian.org/SecuringNFS

Comments

gattis.org

Navigation

Recent site activity