[CentOS] NFS client firewall config?

Thu Feb 18 11:11:20 UTC 2010
Tony Molloy <tony.molloy at ul.ie>

On Thursday 18 February 2010 11:00:53 Rudi Ahlers wrote:
> Hi all,
> 
> Which ports do I need to have open on an NFS client's firewall to allow it
> to connect to a remote NFS server?
> 
> When I disable iptables (using ConfigServerFirewall), it connects fine, but
> as soon as I enable it, NFS gives me this error:
> root at saturn:[~]$ mount master1.mydomain.co.za:/saturn /bck
> mount: mount to NFS server 'master1.mydomain.co.za' failed: RPC Error:
> Unable to send.
> 
> I have added ports 111 & 2049 in both the TCP & UDP ingress & egress
>  ranges, but that doesn't seem to help. portmap & nfs are running as well.
>  But as I say, as soon as I disable the firewall, it mounts fine.
> 
> Google search results reveal a lot of different ports, like 4000:4004,
> 83xxxx (something, I forgot) but it still doesn't help.
> 
> 
> root at saturn:[~]$ rpcinfo -p
>    program vers proto   port
>     100000    2   tcp    111  portmapper
>     100000    2   udp    111  portmapper
>     100021    1   udp  48996  nlockmgr
>     100021    3   udp  48996  nlockmgr
>     100021    4   udp  48996  nlockmgr
>     100021    1   tcp  47195  nlockmgr
>     100021    3   tcp  47195  nlockmgr
>     100021    4   tcp  47195  nlockmgr
>     100011    1   udp   4004  rquotad
>     100011    2   udp   4004  rquotad
>     100011    1   tcp   4004  rquotad
>     100011    2   tcp   4004  rquotad
>     100003    2   udp   2049  nfs
>     100003    3   udp   2049  nfs
>     100003    4   udp   2049  nfs
>     100003    2   tcp   2049  nfs
>     100003    3   tcp   2049  nfs
>     100003    4   tcp   2049  nfs
>     100005    1   udp   4003  mountd
>     100005    1   tcp   4003  mountd
>     100005    2   udp   4003  mountd
>     100005    2   tcp   4003  mountd
>     100005    3   udp   4003  mountd
>     100005    3   tcp   4003  mountd
> 

Hi,

NFS by default uses random high numbered ports. See "48996  nlockmgr" above. 
You need to tie them down to allow them through your firewall.

Create the following file /etc/sysconfig/nfs

#/etc/sysconfig/nfs
# Created 05.07.05 by Tony Molloy

# Number of NFS threads to run
RPCNFSDCOUNT=48

# ports for statd daemon
STATD_PORT=4000
STATD_OUTGOING_PORT=4004

# ports for lockd daemon
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001

# ports for mountd daemon
#MOUNTD_NFS_V2=no
#MOUNTD_NFS_V3=no
MOUNTD_PORT=4002

# ports for rquota daemon
#RQUOTAD=no
RQUOTAD_PORT=4003


Then open ports 4000:4004 in your firewall as well as port 111 for the portmapper 
and port 2049 for NFS.

Hope this helps,

Tony

 
-- 

Chief Technical Officer.                   Tel: +353 061-202778
Dept. of Comp. Sci.
University of Limerick.
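The following is an added example (not code from the thread above): after pinning the auxiliary daemons in /etc/sysconfig/nfs and restarting, a check that every service registered with the portmapper actually listens on a port the firewall allows, and a helper that builds matching iptables ACCEPT rules. The sample input is the `rpcinfo -p` listing quoted in the question, embedded as a constructed string; the allowed set is the one the reply names (111, 2049, 4000:4004); the function names and the use of the iptables `multiport` match are my own choices.

```python
"""Verify that RPC services registered with portmapper sit on firewall-allowed ports.

Added example for the NFS firewall thread; not part of the original mails.
"""
import re
import subprocess

# Constructed sample: the `rpcinfo -p` output quoted in the question, taken
# before any ports were pinned (lockd is still on random high ports).
SAMPLE_RPCINFO_BEFORE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  48996  nlockmgr
    100021    3   udp  48996  nlockmgr
    100021    4   udp  48996  nlockmgr
    100021    1   tcp  47195  nlockmgr
    100021    3   tcp  47195  nlockmgr
    100021    4   tcp  47195  nlockmgr
    100011    1   udp   4004  rquotad
    100011    1   tcp   4004  rquotad
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp   4003  mountd
    100005    3   tcp   4003  mountd
"""

# Constructed sample of what the listing looks like once /etc/sysconfig/nfs
# has pinned lockd to 4001 (assumed output, not captured from a real host).
SAMPLE_RPCINFO_AFTER = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100021    4   udp   4001  nlockmgr
    100021    4   tcp   4001  nlockmgr
    100003    3   tcp   2049  nfs
    100005    3   tcp   4002  mountd
"""

# Ports the reply says to open: portmapper, nfs, and the pinned 4000-4004 range.
ALLOWED_PORTS = {111, 2049} | set(range(4000, 4005))

# One data row of `rpcinfo -p`: program number, version, proto, port, name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Yield (name, version, proto, port) for each data row; skips the header."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        _prog, vers, proto, port, name = m.groups()
        yield name, int(vers), proto, int(port)


def unpinned_services(text, allowed=ALLOWED_PORTS):
    """Return distinct (name, proto, port) entries listening outside `allowed`.

    Versions are collapsed: nlockmgr v1/v3/v4 on the same port count once.
    """
    offenders = []
    for name, _vers, proto, port in parse_rpcinfo(text):
        entry = (name, proto, port)
        if port not in allowed and entry not in offenders:
            offenders.append(entry)
    return offenders


def iptables_rules(allowed=ALLOWED_PORTS, chain="INPUT"):
    """Build one ACCEPT rule per protocol using iptables' multiport match.

    Consecutive ports are collapsed into a:b ranges so the allowed set
    renders as 111,2049,4000:4004.
    """
    ports = sorted(allowed)
    spec, start, prev = [], ports[0], ports[0]
    for p in ports[1:] + [None]:
        if p is not None and p == prev + 1:
            prev = p
            continue
        spec.append(str(start) if start == prev else f"{start}:{prev}")
        if p is not None:
            start = prev = p
    dports = ",".join(spec)
    return [f"iptables -A {chain} -p {proto} -m multiport --dports {dports} -j ACCEPT"
            for proto in ("tcp", "udp")]


if __name__ == "__main__":
    # On a real host, read the live registry instead of the embedded sample.
    try:
        live = subprocess.run(["rpcinfo", "-p"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        live = SAMPLE_RPCINFO_BEFORE
    for name, proto, port in unpinned_services(live):
        print(f"NOT pinned: {name} {proto}/{port} (add it to /etc/sysconfig/nfs)")
    for rule in iptables_rules():
        print(rule)
```

Run it on the client and on the server after restarting portmap and nfs; any line it reports is a daemon that still picked a random port, so a firewall opening only 111, 2049 and 4000:4004 will drop its traffic and you get the "RPC Error: Unable to send" seen in the question.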