In the end it was not that complicated, following the hints in Securing NFS. I modified the files /etc/default/nfs-common and /etc/default/nfs-kernel-server accordingly:
nfs-common:
...
# Options for rpc.statd.
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# variable to a statd argument like: "--port 4000 --outgoing-port 4001".
# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS="--port 32765 --outgoing-port 32766"
...
nfs-kernel-server:
...
# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --port 32767"
...
Why those ports? As 32767 is the highest 15-bit number, it is very unlikely that these ports are already in use by something else. I am not using quotas, so I did not modify /etc/default/quota as suggested. And I had to reboot after I made these changes. Then I saw the result with
$ sudo netstat -nalp | grep rpc
tcp 0 0 0.0.0.0:32767 0.0.0.0:* LISTEN 1018/rpc.mountd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 735/rpcbind
tcp 0 0 0.0.0.0:32765 0.0.0.0:* LISTEN 806/rpc.statd
tcp6 0 0 :::32767 :::* LISTEN 1018/rpc.mountd
tcp6 0 0 :::111 :::* LISTEN 735/rpcbind
tcp6 0 0 :::32765 :::* LISTEN 806/rpc.statd
udp 0 0 0.0.0.0:875 0.0.0.0:* 735/rpcbind
udp 0 0 127.0.0.1:982 0.0.0.0:* 806/rpc.statd
udp 0 0 0.0.0.0:32765 0.0.0.0:* 806/rpc.statd
udp 0 0 0.0.0.0:32767 0.0.0.0:* 1018/rpc.mountd
udp 0 0 0.0.0.0:111 0.0.0.0:* 735/rpcbind
udp6 0 0 :::875 :::* 735/rpcbind
udp6 0 0 :::32765 :::* 806/rpc.statd
udp6 0 0 :::32767 :::* 1018/rpc.mountd
udp6 0 0 :::111 :::* 735/rpcbind
unix 2 [ ACC ] STREAM LISTENING 11412 735/rpcbind /run/rpcbind.sock
unix 2 [ ] DGRAM 9521 806/rpc.statd
unix 2 [ ] DGRAM 9614 1018/rpc.mountd
unix 3 [ ] STREAM CONNECTED 11721 862/rpc.idmapd
unix 3 [ ] STREAM CONNECTED 11722 862/rpc.idmapd
As you can see, the ports rpc.mountd and rpc.statd are listening on are now static.
When entering showmount on the client (here 192.168.192.20), Wireshark shows the communication (server is 192.168.192.111). Important here: the GETPORT Call and the GETPORT reply, which returns Port:32767. The communication then uses this port.
Now you should be able to modify the firewall rules accordingly, and then use showmount and autofs through the firewall.
Just for the record
Following the hints in the comments and my own experience, I found different behaviour in different distributions:
- In current raspbian jessie (based on debian), there is a service nfs-common (file /etc/init.d/nfs-common), which when enabled starts e.g. rpc.statd at boot, respecting the port settings in /etc/default/nfs-common.
- In current Ubuntu 16.04 there is no such service. rpc.statd is not started at boot, as it is not needed with NFS V4. But as soon as mount .... -o nfsvers=3 is done, rpc.statd is started, respecting the port settings in /etc/default/nfs-common.
I did not find consistent documentation on that; in How to configure NFS the file /etc/init.d/nfs-common is explicitly mentioned, although it is not in the package. If anyone has hints/links on that, it would be richly deserved.
One more remark: man rpc.mountd and man rpc.statd say (for option --port):
"If this option is not specified, rpc.statd will try to consult /etc/services, if gets port succeed, set the same port for all listener socket, otherwise chooses a random ephemeral port for each listener socket."
Even when setting the ports in /etc/services (as suggested in the above-mentioned wiki), this did not work. So modifying the files in /etc/default seems mandatory - the man pages are not correct at that point.
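As an added example (not the asker's code and not part of the original post), a small POSIX shell check that parses netstat -nalp style output like the listing above and confirms that rpc.statd and rpc.mountd are bound only to the ports configured in the /etc/default files; the netstat lines, including a failing variant where statd fell back to an ephemeral port, are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: verify that rpc.statd and
# rpc.mountd listen only on the fixed ports set in /etc/default/nfs-common
# and /etc/default/nfs-kernel-server, by parsing "netstat -nalp"-style output.

# Constructed sample lines in the shape of the netstat output in the post.
# The 127.0.0.1 socket is statd's loopback socket; it needs no firewall rule.
SAMPLE_OK='tcp 0 0 0.0.0.0:32767 0.0.0.0:* LISTEN 1018/rpc.mountd
udp 0 0 127.0.0.1:982 0.0.0.0:* 806/rpc.statd
udp 0 0 0.0.0.0:32765 0.0.0.0:* 806/rpc.statd
tcp6 0 0 :::32765 :::* LISTEN 806/rpc.statd
udp6 0 0 :::32767 :::* 1018/rpc.mountd'

# Constructed sample: statd ignored STATDOPTS and took an ephemeral port.
SAMPLE_BAD='tcp 0 0 0.0.0.0:32767 0.0.0.0:* LISTEN 1018/rpc.mountd
tcp 0 0 0.0.0.0:45872 0.0.0.0:* LISTEN 806/rpc.statd'

# The two option lines from the post's /etc/default files.
STATD_LINE='STATDOPTS="--port 32765 --outgoing-port 32766"'
MOUNTD_LINE='RPCMOUNTDOPTS="--manage-gids --port 32767"'

# port_from_opts '<VAR="... --port N ...">' prints N ("--outgoing-port" is
# not matched because it lacks the second dash directly before "port").
port_from_opts() {
  printf '%s\n' "$1" | sed -n 's/.*--port \([0-9][0-9]*\).*/\1/p'
}

# check_daemon_ports "<netstat output>" <daemon> <allowed port>...
# Prints each non-loopback tcp/udp socket of <daemon> on a port not in the
# allowed list; returns 1 if any were found, 0 otherwise.
check_daemon_ports() {
  out=$1; daemon=$2; shift 2
  printf '%s\n' "$out" | awk -v d="$daemon" -v ok=" $* " '
    $1 ~ /^(tcp|udp)6?$/ && $NF ~ ("/" d "$") && $4 !~ /^127\./ {
      port = $4; sub(/.*:/, "", port)          # drop "0.0.0.0:" or ":::"
      if (index(ok, " " port " ") == 0) { print d " on unexpected port " port; bad = 1 }
    }
    END { if (bad) exit 1; exit 0 }'
}

# Run the check against the constructed sample, using the configured ports.
main() {
  check_daemon_ports "$SAMPLE_OK" rpc.statd "$(port_from_opts "$STATD_LINE")" &&
  check_daemon_ports "$SAMPLE_OK" rpc.mountd "$(port_from_opts "$MOUNTD_LINE")" &&
  echo "all NFS helper daemons are on their configured ports"
}
main
```

On a real host, feed it the output of `sudo netstat -nalp` (or an equivalent `ss -nalp` listing with the same column order) instead of the constructed sample.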
Best Answer
I did some more research into this. Ubuntu is using the UFW, which is extremely easy to configure, yet very potent, at least for SOHO needs. So, rpc.mountd listens on multiple ports by default, thus you have to bind rpc.mountd to one port; then you can add an additional UFW rule to accept incoming connections on that particular port.
To do so, open /etc/default/nfs-kernel-server and comment out the line
and add the following line
13025 is just a randomly selected port, something that is available and isn't already defined in /etc/services.
Restart NFSd with
sudo /etc/init.d/nfs-kernel-server restart
Now configure the UFW to accept incoming connections on port 13025, 2049 and port 111.
That's it. You should now be able to mount your exports from another machine. :-)