NFS Blocked by UFW Despite Open Ports – Troubleshooting

11.04nfsufw

I've set up an nfsv4 server and it's working fine, however the firewall is blocking nfs even if port 2049 and 111 are open.

I know nfs uses some random ports that change at every boot, but how can i make them static so i can use nfs without disabling my firewall again?

Best Answer

I did some more research into this. Ubuntu is using the UFW, which is extremely easy to configure, yet very potent, at least for soho needs. So, the rpc.mountd listens on multiple ports by default thus you have to bind rpc.mountd to one port, then you can add an additional UFW rule to accept incoming connection on that particular port.

To do so, open /etc/default/nfs-kernel-server and comment out the line

RPCMOUNTDOPTS=--manage-gids

and add the following line

RPCMOUNTDOPTS="-p 13025"

13025 is just a randomly selected port, something that is available and isn't already defined in /etc/services.

Restart NFSd with sudo /etc/init.d/nfs-kernel-server restart

Now configure the UFW to accept incoming connections on port 13025, 2049 and port 111.

ufw allow from 192.168.1.0/24 to any port 111
ufw allow from 192.168.1.0/24 to any port 2049
ufw allow from 192.168.1.0/24 to any port 13025

That's it. You should now be able to mount your exports form another machine. :-)

Related Solutions

Ubuntu – Firewall problem using autofs with NFS-exported mounts

In the end itwas not that complicated, following the hints in Securing NFS. I modified the files /etc/default/nfs-common and /etc/default/nfs-kernel-server according:

nfs-common:

.
.
# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS="--port 32765 --outgoing-port 32766"
.
.

nfs-kernel-server:

.
.
# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --port 32767"
.
.

Why those ports? As 32767 is the highest 15bit-number, it is very unlikely that these ports are already in use by something else.

I am not using quotas, so I did not modify /etc/default/quota as suggested. And I had to reboot after I made these changes. Then I saw the result with

$ sudo netstat -nalp | grep rpc

tcp        0      0 0.0.0.0:32767           0.0.0.0:*               LISTEN      1018/rpc.mountd 
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      735/rpcbind     
tcp        0      0 0.0.0.0:32765           0.0.0.0:*               LISTEN      806/rpc.statd   
tcp6       0      0 :::32767                :::*                    LISTEN      1018/rpc.mountd 
tcp6       0      0 :::111                  :::*                    LISTEN      735/rpcbind     
tcp6       0      0 :::32765                :::*                    LISTEN      806/rpc.statd   
udp        0      0 0.0.0.0:875             0.0.0.0:*                           735/rpcbind     
udp        0      0 127.0.0.1:982           0.0.0.0:*                           806/rpc.statd   
udp        0      0 0.0.0.0:32765           0.0.0.0:*                           806/rpc.statd   
udp        0      0 0.0.0.0:32767           0.0.0.0:*                           1018/rpc.mountd 
udp        0      0 0.0.0.0:111             0.0.0.0:*                           735/rpcbind     
udp6       0      0 :::875                  :::*                                735/rpcbind     
udp6       0      0 :::32765                :::*                                806/rpc.statd   
udp6       0      0 :::32767                :::*                                1018/rpc.mountd 
udp6       0      0 :::111                  :::*                                735/rpcbind     
unix  2      [ ACC ]     STREAM     LISTENING     11412    735/rpcbind         /run/rpcbind.sock
unix  2      [ ]         DGRAM                    9521     806/rpc.statd       
unix  2      [ ]         DGRAM                    9614     1018/rpc.mountd     
unix  3      [ ]         STREAM     CONNECTED     11721    862/rpc.idmapd      
unix  3      [ ]         STREAM     CONNECTED     11722    862/rpc.idmapd

As you can see, the ports rpc.mountd and rpc.statd are listening to are now static.

When entering showmounton the client(here 192.168.192.20), Wireshark shows the communication (server is 192.168.192.111). Important here: The GETPORT Call and the GETPORT reply, which returns Port:32767. The communication then uses this port.

Now you should be able to modify the firewall rules according, and then use showmountand autofs through firewall.

Just for the record

Following the hints in the comments and my own experience, I found different behaviour in different distributions:

In current raspbian jessie (based on debian), there is a service nfs-common (file /etc/init.d/nfs-common), which when enabled starts e.g. rpc.statd at boot, respecting the port settings in /etc/default/nfs-common.
In current Ubuntu 16.04 there is no such service. rpc.statdis not started at boot, as it is not needed with NFS V4. But as soon as mount .... -o nfsvers=3 is done, rpc.statd is started, respecting the port settings in /etc/default/nfs-common.

I did not find a consistent documentation on that; in How to configure NFS the file /etc/init.d/nfs-common is explicitly mentioned, although it is not in the package. If anyone has hints/links on that it would be richly deserved.

One more remark: man rpc.mountd and man rpc.statd say (for option --port):

"If this option is not specified, rpc.statd will try to consult /etc/services, if gets port succeed, set the same port for all listener socket, otherwise chooses a random ephemeral port for each listener socket."

Even when setting the ports in /etc/services (as suggested in the above mentioned wiki), this did not work. So modifying the files in /etc/default seems mandatory - the man pages are not correct at that point.

Best Answer

Related Solutions

Ubuntu – Firewall problem using autofs with NFS-exported mounts

Related Question