NFS: Difference between revisions

From Lolly's Wiki
Jump to navigationJump to search
No edit summary
m (Text replacement - "<source" to "<syntaxhighlight")
Line 8: Line 8:


* /etc/default/nfs-kernel-server
* /etc/default/nfs-kernel-server
<source lang=ini>
<syntaxhighlight lang=ini>
RPCMOUNTDOPTS="--manage-gids --port 33333"
RPCMOUNTDOPTS="--manage-gids --port 33333"
</source>
</source>
Line 15: Line 15:
You just need it if you still need protocols below NFSv4.
You just need it if you still need protocols below NFSv4.
* /etc/default/nfs-common
* /etc/default/nfs-common
<source lang=ini>
<syntaxhighlight lang=ini>
STATDOPTS="--port 33334 --outgoing-port 33335"
STATDOPTS="--port 33334 --outgoing-port 33335"
</source>
</source>
Line 21: Line 21:
===Bind lockd to specific port===
===Bind lockd to specific port===
* /etc/sysctl.d/nfs-static-ports.conf
* /etc/sysctl.d/nfs-static-ports.conf
<source lang=ini>
<syntaxhighlight lang=ini>
fs.nfs.nlm_tcpport = 33336
fs.nfs.nlm_tcpport = 33336
fs.nfs.nlm_udpport = 33336
fs.nfs.nlm_udpport = 33336
</source>
</source>
Activate it without rebooting through:
Activate it without rebooting through:
<source lang=bash>
<syntaxhighlight lang=bash>
# sysctl --load /etc/sysctl.d/nfs-static-ports.conf
# sysctl --load /etc/sysctl.d/nfs-static-ports.conf
fs.nfs.nlm_tcpport = 33336
fs.nfs.nlm_tcpport = 33336
Line 34: Line 34:
Caution! The port you set above for the mountd has to be the same here! I used 33333, if you changed it above for some reason: Change it here, too!
Caution! The port you set above for the mountd has to be the same here! I used 33333, if you changed it above for some reason: Change it here, too!
* /etc/ufw/applications.d/nfs
* /etc/ufw/applications.d/nfs
<source lang=ini>
<syntaxhighlight lang=ini>
[NFS-Server]
[NFS-Server]
title=NFS-Server
title=NFS-Server
Line 40: Line 40:
ports=111/tcp|111/udp|2049/tcp|33333:33336/tcp
ports=111/tcp|111/udp|2049/tcp|33333:33336/tcp
</source>
</source>
<source lang=bash>
<syntaxhighlight lang=bash>
# ufw allow from 172.16.16.16/28 to any app "NFS-Server"
# ufw allow from 172.16.16.16/28 to any app "NFS-Server"
</source>
</source>
Line 50: Line 50:
* /etc/idmapd.conf
* /etc/idmapd.conf
You should better set a Domain. Set the same Domain on server an client(s)!
You should better set a Domain. Set the same Domain on server an client(s)!
<source lang=ini>
<syntaxhighlight lang=ini>
[General]
[General]
...
...
Line 63: Line 63:
===Disable at least NFSv2===
===Disable at least NFSv2===
* /etc/default/nfs-kernel-server
* /etc/default/nfs-kernel-server
<source lang=ini>
<syntaxhighlight lang=ini>
STATDOPTS="--port 33334 --outgoing-port 33335 --no-nfs-version 2"
STATDOPTS="--port 33334 --outgoing-port 33335 --no-nfs-version 2"
RPCNFSDOPTS="--no-nfs-version 2"
RPCNFSDOPTS="--no-nfs-version 2"
Line 70: Line 70:
===Disable all but NFSv4 and higher===
===Disable all but NFSv4 and higher===
* /etc/default/nfs-kernel-server
* /etc/default/nfs-kernel-server
<source lang=ini>
<syntaxhighlight lang=ini>
RPCMOUNTDOPTS="--manage-gids --port 33333 --no-nfs-version 2 --no-nfs-version 3"
RPCMOUNTDOPTS="--manage-gids --port 33333 --no-nfs-version 2 --no-nfs-version 3"
NEED_STATD="no"
NEED_STATD="no"
Line 79: Line 79:
===Configure ufw===
===Configure ufw===
For plain NFSv4 and up you just need this:
For plain NFSv4 and up you just need this:
<source lang=bash>
<syntaxhighlight lang=bash>
# ufw allow from 172.16.16.16/28 to any port 2049/tcp
# ufw allow from 172.16.16.16/28 to any port 2049/tcp
</source>
</source>
Line 86: Line 86:
===List clients that are connected===
===List clients that are connected===


<source lang=bash>
<syntaxhighlight lang=bash>
# cat /proc/fs/nfsd/clients/*/info  
# cat /proc/fs/nfsd/clients/*/info  
clientid: 0x7829c17160bf7066
clientid: 0x7829c17160bf7066

Revision as of 23:52, 25 November 2021

Some things to know about NFS...

NFSv3

Server

Bind rpc.mountd to specific port

The port of the rpc.mountd is usually random this is a nightmare for firewallers so picking a known port is much better.

  • /etc/default/nfs-kernel-server

<syntaxhighlight lang=ini> RPCMOUNTDOPTS="--manage-gids --port 33333" </source>

Bind statd to specific port

You just need it if you still need protocols below NFSv4.

  • /etc/default/nfs-common

<syntaxhighlight lang=ini> STATDOPTS="--port 33334 --outgoing-port 33335" </source>

Bind lockd to specific port

  • /etc/sysctl.d/nfs-static-ports.conf

<syntaxhighlight lang=ini> fs.nfs.nlm_tcpport = 33336 fs.nfs.nlm_udpport = 33336 </source> Activate it without rebooting through: <syntaxhighlight lang=bash>

  1. sysctl --load /etc/sysctl.d/nfs-static-ports.conf

fs.nfs.nlm_tcpport = 33336 fs.nfs.nlm_udpport = 33336 </source>

Configure ufw

Caution! The port you set above for the mountd has to be the same here! I used 33333, if you changed it above for some reason: Change it here, too!

  • /etc/ufw/applications.d/nfs

<syntaxhighlight lang=ini> [NFS-Server] title=NFS-Server description=NFS Server ports=111/tcp|111/udp|2049/tcp|33333:33336/tcp </source> <syntaxhighlight lang=bash>

  1. ufw allow from 172.16.16.16/28 to any app "NFS-Server"

</source>


NFSv4.1

Server

Configure rpc.idmapd

  • /etc/idmapd.conf

You should better set a Domain. Set the same Domain on server an client(s)! <syntaxhighlight lang=ini> [General] ...

  1. set your own domain here, if it differs from FQDN minus hostname.
  2. you can use a fantasy name, but whatever it is, keep this identical on server and client!

Domain = myfantasy.domain

... </source>

Disable at least NFSv2

  • /etc/default/nfs-kernel-server

<syntaxhighlight lang=ini> STATDOPTS="--port 33334 --outgoing-port 33335 --no-nfs-version 2" RPCNFSDOPTS="--no-nfs-version 2" </source>

Disable all but NFSv4 and higher

  • /etc/default/nfs-kernel-server

<syntaxhighlight lang=ini> RPCMOUNTDOPTS="--manage-gids --port 33333 --no-nfs-version 2 --no-nfs-version 3" NEED_STATD="no" NEED_IDMAPD="yes" RPCNFSDOPTS="--no-nfs-version 2 --no-nfs-version 3" </source>

Configure ufw

For plain NFSv4 and up you just need this: <syntaxhighlight lang=bash>

  1. ufw allow from 172.16.16.16/28 to any port 2049/tcp

</source> If you need still NFSv3 look above.

List clients that are connected

<syntaxhighlight lang=bash>

  1. cat /proc/fs/nfsd/clients/*/info

clientid: 0x7829c17160bf7066 address: "172.16.16.17:778" name: "Linux NFSv4.1 client01.domain.tld" minor version: 1 Implementation domain: "kernel.org" Implementation name: "Linux 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64" Implementation time: [0, 0] </source>

Server and Client