NFS: Difference between revisions
No edit summary
m (Text replacement - "<source" to "<syntaxhighlight")
Line 8: | Line 8: | ||
* /etc/default/nfs-kernel-server | * /etc/default/nfs-kernel-server | ||
< | <syntaxhighlight lang=ini> | ||
RPCMOUNTDOPTS="--manage-gids --port 33333" | RPCMOUNTDOPTS="--manage-gids --port 33333" | ||
</source> | </source> | ||
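Review bot: the replacement only touched the opening tag, so the unchanged context line `</source>` at the end of this hunk now closes a block that opens with `<syntaxhighlight lang=ini>`; the two tags no longer pair up and the wiki will not treat them as one highlighted block. Replace the closing tag with `</syntaxhighlight>` as well. The same applies to every other `</source>` line in this diff.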
Line 15: | Line 15: | ||
You just need it if you still need protocols below NFSv4. | You just need it if you still need protocols below NFSv4. | ||
* /etc/default/nfs-common | * /etc/default/nfs-common | ||
< | <syntaxhighlight lang=ini> | ||
STATDOPTS="--port 33334 --outgoing-port 33335" | STATDOPTS="--port 33334 --outgoing-port 33335" | ||
</source> | </source> | ||
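Review bot: same mismatch here: the opening tag became `<syntaxhighlight lang=ini>` while the closing `</source>` was left as is; change it to `</syntaxhighlight>`.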
Line 21: | Line 21: | ||
===Bind lockd to specific port=== | ===Bind lockd to specific port=== | ||
* /etc/sysctl.d/nfs-static-ports.conf | * /etc/sysctl.d/nfs-static-ports.conf | ||
< | <syntaxhighlight lang=ini> | ||
fs.nfs.nlm_tcpport = 33336 | fs.nfs.nlm_tcpport = 33336 | ||
fs.nfs.nlm_udpport = 33336 | fs.nfs.nlm_udpport = 33336 | ||
</source> | </source> | ||
Activate it without rebooting through: | Activate it without rebooting through: | ||
< | <syntaxhighlight lang=bash> | ||
# sysctl --load /etc/sysctl.d/nfs-static-ports.conf | # sysctl --load /etc/sysctl.d/nfs-static-ports.conf | ||
fs.nfs.nlm_tcpport = 33336 | fs.nfs.nlm_tcpport = 33336 | ||
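Review bot: two blocks in this hunk (`<syntaxhighlight lang=ini>` and `<syntaxhighlight lang=bash>`) now open with the new tag, but the `</source>` closing the first one is unchanged; change it to `</syntaxhighlight>` (and check the closing tag of the bash block, which lies outside the shown context).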
Line 34: | Line 34: | ||
Caution! The port you set above for the mountd has to be the same here! I used 33333, if you changed it above for some reason: Change it here, too! | Caution! The port you set above for the mountd has to be the same here! I used 33333, if you changed it above for some reason: Change it here, too! | ||
* /etc/ufw/applications.d/nfs | * /etc/ufw/applications.d/nfs | ||
< | <syntaxhighlight lang=ini> | ||
[NFS-Server] | [NFS-Server] | ||
title=NFS-Server | title=NFS-Server | ||
Line 40: | Line 40: | ||
ports=111/tcp|111/udp|2049/tcp|33333:33336/tcp | ports=111/tcp|111/udp|2049/tcp|33333:33336/tcp | ||
</source> | </source> | ||
< | <syntaxhighlight lang=bash> | ||
# ufw allow from 172.16.16.16/28 to any app "NFS-Server" | # ufw allow from 172.16.16.16/28 to any app "NFS-Server" | ||
</source> | </source> | ||
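Review bot: both `</source>` lines in this hunk (after the `ports=` line and after the `ufw allow` line) still close blocks that now open with `<syntaxhighlight>`; change both to `</syntaxhighlight>`.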
Line 50: | Line 50: | ||
* /etc/idmapd.conf | * /etc/idmapd.conf | ||
You should better set a Domain. Set the same Domain on server an client(s)! | You should better set a Domain. Set the same Domain on server an client(s)! | ||
< | <syntaxhighlight lang=ini> | ||
[General] | [General] | ||
... | ... | ||
Line 63: | Line 63: | ||
===Disable at least NFSv2=== | ===Disable at least NFSv2=== | ||
* /etc/default/nfs-kernel-server | * /etc/default/nfs-kernel-server | ||
< | <syntaxhighlight lang=ini> | ||
STATDOPTS="--port 33334 --outgoing-port 33335 --no-nfs-version 2" | STATDOPTS="--port 33334 --outgoing-port 33335 --no-nfs-version 2" | ||
RPCNFSDOPTS="--no-nfs-version 2" | RPCNFSDOPTS="--no-nfs-version 2" | ||
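Review bot: unrelated to the tag replacement but visible in this hunk: `--no-nfs-version 2` is passed in `STATDOPTS`, whereas everywhere else in this diff the version switch is given to rpc.mountd (`RPCMOUNTDOPTS="... --no-nfs-version 2 --no-nfs-version 3"` in the next hunk) and to rpc.nfsd, and the `STATDOPTS` line in the Line 15 hunk carries no version switch at all. Please double-check that rpc.statd accepts this option; if not, move it to `RPCMOUNTDOPTS`.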
Line 70: | Line 70: | ||
===Disable all but NFSv4 and higher=== | ===Disable all but NFSv4 and higher=== | ||
* /etc/default/nfs-kernel-server | * /etc/default/nfs-kernel-server | ||
< | <syntaxhighlight lang=ini> | ||
RPCMOUNTDOPTS="--manage-gids --port 33333 --no-nfs-version 2 --no-nfs-version 3" | RPCMOUNTDOPTS="--manage-gids --port 33333 --no-nfs-version 2 --no-nfs-version 3" | ||
NEED_STATD="no" | NEED_STATD="no" | ||
Line 79: | Line 79: | ||
===Configure ufw=== | ===Configure ufw=== | ||
For plain NFSv4 and up you just need this: | For plain NFSv4 and up you just need this: | ||
< | <syntaxhighlight lang=bash> | ||
# ufw allow from 172.16.16.16/28 to any port 2049/tcp | # ufw allow from 172.16.16.16/28 to any port 2049/tcp | ||
</source> | </source> | ||
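Review bot: the `</source>` after the `ufw allow ... port 2049/tcp` line is unchanged while its opening tag became `<syntaxhighlight lang=bash>`; change it to `</syntaxhighlight>`.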
Line 86: | Line 86: | ||
===List clients that are connected=== | ===List clients that are connected=== | ||
< | <syntaxhighlight lang=bash> | ||
# cat /proc/fs/nfsd/clients/*/info | # cat /proc/fs/nfsd/clients/*/info | ||
clientid: 0x7829c17160bf7066 | clientid: 0x7829c17160bf7066 |
Revision as of 23:52, 25 November 2021
Some things to know about NFS...
NFSv3
Server
Bind rpc.mountd to specific port
The port of rpc.mountd is usually random, which is a nightmare for firewall administrators, so picking a known port is much better.
- /etc/default/nfs-kernel-server
<syntaxhighlight lang=ini>
RPCMOUNTDOPTS="--manage-gids --port 33333"
</syntaxhighlight>
Bind statd to specific port
You only need this if you still need protocol versions below NFSv4.
- /etc/default/nfs-common
<syntaxhighlight lang=ini>
STATDOPTS="--port 33334 --outgoing-port 33335"
</syntaxhighlight>
Bind lockd to specific port
- /etc/sysctl.d/nfs-static-ports.conf
<syntaxhighlight lang=ini>
fs.nfs.nlm_tcpport = 33336
fs.nfs.nlm_udpport = 33336
</syntaxhighlight>
Activate it without rebooting through:
<syntaxhighlight lang=bash>
# sysctl --load /etc/sysctl.d/nfs-static-ports.conf
fs.nfs.nlm_tcpport = 33336
fs.nfs.nlm_udpport = 33336
</syntaxhighlight>
Configure ufw
Caution! The port you set above for mountd has to be the same here! I used 33333; if you changed it above for some reason, change it here too!
- /etc/ufw/applications.d/nfs
<syntaxhighlight lang=ini>
[NFS-Server]
title=NFS-Server
description=NFS Server
ports=111/tcp|111/udp|2049/tcp|33333:33336/tcp
</syntaxhighlight>
<syntaxhighlight lang=bash>
# ufw allow from 172.16.16.16/28 to any app "NFS-Server"
</syntaxhighlight>
Note that the profile opens the 33333:33336 range for TCP only; the lockd UDP port set via fs.nfs.nlm_udpport above is not covered, so add 33333:33336/udp to the ports= line if any client mounts over UDP.
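As an added example (not part of the original page), a POSIX shell check that the pinned ports above actually took effect, by parsing `rpcinfo -p` output; it assumes the port numbers used on this page (33333, 33334, 33336) and runs against a constructed sample.

```shell
#!/bin/sh
# Added example: verify that the NFSv3 helper daemons really sit on the
# pinned ports from the /etc/default settings above, by parsing `rpcinfo -p`.
# On a server: rpcinfo -p | check_nfs_ports

# rpcinfo service name -> expected port (mountd, statd, lockd as configured above).
EXPECTED="mountd:33333 status:33334 nlockmgr:33336"

# Reads `rpcinfo -p` output on stdin; prints one line per problem and returns
# 0 only when every service is registered exclusively on its expected port.
check_nfs_ports() {
    input=$(cat)
    rc=0
    for pair in $EXPECTED; do
        svc=${pair%%:*}
        want=${pair##*:}
        # Columns are: program vers proto port service; collect every distinct
        # port the service is registered on (it appears once per proto/version).
        ports=$(printf '%s\n' "$input" | awk -v s="$svc" '$5 == s { print $4 }' | sort -u)
        if [ -z "$ports" ]; then
            echo "MISSING  $svc is not registered with rpcbind"
            rc=1
            continue
        fi
        for p in $ports; do
            [ "$p" = "$want" ] && continue
            echo "MISMATCH $svc is on port $p, expected $want (ufw profile will not match)"
            rc=1
        done
    done
    return $rc
}

# Constructed sample of `rpcinfo -p` output: mountd and statd are pinned,
# lockd (nlockmgr) still picked a random port because the sysctl was not applied.
SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    3   tcp  33333  mountd
    100005    3   udp  33333  mountd
    100024    1   tcp  33334  status
    100024    1   udp  33334  status
    100021    4   tcp  42851  nlockmgr
    100021    4   udp  42851  nlockmgr
    100003    4   tcp   2049  nfs'

printf '%s\n' "$SAMPLE" | check_nfs_ports || echo "port pinning is incomplete"
```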
NFSv4.1
Server
Configure rpc.idmapd
- /etc/idmapd.conf
You should set a Domain. Set the same Domain on server and client(s)! If the domains differ, unmapped owners show up as nobody/nogroup on the client.
<syntaxhighlight lang=ini>
[General]
...
# set your own domain here, if it differs from FQDN minus hostname.
# you can use a fantasy name, but whatever it is, keep this identical on server and client!
Domain = myfantasy.domain
...
</syntaxhighlight>
Disable at least NFSv2
- /etc/default/nfs-kernel-server
<syntaxhighlight lang=ini>
# The version switches belong to rpc.mountd and rpc.nfsd; rpc.statd does not
# accept --no-nfs-version, so STATDOPTS stays as set in /etc/default/nfs-common above.
RPCMOUNTDOPTS="--manage-gids --port 33333 --no-nfs-version 2"
RPCNFSDOPTS="--no-nfs-version 2"
</syntaxhighlight>
Disable all but NFSv4 and higher
- /etc/default/nfs-kernel-server
<syntaxhighlight lang=ini>
RPCMOUNTDOPTS="--manage-gids --port 33333 --no-nfs-version 2 --no-nfs-version 3"
NEED_STATD="no"
NEED_IDMAPD="yes"
RPCNFSDOPTS="--no-nfs-version 2 --no-nfs-version 3"
</syntaxhighlight>
Configure ufw
For plain NFSv4 and up you just need this:
<syntaxhighlight lang=bash>
# ufw allow from 172.16.16.16/28 to any port 2049/tcp
</syntaxhighlight>
If you still need NFSv3, see above.
List clients that are connected
<syntaxhighlight lang=bash>
# cat /proc/fs/nfsd/clients/*/info
clientid: 0x7829c17160bf7066
address: "172.16.16.17:778"
name: "Linux NFSv4.1 client01.domain.tld"
minor version: 1
Implementation domain: "kernel.org"
Implementation name: "Linux 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64"
Implementation time: [0, 0]
</syntaxhighlight>
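As an added example (not part of the original page), a POSIX shell script that summarises the client records shown above and flags any client whose address lies outside the subnet the ufw rule allows; the CIDR argument and the second, outside client are constructed assumptions, and only IPv4 addresses are handled.

```shell
#!/bin/sh
# Added example: summarise /proc/fs/nfsd/clients/*/info and flag clients
# connecting from outside the subnet the ufw rule allows (172.16.16.16/28
# on this page). IPv4 only.
# On a server: cat /proc/fs/nfsd/clients/*/info | nfsd_clients 172.16.16.16/28

# Reads client info records on stdin, prints "OK|OUTSIDE <ip> v4.<minor> <name>"
# per client and returns 1 if at least one client is OUTSIDE the given CIDR.
nfsd_clients() {
    awk -v cidr="$1" '
    function ip2int(s,    o) { split(s, o, "[.]"); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # Network prefix of an address: its top "bits" bits as an integer.
    function prefix(s) { return int(ip2int(s) / 2 ^ (32 - bits)) }
    function flush() {
        if (ip == "") return
        status = (prefix(ip) == net) ? "OK" : "OUTSIDE"
        if (status == "OUTSIDE") bad = 1
        printf "%s %s v4.%s %s\n", status, ip, minor, name
        ip = ""; name = ""; minor = ""
    }
    BEGIN { split(cidr, c, "/"); bits = c[2] + 0; net = prefix(c[1]); bad = 0 }
    /^clientid:/ { flush() }   # a new record starts: emit the previous one
    /^address:/  { gsub(/"/, "", $2); split($2, a, ":"); ip = a[1] }
    /^name:/     { name = $0; sub(/^name: */, "", name); gsub(/"/, "", name) }
    /^minor version:/ { minor = $3 }
    END { flush(); exit bad }
    '
}

# Constructed sample: the client from the page plus one from outside the subnet.
SAMPLE='clientid: 0x7829c17160bf7066
address: "172.16.16.17:778"
name: "Linux NFSv4.1 client01.domain.tld"
minor version: 1
Implementation domain: "kernel.org"
Implementation time: [0, 0]
clientid: 0x0000000000000001
address: "10.9.8.7:1021"
name: "Linux NFSv4.2 rogue.constructed.invalid"
minor version: 2
Implementation domain: "kernel.org"
Implementation time: [0, 0]'

printf '%s\n' "$SAMPLE" | nfsd_clients 172.16.16.16/28 || echo "at least one client is outside the allowed subnet"
```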