NFS
From Lolly's Wiki
Some things to know about NFS...
NFSv3
Server
Bind rpc.mountd to specific port
rpcbind (port 111) and nfsd (port 2049) always sit on fixed ports, but rpc.mountd picks a random port every time it starts (so do rpc.statd and lockd, see below). That is a nightmare for anyone writing firewall rules, so pin it to a known port. Note that with nfs-utils 2.x the daemons read /etc/nfs.conf instead of /etc/default/nfs-*; the equivalent keys are port= in the [mountd], [statd] and [lockd] sections (plus outgoing-port= for statd and udp-port= for lockd) and vers2=n / vers3=n in [nfsd].
- /etc/default/nfs-kernel-server
RPCMOUNTDOPTS="--manage-gids --port 33333"
Bind statd to specific port
You only need this if you still serve protocols below NFSv4: rpc.statd implements NSM, the reboot-notification part of NFSv3 file locking, which NFSv4 handles inside the protocol itself.
- /etc/default/nfs-common
STATDOPTS="--port 33334 --outgoing-port 33335"
Bind lockd to specific port
- /etc/sysctl.d/nfs-static-ports.conf
fs.nfs.nlm_tcpport = 33336
fs.nfs.nlm_udpport = 33336
Activate it without rebooting through the command below. The fs.nfs.* keys only exist once the lockd kernel module is loaded, so on a freshly booted server this can fail with "No such file or directory" until something has loaded lockd; if that bites you at boot time, set the equivalent lockd module parameters nlm_tcpport and nlm_udpport in a file under /etc/modprobe.d/ instead.
# sysctl --load /etc/sysctl.d/nfs-static-ports.conf
fs.nfs.nlm_tcpport = 33336
fs.nfs.nlm_udpport = 33336
Configure ufw
Caution! The ports here have to be the ones you set above for mountd, statd and lockd. I used 33333 to 33336; if you chose other ports for some reason, change them here too. This profile only opens TCP; if clients mount NFSv3 over UDP, add 2049/udp and 33333:33336/udp as well.
- /etc/ufw/applications.d/nfs
[NFS-Server]
title=NFS-Server
description=NFS Server
ports=111/tcp|111/udp|2049/tcp|33333:33336/tcp
# ufw allow from 172.16.16.16/28 to any app "NFS-Server"
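To verify that the static ports actually took effect and that the ufw profile matches them, here is an added shell check (my own example, not from the wiki or from nfs-utils). It assumes the port numbers above and parses the output of rpcinfo -p, which lists the mountd, status (statd) and nlockmgr (lockd) registrations; the rpcinfo output embedded in the script is constructed sample data, and the mismatch sample is made up to show what a missed --port looks like.

```shell
#!/bin/sh
# Added example, not part of the wiki page: verify that mountd, statd and lockd
# actually registered on the static ports before you write firewall rules for
# them. The expected ports are the wiki's values; the rpcinfo output below is
# constructed sample data. On a real server run:  rpcinfo -p | check_ports

MOUNTD_PORT=33333   # --port in RPCMOUNTDOPTS
STATD_PORT=33334    # --port in STATDOPTS
LOCKD_PORT=33336    # fs.nfs.nlm_tcpport / fs.nfs.nlm_udpport

# check_ports: reads `rpcinfo -p` output (columns: program vers proto port
# service) on stdin, prints one line per service that is not on the port we
# expect, and returns 1 if there was any mismatch. rpcbind (111) and nfsd
# (2049) are checked too, since they are part of the ufw profile.
check_ports() {
    rc=0
    while read -r _prog vers proto port service; do
        case "$service" in
            portmapper) want=111 ;;
            nfs)        want=2049 ;;
            mountd)     want=$MOUNTD_PORT ;;
            status)     want=$STATD_PORT ;;   # rpc.statd registers as "status"
            nlockmgr)   want=$LOCKD_PORT ;;   # lockd registers as "nlockmgr"
            *)          continue ;;           # header line and unrelated RPC services
        esac
        if [ "$port" != "$want" ]; then
            echo "MISMATCH: $service v$vers/$proto is on port $port, expected $want"
            rc=1
        fi
    done
    return $rc
}

# ufw_ports: derive the ports= value of the ufw application profile from the
# same rpcinfo output, so the profile cannot drift from what the daemons bound.
ufw_ports() {
    awk 'NR > 1 && $5 ~ /^(portmapper|nfs|mountd|status|nlockmgr)$/ { print $4 "/" $3 }' |
        LC_ALL=C sort -u | paste -s -d '|' -
}

# Constructed sample: every daemon on its static port.
SAMPLE_OK='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  33333  mountd
    100005    3   tcp  33333  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100024    1   udp  33334  status
    100024    1   tcp  33334  status
    100021    1   udp  33336  nlockmgr
    100021    4   tcp  33336  nlockmgr'

# Constructed sample: mountd fell back to a random port (the --port option was
# not picked up), which is exactly what silently breaks the firewall rule.
SAMPLE_BAD='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    3   tcp  45711  mountd
    100003    4   tcp   2049  nfs'

if printf '%s\n' "$SAMPLE_OK" | check_ports; then
    echo "OK: all NFS services on their expected ports"
fi
echo "ufw profile ports=$(printf '%s\n' "$SAMPLE_OK" | ufw_ports)"
printf '%s\n' "$SAMPLE_BAD" | check_ports || echo "the ufw profile above would not match this server"
```

Pipe real output in with `rpcinfo -p | check_ports` and compare `rpcinfo -p | ufw_ports` with the ports= line of the profile; the derived value also lists the UDP registrations, which the TCP-only profile above leaves out on purpose.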
NFSv4.1
Server
Configure rpc.idmapd
- /etc/idmapd.conf
Set a Domain explicitly, and use the same Domain on the server and all clients! rpc.idmapd maps the user@domain strings NFSv4 sends to local UIDs/GIDs; if the domains differ, the mapping fails and files show up owned by the Nobody-User/Nobody-Group (nobody/nogroup on Debian).
[General]
...
# set your own domain here, if it differs from FQDN minus hostname.
# you can use a fantasy name, but whatever it is, keep this identical on server and client!
Domain = myfantasy.domain
...
Disable at least NFSv2
- /etc/default/nfs-kernel-server
RPCMOUNTDOPTS="--manage-gids --port 33333 --no-nfs-version 2"
RPCNFSDOPTS="--no-nfs-version 2"
--no-nfs-version is an option of rpc.mountd and rpc.nfsd only; rpc.statd does not understand it, so leave STATDOPTS in /etc/default/nfs-common as set above. Restart nfs-kernel-server afterwards and confirm the result in /proc/fs/nfsd/versions.
Disable all but NFSv4 and higher
- /etc/default/nfs-kernel-server
RPCMOUNTDOPTS="--manage-gids --port 33333 --no-nfs-version 2 --no-nfs-version 3"
RPCNFSDOPTS="--no-nfs-version 2 --no-nfs-version 3"
- /etc/default/nfs-common
NEED_STATD="no"
NEED_IDMAPD="yes"
NEED_STATD and NEED_IDMAPD belong in /etc/default/nfs-common, not in nfs-kernel-server. rpc.mountd still has to run (the kernel asks it about the exports), but NFSv4 clients never contact it, so its port can stay closed in the firewall.
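To confirm that the disabled versions are really gone after the restart, here is an added shell check (my own example, not from the wiki or from nfs-utils). It reads the version list the kernel exposes in /proc/fs/nfsd/versions, where every version carries a + (enabled) or - (disabled) prefix, and reports any version that should be off but is still on. The two version strings in the script are constructed to match the two configurations above.

```shell
#!/bin/sh
# Added example, not part of the wiki page: after restarting nfs-kernel-server,
# confirm that the versions you disabled with --no-nfs-version are really off.
# The kernel reports them in /proc/fs/nfsd/versions as one token per version,
# prefixed with + (enabled) or - (disabled), e.g. "-2 +3 +4 +4.1 +4.2".
# The strings below are constructed samples; on a real server call
#   check_versions "$(cat /proc/fs/nfsd/versions)" 2 3

# check_versions VERSIONS_STRING VER... : returns 0 only if every VER given is
# disabled, and names each one that is still enabled.
check_versions() {
    versions=$1; shift
    rc=0
    for v in "$@"; do
        case " $versions " in
            *" +$v "*) echo "NFSv$v is still enabled"; rc=1 ;;
            *" -$v "*) : ;;   # explicitly disabled, nothing to do
            *) echo "NFSv$v is not offered by this kernel at all" ;;
        esac
    done
    return $rc
}

# enabled_versions VERSIONS_STRING : the versions a client can still negotiate
enabled_versions() {
    out=
    for tok in $1; do
        case $tok in
            +*) out="$out${out:+ }${tok#+}" ;;
        esac
    done
    printf '%s\n' "$out"
}

# What the "Disable at least NFSv2" settings should give you (constructed):
AFTER_V2_OFF='-2 +3 +4 +4.1 +4.2'
# What "Disable all but NFSv4 and higher" should give you (constructed):
AFTER_V4_ONLY='-2 -3 +4 +4.1 +4.2'

check_versions "$AFTER_V2_OFF" 2 && echo "v2 off, clients may use: $(enabled_versions "$AFTER_V2_OFF")"
check_versions "$AFTER_V4_ONLY" 2 3 && echo "v4 only, clients may use: $(enabled_versions "$AFTER_V4_ONLY")"
check_versions "$AFTER_V2_OFF" 3 || echo "NFSv3 is still on, so mountd, statd and lockd must stay reachable"
```

The 4.x minor versions only show up on kernels that list them; on a kernel without them the check prints "not offered" for 4.1 or 4.2 rather than pretending they are disabled.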
Configure ufw
For plain NFSv4 and up this is all you need, because NFSv4 clients talk to port 2049 only and use neither rpcbind nor mountd:
# ufw allow from 172.16.16.16/28 to any port 2049/tcp
If you still need NFSv3, use the application profile above.
List NFSv4 clients that are connected (the clients directory appeared in Linux 5.3; NFSv3 is stateless, so there is no such list for it)
# cat /proc/fs/nfsd/clients/*/info
clientid: 0x7829c17160bf7066
address: "172.16.16.17:778"
name: "Linux NFSv4.1 client01.domain.tld"
minor version: 1
Implementation domain: "kernel.org"
Implementation name: "Linux 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64"
Implementation time: [0, 0]