NFS

From Lolly's Wiki
Revision as of 04:52, 26 November 2021 by Lollypop (talk | contribs) (Text replacement - "</source" to "</syntaxhighlight")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Some things to know about NFS...

NFSv3

Server

Bind rpc.mountd to specific port

The port of the rpc.mountd is usually random this is a nightmare for firewallers so picking a known port is much better.

  • /etc/default/nfs-kernel-server
RPCMOUNTDOPTS="--manage-gids --port 33333"

Bind statd to specific port

You just need it if you still need protocols below NFSv4.

  • /etc/default/nfs-common
STATDOPTS="--port 33334 --outgoing-port 33335"

Bind lockd to specific port

  • /etc/sysctl.d/nfs-static-ports.conf
fs.nfs.nlm_tcpport = 33336
fs.nfs.nlm_udpport = 33336

Activate it without rebooting through: 

# sysctl --load /etc/sysctl.d/nfs-static-ports.conf
fs.nfs.nlm_tcpport = 33336
fs.nfs.nlm_udpport = 33336

Configure ufw

Caution! The port you set above for the mountd has to be the same here! I used 33333, if you changed it above for some reason: Change it here, too!

  • /etc/ufw/applications.d/nfs
[NFS-Server]
title=NFS-Server
description=NFS Server
ports=111/tcp|111/udp|2049/tcp|33333:33336/tcp

# ufw allow from 172.16.16.16/28 to any app "NFS-Server"


NFSv4.1

Server

Configure rpc.idmapd

  • /etc/idmapd.conf

You should better set a Domain. Set the same Domain on server an client(s)! 

[General]
...

# set your own domain here, if it differs from FQDN minus hostname.
# you can use a fantasy name, but whatever it is, keep this identical on server and client!
Domain = myfantasy.domain

...

Disable at least NFSv2

  • /etc/default/nfs-kernel-server
STATDOPTS="--port 33334 --outgoing-port 33335 --no-nfs-version 2"
RPCNFSDOPTS="--no-nfs-version 2"

Disable all but NFSv4 and higher

  • /etc/default/nfs-kernel-server
RPCMOUNTDOPTS="--manage-gids --port 33333 --no-nfs-version 2 --no-nfs-version 3"
NEED_STATD="no"
NEED_IDMAPD="yes"
RPCNFSDOPTS="--no-nfs-version 2 --no-nfs-version 3"

Configure ufw

For plain NFSv4 and up you just need this: 

# ufw allow from 172.16.16.16/28 to any port 2049/tcp

If you need still NFSv3 look above.

List clients that are connected

# cat /proc/fs/nfsd/clients/*/info 
clientid: 0x7829c17160bf7066
address: "172.16.16.17:778"
name: "Linux NFSv4.1 client01.domain.tld"
minor version: 1
Implementation domain: "kernel.org"
Implementation name: "Linux 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64"
Implementation time: [0, 0]

Server and Client

Retrieved from "https://lars.timmann.de/wiki/index.php?title=NFS&oldid=2535"