Notes on applying the suggestions from the [ Security section] of the [ NFS-HOWTO] to Debian 3.1 (Sarge).


Firewall Friendly

When you set up a tight firewally, you go with the "deny all, allow some" paradigm. The ["SunRPC"] system was designed around the "trust the remote system" and the "make it simple for the admin, use dynamic ports" paradigm. Fortunatly, the services you use with NFS have port options to work better with your firewall.

The following examples are modifications to a Debian 3.1 (Sarge) system with a 2.6 Linux kernel. In most cases they do not indicate the full contents of the files, just the parts that were modified.

It's easy to configure the port options for the statd, mountd and quotad RPC services, thanks to the use of /etc/default/* by the init-scripts

 # /etc/default/nfs-common
 STATDOPTS="--port 32765 --outgoing-port 32766"

 # /etc/default/nfs-kernel-server

 # /etc/default/quota

The nfs daemon (rpc.nfsd or just nfds) will listen on port 2049 by default if no port is specified.

The change to /etc/services isn't necessary at all. It just helps produces a nice (sensible) output from netstat -tl on the NFS server.

 # /etc/services
 # NFS ports as per the NFS-HOWTO
 # Listing here does not mean they will bind to these ports. 
 rpc.nfsd        2049/tcp                        # RPC nfsd
 rpc.nfsd        2049/udp                        # RPC nfsd
 rpc.statd-bc    32765/tcp                       # RPC statd broadcast
 rpc.statd-bc    32765/udp                       # RPC statd broadcast
 rpc.statd       32766/tcp                       # RPC statd listen
 rpc.statd       32766/udp                       # RPC statd listen
 rpc.mountd      32767/tcp                       # RPC mountd
 rpc.mountd      32767/udp                       # RPC mountd
 rcp.lockd       32768/tcp                       # RPC lockd/nlockmgr
 rcp.lockd       32768/udp                       # RPC lockd/nlockmgr
 rpc.quotad      32769/tcp                       # RPC quotad
 rpc.quotad      32769/udp                       # RPC quotad

I created /etc/modprobe.d/options.local to provide the lockd module with options.

 # /etc/modprobe.d/options.local
 options lockd nlm_udpport=32768 nlm_tcpport=32768

Firewall Rules

Creating rules for your firewall for the above services should now be as simple as creating rules for more common services that bind to known ports, like http.


An example of allowing a firewall server make nfs mounts to an internal server. This rule set for the shoreline fireall allows traffic for portmap (111), nfs (2049)

 # Allow nfs mounts to local network
 ACCEPT          fw      loc             udp     111
 ACCEPT          fw      loc             tcp     111
 ACCEPT          fw      loc             udp     2049
 ACCEPT          fw      loc             udp     32765:32769


Port numbers are just suggestions.

The ports listed above are just suggestions from the NFS-HOWTO. Listing here does not indicate that they are part of the [ IANA registry], nor is it the only suggestion. Chris Lowth has a different list of ports but the concept is mostly the same. His suggestions are at I chose the NFS-HOWTO ports, just because it is a popular and highly visible document.

Who creates the port?

The man pages of individual RPC programs like rpc.statd and rpc.portd as well as online documentation like the NFS-HOWTO at claim that the portmapper assigns the random port used.

Other documents on the web including a [ Gentoo NFS with firewalling forum topic] and [ IANA's notes on Sun RPC numbers] state that portmap does not allocate ports. The services request the next available port from the kernel and then register their port with portmap.

It looks like some quick code checking and possible documentation patches are in order.