When you set up a tight firewally, you go with the "deny all, allow some" paradigm. The ["SunRPC"] system was designed around the "trust the remote system" and the "make it simple for the admin, use dynamic ports" paradigm. Fortunatly, the services you use with NFS have port options to work better with your firewall.
The following examples are modifications to a Debian 3.1 (Sarge) system with a 2.6 Linux kernel. In most cases they do not indicate the full contents of the files, just the parts that were modified.
It's easy to configure the port options for the statd, mountd and quotad RPC services, thanks to the use of /etc/default/* by the init-scripts
# /etc/default/nfs-common STATDOPTS="--port 32765 --outgoing-port 32766"
# /etc/default/nfs-kernel-server RPCMOUNTDOPTS="-p 32767"
# /etc/default/quota RPCRQUOTADOPTS="-p 32769"
The nfs daemon (rpc.nfsd or just nfds) will listen on port 2049 by default if no port is specified.
The change to /etc/services isn't necessary at all. It just helps produces a nice (sensible) output from netstat -tl on the NFS server.
# /etc/services # NFS ports as per the NFS-HOWTO # http://www.tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS # Listing here does not mean they will bind to these ports. rpc.nfsd 2049/tcp # RPC nfsd rpc.nfsd 2049/udp # RPC nfsd rpc.statd-bc 32765/tcp # RPC statd broadcast rpc.statd-bc 32765/udp # RPC statd broadcast rpc.statd 32766/tcp # RPC statd listen rpc.statd 32766/udp # RPC statd listen rpc.mountd 32767/tcp # RPC mountd rpc.mountd 32767/udp # RPC mountd rcp.lockd 32768/tcp # RPC lockd/nlockmgr rcp.lockd 32768/udp # RPC lockd/nlockmgr rpc.quotad 32769/tcp # RPC quotad rpc.quotad 32769/udp # RPC quotad
I created /etc/modprobe.d/options.local to provide the lockd module with options.
# /etc/modprobe.d/options.local options lockd nlm_udpport=32768 nlm_tcpport=32768
Creating rules for your firewall for the above services should now be as simple as creating rules for more common services that bind to known ports, like http.
An example of allowing a firewall server make nfs mounts to an internal server. This rule set for the shoreline fireall allows traffic for portmap (111), nfs (2049)
# Allow nfs mounts to local network ACCEPT fw loc udp 111 ACCEPT fw loc tcp 111 ACCEPT fw loc udp 2049 ACCEPT fw loc udp 32765:32769
Port numbers are just suggestions.
The ports listed above are just suggestions from the NFS-HOWTO. Listing here does not indicate that they are part of the [http://www.iana.org/ IANA registry], nor is it the only suggestion. Chris Lowth has a different list of ports but the concept is mostly the same. His suggestions are at http://cryptosystem.us/files/nfs_help.html. I chose the NFS-HOWTO ports, just because it is a popular and highly visible document.
Who creates the port?
The man pages of individual RPC programs like rpc.statd and rpc.portd as well as online documentation like the NFS-HOWTO at tldp.org claim that the portmapper assigns the random port used.
Other documents on the web including a [http://forums.gentoo.org/viewtopic.php?t=77748 Gentoo NFS with firewalling forum topic] and [http://www.iana.org/assignments/sun-rpc-numbers IANA's notes on Sun RPC numbers] state that portmap does not allocate ports. The services request the next available port from the kernel and then register their port with portmap.
It looks like some quick code checking and possible documentation patches are in order.