| tags:admin linux nfs security sysadmin ubuntu categories:Tech

Specify NFS Server Ports in Ubuntu Linux

By default, several of NFS's supporting services pick a random high port each time they start and simply register it with the portmapper. Only the portmapper itself (111) and nfsd (2049) sit on fixed, well-known ports; rpc.statd, lockd and rpc.mountd do not, so there is no firewall rule that permits NFS without also permitting a wide range of unprivileged ports. Here's a quick overview of the changes I made in Ubuntu 10.04 to bind all NFS-related services to static ports. Two caveats: if your clients only ever mount with NFSv4, none of this is needed, because NFSv4 runs entirely over port 2049 and does not use statd, lockd or mountd; and if you also run rpc.rquotad, give it a fixed port the same way (its -p option), since it is not covered below.

Configure statd to listen on port 4000:

[root@server1 ~]# cat /etc/default/nfs-common 
NEED_STATD=
STATDOPTS="--port 4000"
NEED_IDMAPD=
NEED_GSSD=
[root@server1 ~]#

Set lockd to listen on port 4001. lockd is a kernel module, so its ports are module parameters rather than daemon flags. Create /etc/modprobe.d/options.conf if it doesn't exist; modprobe only reads files in that directory whose names end in .conf:

[root@server1 ~]# cat /etc/modprobe.d/options.conf 
options lockd nlm_udpport=4001 nlm_tcpport=4001
[root@server1 ~]#

Add lockd to /etc/modules so it is loaded at boot with those parameters already in place:

[root@server1 ~]# cat /etc/modules
loop
lp
rtc
lockd
[root@server1 ~]#

Configure mountd to listen on 4002:

[root@server1 ~]# cat /etc/default/nfs-kernel-server 
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids -p 4002"
NEED_SVCGSSD=
RPCSVCGSSDOPTS=
[root@server1 ~]#

Once you've done the above, reboot your machine (a plain service restart is not enough for lockd, which only reads its parameters when the module is loaded). When it comes back up, your rpcinfo output should show every service on a fixed port, like this:

[root@server1 ~]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    3   udp   4001  nlockmgr
    100021    4   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100021    3   tcp   4001  nlockmgr
    100021    4   tcp   4001  nlockmgr
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100005    2   udp   4002  mountd
    100005    2   tcp   4002  mountd
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd
[root@server1 ~]#

Anything still listed on a high random port here means one of the settings above was not picked up; for lockd specifically, cat /proc/sys/fs/nfs/nlm_tcpport and nlm_udpport should read 4001. You can now permit 111, 2049 and 4000-4002 (TCP and UDP) from your NFS clients through your firewall. Note that the firewall only limits who can reach these services; it does not replace the host restrictions in /etc/exports, so keep both tight.
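As an added example (not from the original post), here is a small POSIX shell script that reads rpcinfo -p output, fails if any RPC service is registered on a port outside the expected set, and then generates iptables rules permitting exactly the registered protocol/port pairs from a client subnet. The port list follows the post; the subnet 192.0.2.0/24 and the sample rpcinfo output embedded so it runs offline are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit the ports NFS services
# registered with the portmapper and emit matching iptables rules.
# Ports follow the post (111, 2049, 4000-4002). NFS_CLIENT_NET is an
# assumed placeholder; replace it with the subnet your clients live in.

NFS_CLIENT_NET="${NFS_CLIENT_NET:-192.0.2.0/24}"
ALLOWED_PORTS="111 2049 4000 4001 4002"

# Constructed sample of what `rpcinfo -p` looks like after the change
# (portmapper, status, nlockmgr, nfs and mountd all on fixed ports).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    4   udp   4001  nlockmgr
    100021    4   tcp   4001  nlockmgr
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd'

# Reduce rpcinfo -p output (stdin) to unique "proto port service" triples;
# the version column is dropped because all versions share one port.
rpc_registrations() {
    awk 'NF == 5 && $4 ~ /^[0-9]+$/ { print $3, $4, $5 }' | sort -u
}

# Read rpcinfo -p output from stdin. Return 0 if every service sits on a
# port in ALLOWED_PORTS, otherwise list the strays on stderr and return 1.
# Usage on a live server:  rpcinfo -p | check_static_ports
check_static_ports() {
    stray=$(rpc_registrations | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print }')
    if [ -n "$stray" ]; then
        printf 'RPC service on an unexpected port:\n%s\n' "$stray" >&2
        return 1
    fi
    return 0
}

# Read rpcinfo -p output from stdin and print one iptables ACCEPT rule per
# registered proto/port pair, restricted to the NFS client subnet. Rules are
# derived from what is actually registered, so a setting that was not picked
# up shows up as a stray port in check_static_ports rather than as a hole.
# Usage on a live server:  rpcinfo -p | iptables_rules | sh
iptables_rules() {
    rpc_registrations | awk -v net="$NFS_CLIENT_NET" '
        { printf "iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT  # nfs: %s\n",
                 net, $1, $2, $3 }'
}

# Stand-alone demo against the constructed sample: audit first, then rules.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RPCINFO" | check_static_ports \
        && printf '%s\n' "$SAMPLE_RPCINFO" | iptables_rules
fi
```

Run the audit before the rule generation, as the demo does: if a service is still on a random port, you want the script to stop rather than emit a rule that blesses whatever port it landed on this boot. For NFSv4-only clients the status, nlockmgr and mountd rules can be dropped and only 2049 kept. The rules assume your INPUT chain has a default DROP policy; they add ACCEPTs, nothing else.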