Notes

Firewall An NFS server normally uses TCP port 111 for portmap and TCP port 2049 for nfsd. In addition, unless you instruct it otherwise, the NFS server uses portmap to assign (almost) random ports for the services it provides: rpc.statd, rpc.mountd, and (optionally) rpc.quotad. It is difficult to set up a firewall to protect a server from queries from random ports; it is much easier to specify which port each of these services uses. To specify the ports that NFS services use, modify the lines in the following files as shown:

$ grep STATD /etc/default/nfs-common

STATDOPTS="--port 32765 --outgoing-port 32766"

$ grep MOUNTD /etc/default/nfs-kernel-server

RPCMOUNTDOPTS="-p 32767"

$ grep QUOTAD /etc/default/quota

RPCQUOTADOPTS="-p 32769"

If you are not running rpc.quotad, you do not need to create or modify the quota file. The ports used in the example are the ones suggested in the Linux NFS-HOWTO, but you can use any unused ports you like. See wiki.debian.org/?SecuringNFS for more information.

If the NFS server system is running a firewall, you need to open ports 111 and 2049. To do so, use firestarter (page 886) to set a policy that allows NFS service. In addition, open the ports you specified in the files in /etc/default, as explained earlier. Because firestarter has no defined policy for these ports, you need to specify the ports manually when you add a rule in firestarter.
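Once the ports are pinned in /etc/default and the firewall rules are in place, it is worth confirming that the daemons really registered on those ports and did not fall back to portmap-assigned ones. The following shell check is an added example, not code from the book: it parses the output of rpcinfo -p (rpc.statd registers as "status", rpc.quotad as "rquotad") and compares each service against the ports chosen above; the two rpcinfo samples are constructed.

```shell
#!/bin/sh
# Added example: verify that NFS helper daemons are bound to the fixed ports
# configured in /etc/default/nfs-common, nfs-kernel-server and quota.
# Service names are the ones rpcinfo reports; ports are those used in the text.
EXPECTED="status:32765 mountd:32767 rquotad:32769"

# check_nfs_ports RPCINFO_OUTPUT
# Prints a FAIL line for every service registered on an unexpected port and a
# WARN line for a service not registered at all (rpc.quotad is optional).
# Returns 1 if any FAIL was found, 0 otherwise.
check_nfs_ports() {
    rpcinfo_out=$1
    bad=0
    for pair in $EXPECTED; do
        svc=${pair%%:*}
        want=${pair##*:}
        # rpcinfo -p columns: program vers proto port service; gather every
        # distinct port the service is registered on (udp and tcp).
        got=$(printf '%s\n' "$rpcinfo_out" | awk -v s="$svc" '$5 == s { print $4 }' | sort -u)
        if [ -z "$got" ]; then
            printf 'WARN: %s is not registered with portmap\n' "$svc"
            continue
        fi
        for p in $got; do
            if [ "$p" != "$want" ]; then
                printf 'FAIL: %s bound to port %s, expected %s\n' "$svc" "$p" "$want"
                bad=1
            fi
        done
    done
    return $bad
}

# Constructed "rpcinfo -p" output from a correctly configured server.
GOOD_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    1   udp  32767  mountd
    100005    1   tcp  32767  mountd
    100024    1   udp  32765  status
    100024    1   tcp  32765  status
    100011    1   udp  32769  rquotad'

# Constructed output where mountd ignored -p and took a portmap-assigned port.
BAD_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    1   udp  49203  mountd
    100005    1   tcp  49203  mountd
    100024    1   udp  32765  status
    100024    1   tcp  32765  status'

# On a live server run: check_nfs_ports "$(rpcinfo -p)"
if check_nfs_ports "$GOOD_RPCINFO"; then echo "fixed-port check passed"; fi
```

If the check reports a FAIL, the daemon was started before the /etc/default file was edited or the option was not picked up; restart the NFS services and re-run it before trusting the firewall rules.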

Security The rpc.mountd daemon uses TCP wrappers to control client access to the server. As explained on page 532, you can set up /etc/hosts.allow and /etc/hosts.deny files to specify which clients can contact rpc.mountd on the server and thereby use NFS. The name of the daemon to use in these files is mountd.
