Configuring NFS under Linux for Firewall control

By: Chris Lowth <chris@lowth.com>
Date: April 25th 2003

Looking for Iptables configuration assistance?

If you have been directed to this page because you are searching for general assitance in configuring IPTABLES, Then Click here to try "LinWiz", an on-line IPtables configurator that does the hard work for you. Answer a few simple questions and LinWiz will generate your IPtables rules file for you to download.

Platforms

This document has been written with reference to RedHat 7.x and 8.x systems but is appropriate for other Linux distributions. The author warmly invites comments, corrections and (in particular) news of using this approach on other Linuxes.

Follow-up contributions.

I have received numerous mails since writing this article, some of which include more information which may be of general use. Thanks to the authors for permission to reproduce their comments here..

Introduction.

When setting up IPTABLES firewalling for Linux systems running the NFS service (network file system), you hit the problem that some of the TCP/IP and UDP ports used by components of the service are randomly generated as part of the “SunRPC” mechanism.

This document is part of the LinWiz tool kit, and describes how to set up NFS in such a way that meaningful firewall rules can be applied to the system.

The LinWiz toolkit.

LinWiz is a free-to-use on-line Linux IPTables configuration wizard, designed for novices and experts alike. LinWiz presents a simple, single-page questionaire for you to fill in, and then generates a personalised iptable configuration file for download onto the Linux server, firewall or router/gateway.

Click here to use this software on line.

Viewing the used ports.

On a system that is up and running with the NFS service active, the ports used by the components of the service can be listed using the command “rpcinfo -p”. The output will look something like this...

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32814  status
    100024    1   tcp  33024  status
    100011    1   udp    670  rquotad
    100011    2   udp    670  rquotad
    100011    1   tcp    673  rquotad
    100011    2   tcp    673  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32816  nlockmgr
    100021    3   udp  32816  nlockmgr
    100021    4   udp  32816  nlockmgr
    100005    1   udp  32818  mountd
    100005    1   tcp  33025  mountd
    100005    2   udp  32818  mountd
    100005    2   tcp  33025  mountd
    100005    3   udp  32818  mountd
    100005    3   tcp  33025  mountd

This listing shows the IP ports for the various versions of the service used in the 4th column. If you view this listing on different systems (or even after rebooting the same one) you may well find that the port numbers are different – this is a real problem when configing firewalls, which tend to assume that known port numbers are used for the services being configured.

Setting up NFS to use fixed IP ports.

To make it possible to configure a firewall that controls NFS, it is useful to be able to “tie” down the ports used by these services to fixed values. Luckily this is possible in RedHat Linux versions 7 and 8 (and, I suspect; other linux distributions), although the methods for setting these port numbers are different for each of the daemons.

The following table lists the NFS daemons and summarises the relevant information for them. The sections that follow give more detail.

Daemon Name

RPM

Standard Port

Suggested Port

What to Change

portmap

portmap

111

111

Nothing

rpc.statd

nfs-utils

Random

4000

Edit /etc/init.d/nfslock

rpc.nfsd

nfs-utils

2049

2049

Nothing

rpc.lockd

nfs-utils & kernel

Random

4001

Edit /etc/modules.conf

rpc.mountd

nfs-utils

Random

4002

Create or Edit /etc/sysconfig/nfs

rpc.rquotad

quota

Random

4003

Install "quota" package version 3.08 or later
and edit /etc/rpc and /etc/services

Portmapper [Standard port: 111]

The portmapper is implemented by the “portmap” program which is part of the “portmap” RPM package. The service uses port 111 on both the TCP and UDP protocols.

Portmapper provides the mapping between application names and IP ports, and is therefore analogous to the /etc/service file except that it relates to RPC programs only.

Firewall rules that refer to portmapper should refer to TCP/IP and UDP packets on port 111.

Status [Random port. Suggestion: 4000]

The rpc.statd server implements the NSM (Network Status Monitor) RPC protocol. This service is somewhat misnamed, since it doesn't actually provide active monitoring as one might suspect; instead, NSM implements a reboot notification service. It is used by the NFS file locking service, rpc.lockd, to implement lock recovery when the NFS server machine crashes and reboots.

The rpc.statd program is part of the “nfs-utils” RPM package.

While rpc.statd is normally allocated a random port number by the portmapper, it is possible to configure a fixed port number by supplying the “-p” command line option when the program is launched. This can be done as follows ..

Edit the file /etc/init.d/nfslock and change the “start()” procedure to add “-p” and a port number to the line “daemon rpc.statd”. The changed procedure looks like this (this change is coloured in red)..

start() {
        # Start daemons.
        if [ "$USERLAND_LOCKD" ]; then
          echo -n $"Starting NFS locking: "
          daemon rpc.lockd
          echo
        fi
        echo -n $"Starting NFS statd: "
        daemon rpc.statd -p 4000
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/nfslock
        return $RETVAL
}

Once the above change has been made, firewall rules should refer to TCP/IP and UDP packets on the chosen port. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).

NFS Daemon [Standard port: 2049]

The rpc.nfsd program implements the user level part of the NFS service. The main functionality is handled by the nfsd.o kernel module; the user space program merely starts the specified number of kernel threads.

The rpc.nfsd program normally listens on port number 2049, so firewall rules can be created to refer to that port (unless it is changed from the default value). (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).

NFS Lock Manager [Random port. Suggestion: 4001]

The NFS lock manager is a kernel module. It implements the NLM (NFS Lock Manager) part of the NFS subsystem, used for handling file and resource locks of various types. This component is sometimes referred to "rpc.lockd", and shows up in the output of rpcinfo as "nlockmgr"(hey - consistancy would only make life booring!).

On systems where the lock manager is implemented as a loadable module the port number used is set at module load time, and so is configured by adding (or editting) a line in the /etc/modules.conf file, as follows..

     options lockd nlm_udpport=4001 nlm_tcpport=4001

This sets the udp and tcp/ip port numbers. Conventionally, these two numbers should be set to the same value.

If your system has the lockd code compiled into the main kernel binary rather than as a loadable module, then the settings in modules.conf wont work. You need to add the parameters "lockd.udpport=4001 lockd.tcpport=4001" to the kernel command line in the lilo or grub configuration instead.

Note on the linux kernel versions before 2.4.12: - the handling of these parameters was introduced into linux kernel version 2.4.11. But since 2.4.11 is flagged as a "dont use" release, you should verify that your system has kernel 2.4.12 or later installed in order for this to work. Use the command "uname -a" to see the kernel version you are running.

To fix the port used by the NFS Lock Manager, add a line (as above) to /etc/modules.conf or lilo.conf (or grub.conf) as appropriate, and configure the firewall to manage the port number selected. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).

mountd [Random port. Suggestion: 4002]


The rpc.mountd program implements the NFS mount protocol. When receiving a MOUNT request from an NFS client, it checks the request againstthe list of currently exported file systems. If the client is permitted to mount the file system, rpc.mountd obtains a file handle for requested directory and returns it to the client.

While rpc.mountd is normally allocated a random port number by the portmapper, it is possible to configure a fixed port number by supplying the “-p” command line option when the program is launched. This can be done by editting or creating the file /etc/sysconfig/nfs and adding the following line..

     MOUNTD_PORT=4002

Once this edit has been made, configure the firewall to manage the port number selected. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).

rquotad [Random port. Suggestion: 4003]


rquotad is an rpc(3N) server which returns quotas for a user of a local filesystem which is mounted by a remote machine over the NFS. It also allows setting of quotas on NFS mounted filesystem. The results are used by quota(1) to display user quotas for remote filesystems and by edquota(8) to set quotas on remote filesystems. The rquotad daemon is normally started at boot time from the system startup scripts.

There are two versions of rpc.rquotad that are commonly used with linux systems, one is part of the nfs utilities, and the other comes bundled with the "quota" package. RedHat 7.x and 8.x use the "quota" package - sadly, the version they use does not have any built-in mechanism for tying down the port. Happily - version 3.08 of the quota tools package DOES allow this.

The home page of the linuxquota project is at: http://sourceforge.net/projects/linuxquota. To obtain the software, vistit the site, download the sources and build them on your platform. If you have RedHat 8.0, then you can download the RPMs from my web site, and install.

To use this package to update the existing one..

  • First verify that your system is not already running "quota" version 3.08 or later (RedHat may have provided the up-to-date version since this document was written).

  • Download the quota rpm from my web site.

  • Install in "update" mode by using the command: rpm -Uhv quota-3.08-1.rpm

Once the updated "quota" package is installed, you can "fix" the port used by rpc.rquotad as follows..

  • Check that the following line is present in the file /etc/rpc. It should be there, but if isnt, then add it yourself. NB: the number "100011" is NOT the portnumber but the fixed RPC program number - It is important that you dont change it.

    • rquotad 100011 rquotaprog quota rquota

  • Add (or modify) the following two lines to the /etc/services file (replacing the number 4003 with the port number you want rpc.rquotad to listen on).

    • rquotad 4003/tcp

    • rquotad 4003/udp

Once thes changes have been made, configure the firewall to manage the port numbers selected. (You may find the 'LinWiz://ServerFirewall' wizard helpful when setting up a firewall for Linux).