I am a happy shoreline firewall user—port number-based rules, defined by editing a simple text file (/etc/shorewall/rules) in archlinux, kicked off by a daemon process. All of this makes for a low-entropy approach to software firewalling.
HOWEVER! NFS requires five daemons to run; they modprobe (at least) five userland modules: (nfs, nfsd, lockd, sunrpc, exportfs). The daemons and default service port numbers are:
portmapper         111
nfs                2049
nlockmgr (lockd)   dynamic
status (statd)     dynamic
mountd             dynamic
<rant>I do not understand why nfs has dynamic port allocations by default. What if SSH started up on random ports? Would that make a lick of sense? (It would make about as much sense as using sshfs to stream music on a LAN; something, incidentally, that I once did, before I asked myself whether Carly Simon’s music really needed to be encrypted.)</rant>
So, I’m a (grudging) NFS user—and it turns out it is possible to make NFS use static ports. Yaay! As noted, I’m a big fan of reducing entropy in my Linux systems. So it was with a cringe that I read this forums.archlinux post, stating that the lockd module needs module flags, and that a good place for those might be in the grub.conf file. Puke. Come on archlinux!
So I went back to the Ubuntu post, where the author (inexplicably, and in lieu of [code] tags) advises readers to make the following edit:
start-stop-daemon --start --oknodo --quiet --exec /usr/sbin/rpc.mountd -- -P 4002
In other words, add [dash dash space dash Capital “P” space 4002] to the one in the “start)” section
IN OTHER WORDS, it’s amazing that the average Ubuntu user can remember to breathe. OK, OK, I kid ;o)
Here’s the equivalent archlinux recipe. Unsurprisingly, it’s exceedingly easy to figure this out (no five hours for this distro). More like 15 minutes:
/etc/conf.d/nfs-common.conf:
NEED_STATD=
# -p: port statd listens on; -o: source port sm-notify uses for reboot notifications
STATD_OPTS="-p 14619 -o 14620"
SMNOTIFY_OPTS=""
NEED_IDMAPD=
IDMAPD_OPTS=
NEED_GSSD=
GSSD_OPTS=
PIPEFS_MOUNTPOINT=
/etc/conf.d/nfs-server.conf:
PIPEFS_MOUNTOPTS=
NFSD_OPTS=
NFSD_COUNT=
PROCNFSD_MOUNTPOINT=
PROCNFSD_MOUNTOPTS=
# pin mountd to a fixed port instead of a dynamic one
MOUNTD_OPTS="--no-nfs-version 1 --no-nfs-version 2 --port 14621"
NEED_SVCGSSD=
SVCGSSD_OPTS=
/etc/modules.d/lockd:
# pin the kernel lock manager to a fixed port for both tcp and udp
options lockd nlm_tcpport=12133 nlm_udpport=12133
rmmod lockd and modprobe it back; bounce /etc/rc.d/nfs-server, and add the following shorewall rules (bouncing shorewall after):
#ACTION SOURCE                DEST  PROTO  DEST PORT(S)
ACCEPT  net:192.168.1.0/24    $FW   tcp    111,2049,14619,14620,14621,12133
ACCEPT  net:192.168.1.0/24    $FW   udp    111,2049,14619,14620,14621,12133
This opens up the server to the ports needed on the LAN.
The final step is to configure the client so it knows which ports to connect to:
/etc/conf.d/nfs-common.conf:
NEED_STATD=
STATD_OPTS="-p 14620 -o 14619"
SMNOTIFY_OPTS=""
NEED_IDMAPD=
IDMAPD_OPTS=
NEED_GSSD=
GSSD_OPTS=
PIPEFS_MOUNTPOINT=
/etc/conf.d/nfs-server.conf:
PIPEFS_MOUNTOPTS=
NFSD_OPTS=
NFSD_COUNT=
PROCNFSD_MOUNTPOINT=
PROCNFSD_MOUNTOPTS=
MOUNTD_OPTS="--no-nfs-version 1 --no-nfs-version 2"
NEED_SVCGSSD=
SVCGSSD_OPTS=
Note that the two port numbers in STATD_OPTS are swapped between the server and the client.
rpcinfo -p localhost should show the following:
program vers proto port service
100000 2 tcp 111 portmapper
100024 1 udp 14619 status
100024 1 tcp 14619 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 12133 nlockmgr
100021 3 udp 12133 nlockmgr
100021 4 udp 12133 nlockmgr
100021 1 tcp 12133 nlockmgr
100021 3 tcp 12133 nlockmgr
100021 4 tcp 12133 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 3 udp 14621 mountd
100005 3 tcp 14621 mountd
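As an added check (example code written for this page, not from the original post), here is a small Python script that parses rpcinfo -p output, flags any RPC service still registered on something other than its pinned port, and derives the DEST PORT(S) column for the shorewall rules from the same map. The EXPECTED_PORTS map and the sample output are built from the recipe above; the 38911 statd entry is made up to show what a miss looks like.

```python
import subprocess

# Pinned ports from the server recipe above (assumption: they match your conf.d files).
EXPECTED_PORTS = {
    "portmapper": 111,
    "nfs": 2049,
    "status": 14619,
    "nlockmgr": 12133,
    "mountd": 14621,
}

# Constructed sample in `rpcinfo -p` format: the registrations from the post, plus
# one statd entry on a dynamic port (38911, made up) to show what a miss looks like.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp  14619  status
    100003    3   tcp   2049  nfs
    100021    4   tcp  12133  nlockmgr
    100005    3   tcp  14621  mountd
    100024    1   udp  38911  status
"""

def parse_rpcinfo(text):
    """Return (service, proto, port) tuples from `rpcinfo -p` output."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # header or blank line
        # Unknown program numbers print no service name; keep them as "?"
        # so they are reported rather than silently dropped.
        service = fields[4] if len(fields) > 4 else "?"
        entries.append((service, fields[2], int(fields[3])))
    return entries

def find_strays(entries, expected=EXPECTED_PORTS):
    """Entries whose service is unknown or is not on its pinned port."""
    return [e for e in entries if expected.get(e[0]) != e[2]]

def shorewall_ports(expected=EXPECTED_PORTS):
    """The DEST PORT(S) column for the shorewall rules, derived from the pinned map."""
    return ",".join(str(p) for p in sorted(set(expected.values())))

if __name__ == "__main__":
    out = subprocess.run(["rpcinfo", "-p", "localhost"],
                         capture_output=True, text=True, check=True).stdout
    for service, proto, port in find_strays(parse_rpcinfo(out)):
        print(f"{service}/{proto} registered on unexpected port {port}")
    print("shorewall port list:", shorewall_ports())
```

Run it on the server after bouncing nfs-server; an empty stray list means every registration landed where the firewall rules expect it.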
Fin!