What Ports Does NFS Use

Network File System or NFS is a file system protocol that allows users to share directories and files over a network. The NFS protocol is similar to the Samba protocol. However, unlike Samba, NFS provides an encryption mechanism and authentication. In addition, NFS server access is also restricted to specified hostnames and IP addresses. That makes NFS a much better choice for remote shares compared to Samba.

In this tutorial, we will focus on the fundamental networking concepts of NFS, specifically the ports used by the NFS services. Once we understand which ports and services an NFS share relies on, we can use that knowledge to configure security measures such as firewalls and to troubleshoot connectivity problems.

How NFS Works

There are three versions of NFS supported at the time of writing this article. NFS v2 is the oldest and the most widely supported.

NFS v3 is newer than NFS v2 and offers more features such as variable size handling, improved error reporting, etc. However, NFS v3 is not compatible with NFS v2 clients.

NFS v4, the most recent version, provides new and improved features. They include stateful operations, backward compatibility with NFS v2 and NFS v3, removal of the portmapper requirement, cross-platform interoperability, better namespace handling, and built-in security with ACLs and Kerberos.

The following is a comparison of NFS v3 and NFS v4.

| Feature               | NFS v3            | NFS v4                                               |
|-----------------------|-------------------|------------------------------------------------------|
| Transport Protocol    | TCP and UDP       | TCP with UDP Support on RHEL Enterprise              |
| Permission Handling   | Unix              | Unix based, SecureNFS, and ModeBit/Kerberos and ACL  |
| Authentication Method | Auth_Sys – Weaker | Kerberos (Strong)                                    |
| Personality           | Stateless         | Stateful                                             |
| Semantics             | Unix              | Unix and Windows                                     |

The table above shows some of the features of NFS protocol 4 vs. NFS protocol 3. If you wish to learn more, consider the official document provided below:

https://datatracker.ietf.org/doc/html/rfc3530

NFS v4 does not use a portmapper, and the additional services required by NFS v2 and v3 are not needed. Therefore, in NFS v4, only port 2049 is required.

NFS v2 and v3, however, require additional ports and services, which we are going to discuss in this tutorial.

Services Required (NFS v2 and V3)

As mentioned, NFS v2 and v3 use the portmap service. The portmap service in Linux handles Remote Procedure Calls, which NFS (v2 and v3) uses to encode and decode requests between the client and the servers.

To implement NFS sharing, the following services are required. Keep in mind that this is only for NFS v2 and v3.

  • Portmapper
  • Mountd
  • Nfsd
  • Lockd
  • Statd

#: Portmapper

Portmapper service is required to run NFS both on the client and the server-side. It runs on Port 111 for both TCP and UDP protocols.

If you are implementing a firewall, ensure this port is allowed for incoming and outgoing packets.

#: Mountd

The other service required to run NFS is the mountd daemon. This service runs on the NFS server and is used to handle mount requests from the NFS clients. It is mainly handled by the nfsd service and does not require user configuration.

However, you can edit the configuration to set a static port in the file /etc/sysconfig/nfs. Locate the / and set:

MOUNTD_PORT=[port]

#: NFSD

This is the NFS daemon that runs on NFS servers. This is a critical service that works with the Linux kernel to provide functionality like server threads for all clients connected to the server.

By default, the NFS daemon is already configured to run on a static port, 2049. This port is the same for both the TCP and UDP protocols.

#: Lockd & Statd

The NFS Lock Manager daemon (lockd) and Status Manager daemon (statd) are the other services required to run NFS. These daemons run on the server-side and the client-side.

The lockd daemon allows the NFS clients to lock files on the NFS server.

On the other hand, the statd daemon is responsible for notifying the users when the NFS server gets restarted without a graceful shutdown. It implements the Network Status Monitor RPC protocol.

Although both of these services are started automatically by the nfslock service, you can configure them to run on a static port, which can be useful in firewall configurations.

To set a static port for the statd and lockd daemons, edit the /etc/sysconfig/nfs file and add the following entries.

STATD_PORT=[port]

LOCKD_TCPPORT=[port]

LOCKD_UDPPORT=[port]

Quick Recap

Let us take a look at a quick recap of what we just covered.

If you are running NFS v4, all you need is to allow port 2049. However, if you are running either NFS v2 or v3, you need to edit the /etc/sysconfig/nfs file and add the ports for the following services.

  • Mountd – MOUNTD_PORT=port
  • Statd – STATD_PORT=port
  • LOCKD – LOCKD_TCPPORT=port, LOCKD_UDPPORT=port

Finally, you need to ensure that the NFSD daemon is running on port 2049 and the portmapper on port 111.

NOTE: If the file /etc/sysconfig/nfs does not exist, create it and add the entries specified in the tutorial.

You can also check the /var/log/messages if the NFS service does not start correctly. Ensure that the ports you specified are not in use.

Example Config

The following is a configuration setting of the NFS server on a CentOS 8 server.

Once you have edited the configuration and added the necessary ports as discussed in the tutorial, restart the service:

sudo systemctl restart nfs-server.service

Next, confirm the service is running using the command:

sudo systemctl status nfs-server.service

Finally, confirm the ports running using rpcinfo as shown in the command below:

sudo rpcinfo -p
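
The check below is an added example, not part of the original tutorial: it compares the ports pinned in /etc/sysconfig/nfs with what `rpcinfo -p` reports, so a firewall rule is never written for a port the daemon is not actually using. The function names and both sample inputs are constructed for illustration; `status` and `nlockmgr` are the labels rpcinfo prints for statd and lockd.

```shell
sample_config() {   # constructed /etc/sysconfig/nfs content; statd left unpinned
cat <<'EOF'
MOUNTD_PORT=20048
#STATD_PORT=32765
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
EOF
}

sample_rpcinfo() {  # constructed `rpcinfo -p` output, not from a real host
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100024    1   udp  52817  status
    100024    1   tcp  41231  status
    100021    4   udp  45123  nlockmgr
    100021    4   tcp  32803  nlockmgr
EOF
}

# $1 = config text, $2 = rpcinfo text; prints one line per problem found.
check_nfs_ports() {
  { printf '%s\n' "$1"; echo '@@rpcinfo'; printf '%s\n' "$2"; } | awk '
    BEGIN { want["portmapper/tcp"] = want["portmapper/udp"] = 111
            want["nfs/tcp"] = want["nfs/udp"] = 2049 }
    $0 == "@@rpcinfo" { in_rpc = 1; next }
    !in_rpc {                               # KEY=port lines from the config
      if (split($0, kv, "=") != 2) next
      gsub(/[^0-9]/, "", kv[2]); if (kv[2] == "") next
      if (kv[1] == "MOUNTD_PORT")   want["mountd/tcp"] = want["mountd/udp"] = kv[2]
      if (kv[1] == "STATD_PORT")    want["status/tcp"] = want["status/udp"] = kv[2]
      if (kv[1] == "LOCKD_TCPPORT") want["nlockmgr/tcp"] = kv[2]
      if (kv[1] == "LOCKD_UDPPORT") want["nlockmgr/udp"] = kv[2]
      next
    }
    $1 ~ /^[0-9]+$/ && NF >= 5 {            # program vers proto port service
      key = $5 "/" $3
      if (seen[key, $4]++) next             # several versions share one port
      if (key in want) {
        if ($4 + 0 != want[key] + 0)
          printf "MISMATCH %s registered=%s expected=%s\n", key, $4, want[key]
      } else if ($5 ~ /^(mountd|status|nlockmgr)$/)
        printf "UNPINNED %s port=%s\n", key, $4
    }'
}

check_nfs_ports "$(sample_config)" "$(sample_rpcinfo)"
```

On a live server, call it as `check_nfs_ports "$(cat /etc/sysconfig/nfs)" "$(rpcinfo -p)"`; empty output means every registered port matches what was pinned.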

Conclusion

This tutorial discussed the networking basics of the NFS protocol and the ports and services required for NFS v2, v3, and v4.

Thank you for reading & Be a proud Geek!

About the author

John Otieno

My name is John and I am a fellow geek like you. I am passionate about all things computers, from hardware and operating systems to programming. My dream is to share my knowledge with the world and help out fellow geeks. Follow my content by subscribing to the LinuxHint mailing list.