I recently decided that it's about time to set up a consistent, explicit and tight firewall policy across our Linux (mostly RHEL/CentOS) servers. One of the first issues I ran into was NFS. NFS implementations are well known for relying on the portmapper and on dynamically assigned ports for rpc.mountd (and for the lock and status daemons), and because of that dynamic assignment, firewalling NFS can be challenging.
Luckily, Red Hat's /etc/sysconfig/nfs, which is read by the init scripts for the "nfs", "nfslock" and RPC services, provides an easy way to pin the ports of all the NFS-related daemons, so one doesn't have to work around dynamic port assignment when writing firewall rules.
In /etc/sysconfig/nfs there are six different options relating to port assignment:
- RQUOTAD_PORT
- LOCKD_TCPPORT
- LOCKD_UDPPORT
- MOUNTD_PORT
- STATD_PORT
- STATD_OUTGOING_PORT
These options do not cover every port NFS uses (nfsd itself always listens on 2049 and the portmapper on 111, so those need no option), but they include the one that matters most for eliminating uncertainty: the port of rpc.mountd.
I’ve set the port options as follows:
- RQUOTAD_PORT=875
- LOCKD_TCPPORT=4045
- LOCKD_UDPPORT=4045
- MOUNTD_PORT=861
- STATD_PORT=865
- STATD_OUTGOING_PORT=866
After making the changes, restart the "nfs" and "nfslock" services and confirm with "rpcinfo -p" that the configured ports are in fact the ones in use:

    # rpcinfo -p
       program vers proto   port  service
        100000    4   tcp    111  portmapper
        100000    3   tcp    111  portmapper
        100000    2   tcp    111  portmapper
        100000    4   udp    111  portmapper
        100000    3   udp    111  portmapper
        100000    2   udp    111  portmapper
        100011    1   udp    875  rquotad
        100011    2   udp    875  rquotad
        100011    1   tcp    875  rquotad
        100011    2   tcp    875  rquotad
        100021    1   udp   4045  nlockmgr
        100021    3   udp   4045  nlockmgr
        100021    4   udp   4045  nlockmgr
        100021    1   tcp   4045  nlockmgr
        100021    3   tcp   4045  nlockmgr
        100021    4   tcp   4045  nlockmgr
        100003    2   tcp   2049  nfs
        100003    3   tcp   2049  nfs
        100003    4   tcp   2049  nfs
        100003    2   udp   2049  nfs
        100003    3   udp   2049  nfs
        100003    4   udp   2049  nfs
        100005    1   udp    861  mountd
        100005    1   tcp    861  mountd
        100005    2   udp    861  mountd
        100005    2   tcp    861  mountd
        100005    3   udp    861  mountd
        100005    3   tcp    861  mountd
        100024    1   udp    865  status
        100024    1   tcp    865  status
With every daemon on a fixed port, the firewall rules for NFS only need to allow the following from (and to) the applicable client address range(s); note that 866 (STATD_OUTGOING_PORT) is the source port rpc.statd sends its notifications from, which is why it appears only in the outgoing list:
- Incoming and Outgoing ICMP type 3
- Incoming TCP and UDP ports 111, 861, 865, 875, 2049, 4045
- Outgoing TCP and UDP ports 111, 861, 865, 866, 875, 2049, 4045
These rules can be configured with whatever firewall tooling you prefer (I'm using fwbuilder to manage iptables rules). Firewalls are often configured to allow all outgoing connections; if that's the case with yours, the specific outgoing rules are unnecessary. I've been testing this configuration for two days now and all seems well.
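To turn the procedure above into something repeatable, here is an added shell example (my own, not from the original post) that does two things: it parses `rpcinfo -p` output and reports any NFS service that is not registered on the port set in /etc/sysconfig/nfs (or is not registered at all), and it prints the iptables rules for that port set. The service-to-port table is taken from the settings shown above; the client range 192.168.1.0/24, the sample `rpcinfo` listings and the stray port 32803 in the "bad" sample are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the NFS daemons
# landed on the ports pinned in /etc/sysconfig/nfs, and emit matching
# iptables rules. Service->port table is taken from the post's settings;
# the client CIDR and the rpcinfo samples below are constructed assumptions.

# Service names exactly as rpcinfo -p prints them, with the expected port.
expected_ports() {
  cat <<'EOF'
portmapper 111
rquotad 875
nlockmgr 4045
nfs 2049
mountd 861
status 865
EOF
}

# check_rpc_ports: read `rpcinfo -p` output on stdin. Print one line per
# registration that is on the wrong port and one line per expected service
# that is not registered at all. Return 0 only if everything matches.
check_rpc_ports() {
  awk -v table="$(expected_ports)" '
    BEGIN {
      n = split(table, rows, "\n")
      for (i = 1; i <= n; i++) { split(rows[i], f, " "); want[f[1]] = f[2] }
    }
    NR == 1 { next }                     # skip "program vers proto port service"
    NF == 5 && ($5 in want) {
      seen[$5] = 1
      if ($4 != want[$5]) {
        bad++
        printf "%s v%s/%s is on port %s, expected %s\n", $5, $2, $3, $4, want[$5]
      }
    }
    END {
      for (s in want) if (!(s in seen)) { bad++; printf "%s is not registered\n", s }
      exit (bad ? 1 : 0)
    }'
}

# nfs_iptables_rules CLIENT_CIDR: print (do not apply) iptables rules for the
# pinned port set. 866 is the source port rpc.statd sends from
# (STATD_OUTGOING_PORT), so it is matched with --sport in OUTPUT only.
nfs_iptables_rules() {
  cidr=$1
  ports="111,861,865,875,2049,4045"
  printf 'iptables -A INPUT  -s %s -p icmp --icmp-type destination-unreachable -j ACCEPT\n' "$cidr"
  printf 'iptables -A OUTPUT -d %s -p icmp --icmp-type destination-unreachable -j ACCEPT\n' "$cidr"
  for proto in tcp udp; do
    printf 'iptables -A INPUT  -s %s -p %s -m multiport --dports %s -j ACCEPT\n' "$cidr" "$proto" "$ports"
    printf 'iptables -A OUTPUT -d %s -p %s -m multiport --dports %s -j ACCEPT\n' "$cidr" "$proto" "$ports"
  done
  printf 'iptables -A OUTPUT -d %s -p udp --sport 866 -j ACCEPT\n' "$cidr"
  printf 'iptables -A OUTPUT -d %s -p tcp --sport 866 -j ACCEPT\n' "$cidr"
}

# Constructed sample: a condensed version of the healthy listing above.
GOOD_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100011    1   udp    875  rquotad
    100021    4   tcp   4045  nlockmgr
    100003    3   tcp   2049  nfs
    100005    3   tcp    861  mountd
    100024    1   udp    865  status'

# Constructed sample: mountd still on a portmapper-assigned port, statd absent.
BAD_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100011    1   udp    875  rquotad
    100021    4   tcp   4045  nlockmgr
    100003    3   tcp   2049  nfs
    100005    3   tcp  32803  mountd'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$GOOD_RPCINFO" | check_rpc_ports && echo "ports OK"
  printf '%s\n' "$BAD_RPCINFO"  | check_rpc_ports || echo "fix /etc/sysconfig/nfs, then restart nfs and nfslock"
  nfs_iptables_rules 192.168.1.0/24
fi
```

On a real server, pipe the live listing in with `rpcinfo -p | check_rpc_ports` after restarting the services; a non-zero exit means a daemon ignored its port option (typically because the service was not restarted or the option name was misspelled). The rules are printed rather than applied so they can be reviewed, or fed into fwbuilder or a restore file, before anything changes on the box.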