Install the NFS kernel server package (or nfs-user-server if you prefer):
aptitude install nfs-kernel-server
In /etc/hosts.deny, deny access to all comers:
mountd: ALL
statd: ALL
portmap: ALL
rquotad: ALL
Then in /etc/hosts.allow, let the good guys through (adjust for your network):
mountd: 192.168.1.1 192.168.1.2
statd: 192.168.1.1 192.168.1.2
portmap: 192.168.1.1 192.168.1.2
rquotad: 192.168.1.1 192.168.1.2
ypserv: 192.168.1.1 192.168.1.2
We need to configure static port numbers for the various services by editing their configuration files in /etc/default (the init scripts read these files):
/etc/default/nfs-common
STATDOPTS="--port 32765 --outgoing-port 32766"
/etc/default/nfs-kernel-server
RPCMOUNTDOPTS="-p 32767"
/etc/default/quota
RPCRQUOTADOPTS="-p 32769"
The nfs daemon (rpc.nfsd or just nfsd) will listen on port 2049 by default if no port is specified.
Update /etc/services:
# NFS ports as per the NFS-HOWTO
# http://www.tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS
# Listing here does not mean they will bind to these ports.
rpc.nfsd        2049/tcp        # RPC nfsd
rpc.nfsd        2049/udp        # RPC nfsd
rpc.statd-bc    32765/tcp       # RPC statd broadcast
rpc.statd-bc    32765/udp       # RPC statd broadcast
rpc.statd       32766/tcp       # RPC statd listen
rpc.statd       32766/udp       # RPC statd listen
rpc.mountd      32767/tcp       # RPC mountd
rpc.mountd      32767/udp       # RPC mountd
rpc.lockd       32768/tcp       # RPC lockd/nlockmgr
rpc.lockd       32768/udp       # RPC lockd/nlockmgr
rpc.quotad      32769/tcp       # RPC quotad
rpc.quotad      32769/udp       # RPC quotad
I created /etc/modprobe.d/options.local to provide the lockd module with options.
# /etc/modprobe.d/options.local
options lockd nlm_udpport=32768 nlm_tcpport=32768
An example of allowing a firewall server to make NFS mounts to an internal server.
This rule set for the shorewall firewall allows traffic for portmap (111), nfs (2049) and the static ports configured above (32765 to 32769).
###########################################################
# NFS SERVER                                              #
###########################################################
ACCEPT net:192.168.1.1 $FW udp 111
ACCEPT net:192.168.1.2 $FW tcp 111
ACCEPT net:192.168.1.1 $FW udp 2049
ACCEPT net:192.168.1.2 $FW tcp 2049
ACCEPT net:192.168.1.1 $FW udp 32765:32769
ACCEPT net:192.168.1.2 $FW tcp 32765:32769
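A quick check that the RPC services registered with portmap really sit on the static ports the firewall rules above open (an added example, not part of the original HOWTO; the `rpcinfo -p` sample it parses is constructed, and the expected-port map is taken from the /etc/default settings above):

```shell
#!/bin/sh
# Added example (not from the HOWTO): confirm the RPC services registered
# with portmap sit on the static ports configured above, so the shorewall
# rules that only open 111, 2049 and 32765:32769 actually let them through.

# Expected service -> port map, taken from the /etc/default settings above.
EXPECTED_PORTS="portmapper:111 nfs:2049 status:32765 mountd:32767 nlockmgr:32768 rquotad:32769"

# check_rpc_ports: reads 'rpcinfo -p' output on stdin and prints one line for
# every registration whose port differs from the expected one.
# Exit status is 0 when everything matches, 1 otherwise.
check_rpc_ports() {
    awk -v expected="$EXPECTED_PORTS" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, ":")
                want[kv[1]] = kv[2]
            }
        }
        # Data lines look like: program vers proto port service (header skipped)
        NF == 5 && $1 ~ /^[0-9]+$/ {
            if ($5 in want && want[$5] != $4) {
                printf "MISMATCH %s/%s on port %s (expected %s)\n", $5, $3, $4, want[$5]
                bad++
            }
        }
        END { exit (bad > 0) ? 1 : 0 }
    '
}

# Constructed sample of 'rpcinfo -p' output: mountd has ignored RPCMOUNTDOPTS
# and taken a dynamic port, which the firewall rules above would block.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp  32765  status
    100003    2   tcp   2049  nfs
    100005    1   udp  46012  mountd'

# On a real server run: rpcinfo -p | check_rpc_ports
printf '%s\n' "$SAMPLE_RPCINFO" | check_rpc_ports \
    || echo "Static-port configuration not applied; restart the NFS services and re-check."
```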
Set up some exports in /etc/exports:
/home 192.168.1.1(rw,sync) 192.168.1.2(rw,sync)
Install the nfs-client packages and portmap:
aptitude install nfs-common portmap
Configure statd on the client to use fixed ports (portmap itself stays on 111):
# /etc/default/nfs-common
STATDOPTS="--port 32765 --outgoing-port 32766"
In /etc/hosts.deny, deny access:
mountd: ALL
statd: ALL
portmap: ALL
rquotad: ALL
Then in /etc/hosts.allow, let the good guys through (adjust for your network):
mountd: 192.168.1.1 192.168.1.2
statd: 192.168.1.1 192.168.1.2
portmap: 192.168.1.1 192.168.1.2
rquotad: 192.168.1.1 192.168.1.2
ypserv: 192.168.1.1 192.168.1.2
Configure the firewall on the client to allow incoming connections to portmap as shown below:
###########################################################
# PORTMAP                                                 #
###########################################################
ACCEPT net:192.168.1.1 $FW udp 111
ACCEPT net:192.168.1.2 $FW tcp 111
ACCEPT net:192.168.1.1 $FW udp 32765:32769
ACCEPT net:192.168.1.2 $FW tcp 32765:32769
Manually test mounting an nfs export:
mount 192.168.1.1:/home /home
To mount it automatically at boot, add the export to /etc/fstab:
192.168.1.1:/home /home nfs rw,rsize=8192,wsize=8192,hard,intr,udp,noatime 0 0
Article from Andy's Debian HOWTOs (http://www.besy.co.uk/debian/debian)