need way to specify the lockd port

Try adding this to /etc/modules.conf:

lockd.nlm_udpport=4001 lockd.nlm_tcpport=4001

...and make sure that you have the lockd compiled as a module. (Try "sudo modprobe lockd".)

That works for me. The page that suggests it is here:

http://da.gentoo-wiki.com/HOWTO_Share_Directories_via_NFS

Perhaps we should have one of these how-tos for Ubuntu.

Florin, did DaneM's suggestion work for you?

Timo,

I switched to compiling my own kernels so I did not try Dane's suggestion.

In my case (Dapper), adding to /etc/modules.conf (actually to /etc/modutils/local-lockd and running update-moduls to populate /etc/modules.conf) didn't help, as I've verified with "cat /sys/module/lockd/parameters/nlm_*port".

The proper place was /etc/modprobe.conf, or rather /etc/modprobe.d/options.
Content the same, works fine.

BTW, maybe this should be the default. Who needs a randomized port for a service, anyway?
This isn't certainly any security measure, considering availability of application mapping tools like amap.

According to initial googling, the most commonly used static port for nfs-lockd is 4045 (tcp/udp).

Couldn't find any commonly used static numbers for statd and mountd, but I usually put them at port numbers 1000 and 1001 correspondingly.

I have the same situation. Is there a way to solve this allredy?

Hugolp, add the following to /etc/modprobe.d/options and reboot:

options lockd nlm_udpport=4045 nlm_tcpport=4045

AleksanderAdamowski, that solution worked out. I have nfs through a firewall working now. Thanks.

This affects module-init-tools which contains the default /etc/modprobe.d/options.
It already contains a hack for quickcam module:

# Enable double-buffering so gstreamer et. al. work
options quickcam compatible=2

As another solution, one could place the options in a separate file (e.g. /etc/modprobe.d/nfs-defaults) that would ship with the nfs-common package.

Added the Baltix distribution by accident. Sorry for that.

This is still a very relevant problem. I'm working on Ubuntu Jaunty, and cannot get NFS to connect through an iptables firewall because the ports keep changing. The changing ports are: nlockmgr and mountd, I don't know if status has to do with this or not, but this is a problem. All the links I have found to bind nfslockmgr (or nfs in general) tell you to edit files that don't exist on Ubuntu. A search for nfs-utils in the repos, comes up vacant. Any advances made on this would be appreciated. If I can supply any information, please let me know.

Shane

Oh, one thing: modules.conf is the wrong file. I meant modprobe.conf.

ack...AleksanderAdamowski already posted on this. modprobe.conf *should* work, but /etc/modprobe.d/options is probably a better choice. Anyway, I agree that there should be something done about this as per Shane Rice's suggestion. Perhaps edit the config files by default when installing the nfs server package...?

@DaneM - Thanks for the info, I didn't realize the old info was still good to go by.

It would be good to have something up on the Ubuntu docs page, that is usually where I look for info. If someone could write up a short how to, that would be great, at least the info would be out there and available to everyone.

Shane

My first attempt gave me this:
sudo modprobe lockd
WARNING: /etc/modprobe.conf line 1: ignoring bad line starting with 'lockd.nlm_udpport=4001'
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.

So instead of using modprobe.conf, I used /etc/modprob.d/lockd.conf

It still complains about this:
sudo modprobe lockd
WARNING: /etc/modprobe.d/lockd.conf line 2: ignoring bad line starting with 'lockd.nlm_udpport=4001'

I made my first line: #lockd options.

Not sure if this is relevant, but reporting any way.

Shane

Ok, after playing around with this, I'm getting there. I want to document this here, so at least others and even myself can benefit from this in the future. I added this line: options lockd nlm_udpport=4045 nlm_tcpport=4045 to /etc/modprobe.d/options.conf the port number can really be anything. Then I reboot and run rpcinfo -p which shows that nlockmgr is bound to that port number, and we are one step closer. However mountd still comes up with random port to use, and firewall is still blocking us out. How do we bind the mountd port? I think status may play a part in this too. We we are done with this I will have learned enough to write up a small how to. :)

Shane

Ok, after playing around with this, I'm getting there. I want to document this here, so at least others and even myself can benefit from this in the future. I added this line: options lockd nlm_udpport=4045 nlm_tcpport=4045 to /etc/modprobe.d/options.conf the port number can really be anything. Then I reboot and run rpcinfo -p which shows that nlockmgr is bound to that port number, and we are one step closer. However mountd still comes up with random port to use, and firewall is still blocking us out. How do we bind the mountd port? I think status may play a part in this too. When we are done with this I will have learned enough to write up a small how to. :)

Shane

I found this while searching the mountd man pages:

-P portnum or --port portnum
               Makes mountd listen on port portnum instead of some random port.
               By default, mountd will listen on the mount/udp port specified
               in /etc/services, or, if that is undefined, on some arbitrary
               port number below 1024.

(note the CAPITAL "P")

I looked in /etc/services (on jaunty) and saw this:

sunrpc 111/tcp portmapper # RPC 4.0 portmapper
sunrpc 111/udp portmapper
...
nfs 2049/tcp # Network File System
nfs 2049/udp # Network File System

Do you think it would wok if you were to open those ports in the firewall (assuming you haven't already)? I think that once the connection is established, the random port number becomes an established/related connection. I could be wrong. It's been a long time since I've messed with all this.

ok got it. I put up a small how-to here:
http://ubuntuforums.org/showpost.php?p=7959294&postcount=17

Hope this helps.

Shane

Excellent post! Thanks for making the how-to, Shane. You may want to consider posting this to the Ubuntu wiki, with a title something like, "Making NFS work with Ubuntu-CE-Firewall". That would make it a little easier to find.

Is there a reason why NFS can't be set to use fixed ports by default? I don't see a security issue because rpcinfo gives you the ports anyway, so if you can connect to RPC you can find the ports; obviously you'd need to ensure that they didn't conflict with anything else, but hopefully that's easier than for thousands of users to have to figure out which files to change in order to get it to use fixed ports which can be firewalled reliably.

Hi,
while clearing (admittedly way too old) bugs I've found that for this bug
the reason here IMHO can be summarized as "because that is how upstream want's it" [1] but they are aware and so are the Ubuntu [2] (this still is what Shane & Dave started) and Debian [3] help pages about it.
Nowadays also the default config in /etc/default/nfs-kernel-server hints at the problem if you want/need to run with firewalls and hints at [3]:
```
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
```

I'm not a security person, so I can't assess if there really is a security (or other) benefit of having them random by default.
But OTOH I also doubt that no one has ever tried to discuss it with upstream since I find similar pages for almost any other major Distro [4][5] and manufacturers [6].

If anyone is really annoyed by this even today I guess the way to go is to discuss that default with upstream (or find old discussions and why they failed). If someone spends the work please add a link back here so no one needs to re-find them again.

[1]: https://tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS
[2]: https://wiki.ubuntu.com/How%20to%20get%20NFS%20working%20with%20Ubuntu-CE-Firewall
[3]: https://wiki.debian.org/SecuringNFS
[4]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/storage_administration_guide/s2-nfs-nfs-firewall-config
[5]: https://www.suse.com/support/kb/doc/?id=000016649
[6]: https://www.ibm.com/docs/en/spectrum-scale/5.1.0?topic=firewall-recommendations-protocol-access