need way to specify the lockd port

Reported by Florin Iucha on 2006-01-16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
module-init-tools
Invalid
Undecided
Unassigned
module-init-tools (Baltix)
Undecided
Unassigned
module-init-tools (Ubuntu)
Undecided
Unassigned
nfs-utils (Ubuntu)
Wishlist
Unassigned

Bug Description

I am using nfs v3 through a firewall and I am specifying the statd port in /etc/defaults/nfs-common and the mountd port in /etc/defaults/nfs-kernel-server but there is no way to specify the lockd port.

I have added
   fs.nfs.nlm_tcpport=4001
   fs.nfs.nlm_udpport=4001
to /etc/sysctl.conf but during bootup I get an error that the directory entries are not available (because nfs is a module) yet.

I am also doing an
   echo 4001 > /proc/sys/fs/nfs/nlm_tcpport
   echo 4001 > /proc/sys/fs/nfs/nlm_udpport
at the beginning of /etc/init.d/nfs-common but it fails for a similar reason to set it when it is run for the first time.

In order to get it working I have to restart the services after the machine is booted up.

DaneM (dmutters) wrote :

Try adding this to /etc/modules.conf:

lockd.nlm_udpport=4001 lockd.nlm_tcpport=4001

...and make sure that you have the lockd compiled as a module. (Try "sudo modprobe lockd".)

That works for me. The page that suggests it is here:

http://da.gentoo-wiki.com/HOWTO_Share_Directories_via_NFS

Perhaps we should have one of these how-tos for Ubuntu.

Timo Aaltonen (tjaalton) wrote :

Florin, did DaneM's suggestion work for you?

Florin Iucha (florin-iucha) wrote :

Timo,

I switched to compiling my own kernels so I did not try Dane's suggestion.

In my case (Dapper), adding to /etc/modules.conf (actually to /etc/modutils/local-lockd and running update-modules to populate /etc/modules.conf) didn't help, as I've verified with "cat /sys/module/lockd/parameters/nlm_*port".

The proper place was /etc/modprobe.conf, or rather /etc/modprobe.d/options.
Content the same, works fine.

BTW, maybe this should be the default. Who needs a randomized port for a service, anyway?
This certainly isn't any security measure, considering availability of application mapping tools like amap.

According to initial googling, the most commonly used static port for nfs-lockd is 4045 (tcp/udp).

Couldn't find any commonly used static numbers for statd and mountd, but I usually put them at port numbers 1000 and 1001 correspondingly.

hugolp (hugolp2) wrote :

I have the same situation. Is there a way to solve this already?

Hugolp, add the following to /etc/modprobe.d/options and reboot:

options lockd nlm_udpport=4045 nlm_tcpport=4045

hugolp (hugolp2) wrote :

AleksanderAdamowski, that solution worked out. I have nfs through a firewall working now. Thanks.

This affects module-init-tools which contains the default /etc/modprobe.d/options.
It already contains a hack for quickcam module:

# Enable double-buffering so gstreamer et. al. work
options quickcam compatible=2

As another solution, one could place the options in a separate file (e.g. /etc/modprobe.d/nfs-defaults) that would ship with the nfs-common package.

Added the Baltix distribution by accident. Sorry for that.

Timo Aaltonen (tjaalton) on 2008-02-28
Changed in module-init-tools:
status: New → Invalid
Charles Hooper (chooper) on 2009-08-15
Changed in nfs-utils (Ubuntu):
status: New → Confirmed
Shane Rice (shane2peru) wrote :

This is still a very relevant problem. I'm working on Ubuntu Jaunty, and cannot get NFS to connect through an iptables firewall because the ports keep changing. The changing ports are: nlockmgr and mountd, I don't know if status has to do with this or not, but this is a problem. All the links I have found to bind nfslockmgr (or nfs in general) tell you to edit files that don't exist on Ubuntu. A search for nfs-utils in the repos, comes up vacant. Any advances made on this would be appreciated. If I can supply any information, please let me know.

Shane

Oh, one thing: modules.conf is the wrong file. I meant modprobe.conf.

DaneM (dmutters) wrote :

ack...AleksanderAdamowski already posted on this. modprobe.conf *should* work, but /etc/modprobe.d/options is probably a better choice. Anyway, I agree that there should be something done about this as per Shane Rice's suggestion. Perhaps edit the config files by default when installing the nfs server package...?

Shane Rice (shane2peru) wrote :

@DaneM - Thanks for the info, I didn't realize the old info was still good to go by.

It would be good to have something up on the Ubuntu docs page, that is usually where I look for info. If someone could write up a short how to, that would be great, at least the info would be out there and available to everyone.

Shane

Shane Rice (shane2peru) wrote :

My first attempt gave me this:
sudo modprobe lockd
WARNING: /etc/modprobe.conf line 1: ignoring bad line starting with 'lockd.nlm_udpport=4001'
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.

So instead of using modprobe.conf, I used /etc/modprobe.d/lockd.conf

It still complains about this:
sudo modprobe lockd
WARNING: /etc/modprobe.d/lockd.conf line 2: ignoring bad line starting with 'lockd.nlm_udpport=4001'

I made my first line: #lockd options.

Not sure if this is relevant, but reporting anyway.

Shane

Shane Rice (shane2peru) wrote :

Ok, after playing around with this, I'm getting there. I want to document this here, so at least others and even myself can benefit from this in the future. I added this line: options lockd nlm_udpport=4045 nlm_tcpport=4045 to /etc/modprobe.d/options.conf; the port number can really be anything. Then I reboot and run rpcinfo -p, which shows that nlockmgr is bound to that port number, and we are one step closer. However, mountd still comes up with a random port to use, and the firewall is still blocking us out. How do we bind the mountd port? I think status may play a part in this too. When we are done with this I will have learned enough to write up a small how-to. :)

Shane
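
Added example (not part of the original thread or any commenter's post): a shell check that compares `rpcinfo -p` output against the pinned ports, so a reboot that leaves mountd or statd on an ephemeral port is caught before the firewall rules silently stop matching. The function name `unpinned_services`, the `service=port` pin format and the sample output are assumptions constructed for illustration; the port values are the ones mentioned in this thread.

```shell
#!/bin/sh
# Added example: report RPC services registered on ports other than the pinned ones.

# Pins as "service=port" words. 4045 (lockd) and 1000/1001 (statd/mountd) are the
# values mentioned in this thread; adjust to match your firewall rules.
EXPECTED_PINS='nlockmgr=4045 status=1000 mountd=1001'

# Constructed sample of `rpcinfo -p` output (not captured from a real host):
# lockd and statd are pinned, mountd is still on ephemeral ports.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1000  status
    100024    1   tcp   1000  status
    100021    1   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100003    3   tcp   2049  nfs
    100005    1   udp  38211  mountd
    100005    3   udp  38211  mountd
    100005    1   tcp  51642  mountd
    100005    3   tcp  51642  mountd'

# unpinned_services PINS  (reads `rpcinfo -p` output on stdin)
# Prints one "service/proto port (want N)" line per deviating registration.
unpinned_services() {
    awk -v pins="$1" '
        BEGIN {
            n = split(pins, words, " ")
            for (i = 1; i <= n; i++) {
                split(words[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        # Data rows only: the header row has no numeric port in field 4.
        $4 ~ /^[0-9]+$/ && ($5 in want) && $4 != want[$5] {
            key = $5 "/" $3 " " $4
            if (!(key in seen)) {      # each RPC version repeats the same port
                seen[key] = 1
                printf "%s (want %s)\n", key, want[$5]
            }
        }'
}

# Live use: rpcinfo -p | unpinned_services "$EXPECTED_PINS"
printf '%s\n' "$SAMPLE_RPCINFO" | unpinned_services "$EXPECTED_PINS"
```

Empty output means every listed service is on its pinned port; services absent from the pin list (portmapper, nfs) are ignored because they already use fixed ports 111 and 2049.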

DaneM (dmutters) wrote :

I found this while searching the mountd man pages:

-P portnum or --port portnum
               Makes mountd listen on port portnum instead of some random port.
               By default, mountd will listen on the mount/udp port specified
               in /etc/services, or, if that is undefined, on some arbitrary
               port number below 1024.

(note the CAPITAL "P")

I looked in /etc/services (on jaunty) and saw this:

sunrpc 111/tcp portmapper # RPC 4.0 portmapper
sunrpc 111/udp portmapper
...
nfs 2049/tcp # Network File System
nfs 2049/udp # Network File System

Do you think it would work if you were to open those ports in the firewall (assuming you haven't already)? I think that once the connection is established, the random port number becomes an established/related connection. I could be wrong. It's been a long time since I've messed with all this.

Shane Rice (shane2peru) wrote :

ok got it. I put up a small how-to here:
http://ubuntuforums.org/showpost.php?p=7959294&postcount=17

Hope this helps.

Shane

DaneM (dmutters) wrote :

Excellent post! Thanks for making the how-to, Shane. You may want to consider posting this to the Ubuntu wiki, with a title something like, "Making NFS work with Ubuntu-CE-Firewall". That would make it a little easier to find.

MarkG (movieman523) wrote :

Is there a reason why NFS can't be set to use fixed ports by default? I don't see a security issue because rpcinfo gives you the ports anyway, so if you can connect to RPC you can find the ports; obviously you'd need to ensure that they didn't conflict with anything else, but hopefully that's easier than for thousands of users to have to figure out which files to change in order to get it to use fixed ports which can be firewalled reliably.
