NFS needs firewall/NAT support
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nfs-utils (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
For firewalls and NAT, NFS is a major hassle. It uses several random ports by default. If they are set static, then every other client and server has to use the same ones, else they won't connect. For laptop users who need to connect to a private LAN with NFS and then to other public WiFi hotspots or LANs of suspect security, they either have to disable NFS (not easy) or block all ports with a firewall, which then gets in the way of private LAN usage.
There are two solutions. One is to set static ports by default and then create a firewall rule for them. The problem is that there are no standard ports except for portmap on 111 and nfsd on 2049. The commonly used unofficial ranges, 32765:32768 and 4000:4002, conflict with several other unofficial usages by other applications (like commercial games including Blizzard.net). I discovered this while working on a bunch of UFW application profiles (attached to bug# 659619). These ranges apparently come from:
http://
http://
A safer range I found is 4194-4198 (statd, statd_bc, mountd, lockd, and quota, respectively). To make these useful they would need to be standardized across distros and registered according to RFC4340 to discourage third-party conflicts:
http://
The better but more difficult solution is to develop a nf_conntrack module for NFS, as already exists for Samba and saned. This would allow random ports to be used.
According to upstream this problem should be eliminated with NFS v4.1: www.spinics.net/lists/linux-nfs/msg18342.html
http://
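The first solution from the description (static ports plus a firewall rule), as an added shell example that is not part of this bug report: it pins the NFSv3 helper daemons to the proposed 4194-4198 range, emits ufw rules restricted to one trusted LAN, and audits `rpcinfo -p` output for any helper still registered on a random port. The Ubuntu `/etc/default/nfs-*` variable names, the LAN subnet and the rpcinfo sample are assumptions or constructed placeholders.

```shell
# Added example (not from the bug report): pin NFSv3 helpers to the 4194-4198
# range proposed above, emit ufw rules, and audit `rpcinfo -p` for stragglers.

STATD_PORT=4194      # rpc.statd listening port
STATD_BC_PORT=4195   # rpc.statd outgoing (callback) port
MOUNTD_PORT=4196     # rpc.mountd
LOCKD_PORT=4197      # kernel lockd (NLM), tcp and udp
QUOTA_PORT=4198      # rpc.rquotad (takes -p; defaults-file key varies by package)

# Config fragments pinning each daemon (Ubuntu /etc/default/nfs-* variable names assumed).
nfs_static_port_config() {
    echo "# /etc/default/nfs-common"
    echo "STATDOPTS=\"--port $STATD_PORT --outgoing-port $STATD_BC_PORT\""
    echo "# /etc/default/nfs-kernel-server"
    echo "RPCMOUNTDOPTS=\"--manage-gids --port $MOUNTD_PORT\""
    echo "# /etc/sysctl.d/nfs-static-ports.conf (lockd runs in the kernel)"
    echo "fs.nfs.nlm_tcpport = $LOCKD_PORT"
    echo "fs.nfs.nlm_udpport = $LOCKD_PORT"
}

# ufw rules opening portmap, nfsd and the pinned range to one trusted LAN only.
nfs_ufw_rules() {
    lan="${1:-192.0.2.0/24}"   # constructed placeholder; pass the real private subnet
    for proto in tcp udp; do
        echo "ufw allow from $lan to any port 111,2049,$STATD_PORT:$QUOTA_PORT proto $proto"
    done
}

# Audit: read `rpcinfo -p` output on stdin; print "service port" for each NFS
# helper registered with portmap on a port other than its pinned one.
nfs_unpinned_ports() {
    awk -v statd="$STATD_PORT" -v mountd="$MOUNTD_PORT" \
        -v lockd="$LOCKD_PORT" -v quota="$QUOTA_PORT" '
        BEGIN { want["status"] = statd; want["mountd"] = mountd
                want["nlockmgr"] = lockd; want["rquotad"] = quota }
        NF == 5 && ($5 in want) && $4 != want[$5] && !seen[$5 " " $4]++ { print $5, $4 }'
}

# Constructed `rpcinfo -p` sample: everything pinned except rquotad.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    1   udp   4196  mountd
    100005    3   tcp   4196  mountd
    100021    1   udp   4197  nlockmgr
    100024    1   udp   4194  status
    100011    1   udp  32768  rquotad'

printf '%s\n' "$SAMPLE_RPCINFO" | nfs_unpinned_ports   # prints: rquotad 32768
```

Run the audit against the real `rpcinfo -p` output after restarting the NFS services; an empty result means the firewall range above covers every helper.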