NFS needs firewall/NAT support

Bug #688446 reported by jhansonxi
Affects: nfs-utils (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: not set

Bug Description

For firewalls and NAT, NFS is a major hassle. It uses several random ports by default. If they are set static, then every other client and server has to use the same ones, else they won't connect. For laptop users who need to connect to a private LAN with NFS and then to other public WiFi hotspots or LANs of suspect security, they either have to disable NFS (not easy) or block all ports with a firewall, which then gets in the way of private LAN usage.

There are two solutions. One is to set static ports by default and then create a firewall rule for them. The problem is that there are no standard ports except for portmap on 111 and nfsd on 2049. The commonly used unofficial ranges, 32765:32768 and 4000:4002, conflict with several other unofficial usages by other applications (like commercial games including Blizzard.net). I discovered this while working on a bunch of UFW application profiles (attached to bug# 659619). These ranges apparently come from:
http://tldp.org/HOWTO/NFS-HOWTO/security.html
http://www.lowth.com/LinWiz/nfs_help.html

A safer range I found is 4194-4198 (statd, statd_bc, mountd, lockd, and quota, respectively). To make these useful they would need to be standardized across distros and registered according to RFC4340 to discourage third-party conflicts:
http://tools.ietf.org/html/rfc4340#section-19.9

The better but more difficult solution is to develop a nf_conntrack module for NFS, like the ones that already exist for Samba and saned. This would allow random ports to be used.
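An added example, not from the report or from nfs-utils, of the check a practitioner would run before applying the first solution: a POSIX shell script that compares a constructed `rpcinfo -p` listing against the pinned set (111, 2049 and the 4194-4198 block proposed above) and emits the matching UFW application profile. The sample listing, the assignment of services to ports within 4194-4198 and the profile wording are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (not captured from a real host):
# mountd and nlockmgr landed on random ports, statd was pinned to 4194.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    1   udp  45812  mountd
    100021    1   udp  32768  nlockmgr
    100024    1   udp   4194  status'

# Ports the firewall will admit: portmap (111), nfsd (2049) and the
# 4194-4198 block the report proposes for statd/statd_bc/mountd/lockd/quota.
ALLOWED_PORTS='111 2049 4194 4195 4196 4197 4198'

# nfs_port_violations RPCINFO_TEXT
# Prints "service port" for every NFS-related RPC service registered on a
# port outside ALLOWED_PORTS; exits 0 when all are pinned, 1 otherwise.
nfs_port_violations() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $5 ~ /^(portmapper|nfs|mountd|nlockmgr|status|rquotad)$/ && !($4 in ok) {
            print $5, $4; bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# nfs_ufw_profile
# Emits a UFW application profile (/etc/ufw/applications.d format) that
# opens exactly the pinned ports, so "ufw allow NFS" is all a LAN needs.
nfs_ufw_profile() {
    cat <<'EOF'
[NFS]
title=Network File System
description=rpcbind, nfsd and statd/mountd/lockd/quota pinned to 4194-4198
ports=111,2049,4194:4198/tcp|111,2049,4194:4198/udp
EOF
}

# Check the sample before opening the firewall; on a real host use
# nfs_port_violations "$(rpcinfo -p)" instead of the constructed text.
nfs_port_violations "$SAMPLE_RPCINFO" ||
    echo 'unpinned NFS ports found; pin them before allowing 111,2049,4194:4198'
```

Run the check again after restarting the NFS services with the ports pinned; only when it exits 0 does the profile actually cover every listener.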

jhansonxi (jhansonxi) wrote :

According to upstream this problem should be eliminated with NFS v4.1
http://www.spinics.net/lists/linux-nfs/msg18342.html

jhansonxi (jhansonxi) wrote :

Fixed as of 4.1 as it only uses port 2049 now.

Changed in nfs-utils (Ubuntu):
status: New → Invalid