This document is intended to give you detailed steps for making NFS bind
to user-specified ports instead of random ports assigned by the
portmapper. This makes it *much* easier to run a firewall on the NFS
server, as you don't have to kludge something to find the NFS ports at
each boot to open them with iptables.

NOTE: This was written for Slackware Linux, but the general ideas should
apply on pretty much any distribution.

************************************************************************
If you are on the -current development branch leading to Slackware 15.0
(or Slackware 15.0), ignore the rest of this document: all necessary
changes can be made in /etc/default/rpc and /etc/default/nfs
************************************************************************

First, you'll want (it's not necessary, but handy to have for later) to
make sure all of this is in /etc/services. I made sure "NFS" is in all
of what I added or modified so that I can easily remove them (or just
find them) if I need them later. Note that many of these are *local*
additions - they are not official IANA assignments.

sunrpc          111/tcp         # SUN Remote Procedure Call
sunrpc          111/udp         # SUN Remote Procedure Call
nfsd            2049/tcp        # NFS server daemon
nfsd            2049/udp        # NFS server daemon
rpc.nfs-cb      32764/tcp       # RPC nfs callback
rpc.nfs-cb      32764/udp       # RPC nfs callback
status          32765/udp       # NFS status (listen)
status          32765/tcp       # NFS status (listen)
status          32766/udp       # NFS status (send)
status          32766/tcp       # NFS status (send)
mountd          32767/udp       # NFS mountd
mountd          32767/tcp       # NFS mountd
lockd           32768/udp       # NFS lock daemon/manager
lockd           32768/tcp       # NFS lock daemon/manager
rquotad         32769/udp       # NFS rquotad
rquotad         32769/tcp       # NFS rquotad

************************************************************************

Next, you'll need to modify your /etc/rc.d/rc.nfsd script accordingly.
For other Linux distributions, find the script that starts these daemons
and add the needed flags.
# **** Make the quota daemon listen on port 32769
if [ -x /usr/sbin/rpc.rquotad ]; then
  echo "  /usr/sbin/rpc.rquotad -p 32769"
  /usr/sbin/rpc.rquotad -p 32769
fi

# **** Make the mount daemon listen on port 32767
if [ -x /usr/sbin/rpc.mountd ]; then
  echo "  /usr/sbin/rpc.mountd -p 32767"
  /usr/sbin/rpc.mountd -p 32767
fi

Now modify the /etc/rc.d/rc.rpc script (again, for other Linux distros,
find the script that starts this daemon and add the needed flags). On
older versions (less than 11.0) of Slackware, rpc.statd is started in
rc.nfsd, so look there instead.

# **** Have the portmap daemon chroot to /var/empty for increased security
# **** Make the status daemon listen on port 32765 and talk on port 32766
if [ -x /sbin/rpc.portmap -a -x /sbin/rpc.statd ]; then
  if ! ps axc | grep -q rpc.portmap ; then
    echo "Starting RPC portmapper:  /sbin/rpc.portmap -t /var/empty"
    /sbin/rpc.portmap -t /var/empty
  fi
  if ! ps axc | grep -q rpc.statd ; then
    echo "Starting RPC NSM (Network Status Monitor):  /sbin/rpc.statd -p 32765 -o 32766"
    /sbin/rpc.statd -p 32765 -o 32766
  fi
fi
# **** Note that you'll have to open port 32766 on the NFS clients

Now make the lock daemon listen on port 32768 only and set the nfs
callback port to 32764.
Up to Slackware 11.0, this requires a kernel boot parameter (an append=
line in lilo.conf) - a kernel stanza will look something like this:

image = /boot/vmlinuz-ide-2.4.37.11
  append = "lockd.udpport=32768 lockd.tcpport=32768"
  root = /dev/hda2
  label = 2.4.37.11
  read-only

After 11.0, but before Slackware 13.1, this requires setting module load
options in a file in the /etc/modprobe.d/ directory - I create an aptly
named /etc/modprobe.d/nfs.conf and add the following lines:

options lockd nlm_udpport=32768 nlm_tcpport=32768
options nfs callback_tcpport=32764    # This is for NFSv4

In Slackware 13.1 and later, you will instead need to place the following
in /etc/sysctl.conf:

fs.nfs.nlm_udpport=32768
fs.nfs.nlm_tcpport=32768
fs.nfs.nfs_callback_tcpport=32764

In Slackware 14.2 and later, you can use a separate file in
/etc/sysctl.d/, e.g. /etc/sysctl.d/10-nfs.conf, instead of editing the
main sysctl.conf file.

Finally, you'll need to reboot the machine since the lockd module
probably will refuse to unload. Once it's rebooted, you can test to make
sure all of the changes "took" with "rpcinfo -p" or "pmap_dump" (rpcinfo
is not present in Slackware 14.0 and 14.1, but is present in 14.2+) --
as an example, here's a snippet of what I see here:

stora # rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32766  status
    100024    1   tcp  32766  status
    100227    3   tcp   2049
    100227    3   udp   2049
    100021    3   udp  32768  nlockmgr
    100021    3   tcp  32768  nlockmgr
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd

Copyright 2006-2016 Robby Workman, Tuscaloosa, Alabama, USA
#include /* Standard MIT License */
You may mirror and/or otherwise use this file as you wish so long as you
retain attribution to the author.
If you have any questions, comments, or suggestions for improvement, you
may contact me at rworkman AT slackware.com

Note: Updated 20111126 for better consistency with the Debian NFS HOWTO
      (since the actual port assignments aren't important, we may as well
      recommend the same thing in both places); thanks to David Allen for
      the pointers and recommendation...
Note: Updated 20120820 to note pmap_dump usage instead of rpcinfo in
      Slackware 14+; thanks to David Allen for the heads-up on that.
Note: Updated 20160511 to note return of rpcinfo, sysctl.d, and various
      other tweaks available for Slackware 14.2 (not yet released at the
      time of this update)
Note: Updated 20200502 to note -current (pre-15.0)
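As an added example that is not part of Robby's document: a POSIX shell check for the "rpcinfo -p" verification step above, run here against a constructed rpcinfo sample (not captured from a real host) in which rquotad was left on a portmapper-assigned port, plus a generator for the iptables ACCEPT rules that the fixed ports make possible. The expected port for status follows the rpcinfo sample in the text (32766); the function names and the rule format are my assumptions.

```shell
# Expected listening ports, as registered in the document's "rpcinfo -p"
# sample: "service port", one pair per line.
NFS_EXPECTED="portmapper 111
status 32766
nlockmgr 32768
mountd 32767
rquotad 32769"

# Constructed sample of "rpcinfo -p" output (not captured from a real host).
# rquotad is deliberately left on a portmapper-assigned port.
SAMPLE_RPCINFO="   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32766  status
    100024    1   tcp  32766  status
    100227    3   tcp   2049
    100021    3   udp  32768  nlockmgr
    100021    3   tcp  32768  nlockmgr
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd
    100011    1   udp  59132  rquotad"

# check_rpc_ports "<rpcinfo -p output>"
# Prints each registration that is not on its expected port and returns the
# number of such mismatches, so 0 means every daemon honoured its -p flag.
check_rpc_ports() {
    printf '%s\n' "$1" | awk -v expected="$NFS_EXPECTED" '
        BEGIN {
            n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                want[kv[1]] = kv[2]
            }
            bad = 0
        }
        # Only named registrations; the header and unnamed programs have NF != 5.
        NF == 5 && $1 ~ /^[0-9]+$/ && ($5 in want) && $4 != want[$5] {
            printf "%s/%s is on port %s, expected %s\n", $5, $3, $4, want[$5]
            bad++
        }
        END { exit bad }'
}
# nfs_iptables_rules: emit one ACCEPT rule per protocol for every pinned port
# plus nfsd itself on 2049, ready to feed to "iptables -A" on the server.
nfs_iptables_rules() {
    printf '%s\nnfsd 2049\n' "$NFS_EXPECTED" | awk '{
        printf "-A INPUT -p tcp --dport %s -j ACCEPT\n", $2
        printf "-A INPUT -p udp --dport %s -j ACCEPT\n", $2 }'
}
```

Run the check after each reboot (or from cron) on the live output, e.g. `check_rpc_ports "$(rpcinfo -p)"`, and treat a nonzero exit as a sign that a daemon fell back to a random port the firewall does not allow.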