linux-nfs.vger.kernel.org archive mirror
* NFS and firewalls
@ 2010-12-27 23:32 Jeff Hanson
From: Jeff Hanson @ 2010-12-27 23:32 UTC (permalink / raw)
  To: Linux NFS

The random port usage of NFS makes it difficult to use with NAT/firewalls.

The common workaround is to configure statd, mountd, lockd, and quotad
to use static ports. Since there aren't any standard (IANA-registered) port
assignments, this breaks on many networks that use dynamic or different
static ports.

This makes it difficult to use the "standard" network file sharing
protocol with mobile devices which often use firewalls.

Saned, Samba (netbios), and FTP all have conntrack modules to handle
dynamic port usage.  Has there been any attempt to write one for NFS?

I filed a bug with Ubuntu about it (#688446), mostly for psychological
benefit as it's probably something they're not going to get involved
with.

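As an added illustration of the problem described in this message (example code, not something posted in the thread), the script below takes a snapshot of `rpcinfo -p` from an NFSv3 server, lists every listener a v3 client may have to reach, and turns it into nftables rules; next to that it emits the single rule an NFSv4 server needs. The `rpcinfo` output is constructed for offline use, the random ports in it are made up, and the rules assume an existing `inet filter` table with an `input` chain.

```shell
#!/bin/sh
# Added example, not from the thread: derive the server-side firewall openings
# an NFSv3 client needs from a snapshot of `rpcinfo -p`, and contrast them with
# the single port an NFSv4 client needs.
#
# RPCINFO_SAMPLE is CONSTRUCTED for offline use (the high ports are invented).
# On a real server replace it with the live output:   rpcinfo -p <server>
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    1   udp  38045  mountd
    100005    1   tcp  48823  mountd
    100005    3   udp  38045  mountd
    100005    3   tcp  48823  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100021    1   udp  45232  nlockmgr
    100021    4   udp  45232  nlockmgr
    100021    1   tcp  39047  nlockmgr
    100021    4   tcp  39047  nlockmgr
    100024    1   udp  51823  status
    100024    1   tcp  37421  status
    100011    1   udp    875  rquotad
    100011    2   tcp    875  rquotad'

# Print one "proto port service" line per distinct listener an NFSv3 client
# may have to reach: rpcbind itself, nfs, mountd, the lock manager, statd
# and quotad. Columns of rpcinfo -p: program vers proto port service.
nfs_v3_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $5 ~ /^(portmapper|nfs|nfs_acl|mountd|nlockmgr|status|rquotad)$/ {
            key = $3 " " $4 " " $5
            if (!(key in seen)) { seen[key] = 1; print key }
        }' | LC_ALL=C sort -k3,3 -k1,1 -k2,2n
}

# Number of distinct ports the v3 rule set has to open.
nfs_v3_port_count() {
    nfs_v3_listeners "$1" | awk '{ print $2 }' | LC_ALL=C sort -u | wc -l | tr -d ' '
}

# nftables rules for the v3 snapshot (assumes table "inet filter", chain
# "input"). Everything except 111, 2049 and a pinned rquotad is whatever
# rpcbind handed out when the daemon started, so these rules silently go
# stale on the next service restart unless the daemons are pinned.
nft_rules_v3() {
    nfs_v3_listeners "$1" | awk '{
        printf "add rule inet filter input %s dport %s accept comment \"%s\"\n", $1, $2, $3
    }'
}

# NFSv4: every connection is client-initiated, so the server side needs
# exactly one opening.
nft_rules_v4() {
    echo 'add rule inet filter input tcp dport 2049 accept comment "nfs4"'
}

echo "# NFSv3 server openings (snapshot of $(nfs_v3_port_count "$RPCINFO_SAMPLE") ports):"
nft_rules_v3 "$RPCINFO_SAMPLE"
echo "# NFSv4 server openings:"
nft_rules_v4
```

Run it against a live server with `rpcinfo -p server` in place of the sample and diff the output across a daemon restart: any port that changes is one the static-port workaround has to pin, and one a NAT in front of a client would have to track.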

* Re: NFS and firewalls
From: Trond Myklebust @ 2010-12-28  0:12 UTC (permalink / raw)
  To: Jeff Hanson; +Cc: Linux NFS

On Mon, 2010-12-27 at 18:32 -0500, Jeff Hanson wrote:
> The random port usage of NFS makes it difficult to use with NAT/firewalls.
> 
> The common workaround is to configure statd, mountd, lockd, and quotad
> to use static ports. Since there aren't any standard (IANA-registered) port
> assignments, this breaks on many networks that use dynamic or different
> static ports.
> 
> This makes it difficult to use the "standard" network file sharing
> protocol with mobile devices which often use firewalls.
> 
> Saned, Samba (netbios), and FTP all have conntrack modules to handle
> dynamic port usage.  Has there been any attempt to write one for NFS?
> 
> I filed a bug with Ubuntu about it (#688446), mostly for psychological
> benefit as it's probably something they're not going to get involved
> with.

Neither am I.

NFSv4.1 fully solves this problem. All connections to the server are
initiated by the client, including for callback paths. The only port
that needs to be accessible on the server side is port 2049.

NFSv4 also solves the problem, with the one caveat that callbacks won't
work behind a NAT (which basically means you won't get delegations).

NFSv3 is the only protocol that actually has the problem you describe
above. We're working to deprecate it...

Cheers
  Trond


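A check that follows from this reply, added here as an example and not code from the thread: before closing every server port but 2049, confirm which NFS version each client mount actually negotiated. The script classifies `/proc/mounts` lines the way the reply does (4.1 and later: client-initiated only; 4.0: callbacks need a server-to-client connection, so no delegations behind NAT; 3: rpcbind, mountd, lockd and statd as well). The mount lines are constructed, the `nat-ok`/`nat-partial`/`nat-unfriendly` labels are my own, and on a Linux client the callback listener for 4.0 is the port set by `fs.nfs.nfs_callback_tcpport`.

```shell
#!/bin/sh
# Added example, not from the thread: audit the NFS mounts on a client and
# report, per mount, whether the server needs anything beyond tcp/2049 open
# and whether the mount can sit behind a NAT.
#
# MOUNTS_SAMPLE is CONSTRUCTED in /proc/mounts format; addresses and the
# mountd port are invented. On a real client use "$(cat /proc/mounts)".
MOUNTS_SAMPLE='filer:/export/home /home nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.0.0.5,local_lock=none,addr=192.0.2.10 0 0
filer:/export/scratch /scratch nfs4 rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=10.0.0.5,local_lock=none,addr=192.0.2.10 0 0
legacy:/vol/old /mnt/old nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=192.0.2.20,mountvers=3,mountport=48823,mountproto=udp,local_lock=none,addr=192.0.2.20 0 0
/dev/sda2 / ext4 rw,relatime 0 0'

# Classify one /proc/mounts line. Prints "<mountpoint> <vers> <verdict>" for
# NFS mounts and nothing for other filesystems. Fields of /proc/mounts:
# source mountpoint fstype options dump pass.
classify_nfs_mount() {
    printf '%s\n' "$1" | awk '
        $3 != "nfs" && $3 != "nfs4" { next }
        {
            n = split($4, opts, ",")
            vers = "?"; mountport = "?"; mountproto = "?"
            for (i = 1; i <= n; i++) {
                split(opts[i], kv, "=")
                if (kv[1] == "vers")       vers = kv[2]
                if (kv[1] == "mountport")  mountport = kv[2]
                if (kv[1] == "mountproto") mountproto = kv[2]
            }
            split(vers, v, ".")
            if (v[1] == 4 && v[2] >= 1)
                verdict = "nat-ok: only server tcp/2049; callbacks reuse the client connection"
            else if (v[1] == 4)
                verdict = "nat-partial: only server tcp/2049, but callbacks are server-to-client (no delegations behind NAT)"
            else
                verdict = "nat-unfriendly: also needs rpcbind 111, mountd " mountproto "/" mountport ", lockd and statd"
            print $2, vers, verdict
        }'
}

# One verdict line per NFS mount in the given /proc/mounts text.
audit_mounts() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        classify_nfs_mount "$line"
    done
}

# Number of mounts that cannot be served through a NAT with only tcp/2049 open.
non_nat_ok_count() {
    audit_mounts "$1" | awk '$3 != "nat-ok:" { n++ } END { print n + 0 }'
}

audit_mounts "$MOUNTS_SAMPLE"
echo "mounts still needing more than tcp/2049: $(non_nat_ok_count "$MOUNTS_SAMPLE")"
```

Any line reported as `nat-unfriendly` is a v3 mount whose `mountport` value is the kind of dynamically assigned port the original message complains about; remounting it with `vers=4.1` removes the dependency rather than pinning it.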

* Re: NFS and firewalls
From: Jeff Hanson @ 2010-12-28  2:58 UTC (permalink / raw)
  To: Trond Myklebust; +Cc: Linux NFS

On Mon, Dec 27, 2010 at 7:12 PM, Trond Myklebust
<trond.myklebust@fys.uio.no> wrote:
> NFSv4.1 fully solves this problem. All connections to the server are
> initiated by the client, including for callback paths. The only port
> that needs to be accessible on the server side is port 2049.
>
> NFSv4 also solves the problem, with the one caveat that callbacks won't
> work behind a NAT (which basically means you won't get delegations).
>

Thanks.  I made a note in the Ubuntu bug report.


* Re: NFS and firewalls
From: Jim Rees @ 2010-12-28  3:26 UTC (permalink / raw)
  To: Jeff Hanson; +Cc: Linux NFS

Jeff Hanson wrote:

  The random port usage of NFS makes it difficult to use with NAT/firewalls.

Assuming you mean v3, I've done this by setting nolock in the mount options
and bypassing the mount protocol by configuring the root file handle on the
client manually.

Others have noted that v4 solves this problem.  IPv6 eliminates the need for
NAT, if your client and server support it and your network will pass the
packets.

