How can I configure a system as an NFSv4 server which sits behind a firewall with NFS clients outside the firewall?

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • NFS version 4

Issue

  • How can I configure a system as an NFSv4 server which sits behind a firewall with NFS clients outside the firewall?
  • I cannot connect to my NFSv4 server which sits behind a firewall.
  • How do I provide compatibility to allow older NFS version clients to connect?

Resolution

Mounting

To perform an NFSv4 mount, the requirements are:

  • From low-numbered (less than 1024) TCP port on NFS client, to TCP 2049 on NFS server
  • From TCP 2049 on NFS server, to low-numbered (less than 1024) TCP port on NFS client

An example set of iptables firewall rules (with connection tracking) for the NFS server would be:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 2049 -m comment --comment "nfsd" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited

An example set of iptables firewall rules (without connection tracking) for the NFS server would be:

-A INPUT -p tcp -m tcp --dport 2049 -m comment --comment "nfsd" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A OUTPUT -p tcp -m tcp --sport 2049 -m comment --comment "nfsd" -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited

Firewalling and security requirements differ depending on environment. Your firewall rules may be slightly different to these. Please contact Red Hat Global Support Services if you require assistance configuring a supported firewall, or wish to enquire about NFS client/server behaviour when configuring a third-party firewall.

Client Callbacks

NFSv4 can sometimes improve performance by using delegations. For delegations to work, the NFS server needs to be able to make callbacks to the NFS client.

First, set the NFSv4 client callback port to a specific port. Second, allow this port through the firewall, in the same way as the iptables examples above. For example, assuming the NFSv4 callback port is set to 60000, on RHEL7 firewalld use the following command:

# firewall-cmd --add-port=60000/tcp --zone=internal --permanent

Note: If the NFS server cannot make callbacks to the NFS client, then delegations are simply not used and NFS operation continues transparently.

RPC queries

The concept of performing RPC queries such as showmount -e <nfs-server> against the NFS server is obsolete in NFSv4. A pure NFSv4 environment with NFSv2 and NFSv3 disabled does not use RPC in this way.

In NFSv4, the replacement of the above concept is to mount the nfsroot (mount -t nfs4 nfs-server:/ /mountpoint) and browse for the share via regular filesystem navigation.

However, it is still common for RPC queries to be used in an NFSv4 environment. In these cases, the specific NFSv3 listening daemons must be configured on static ports, and those ports must be allowed between client and server.

For example, if showmount -e <nfs-server> is to be run, this queries the mount daemon, so mountd must listen on a static port and firewall access granted between the NFS client and the NFS server's listening port.
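As an added check (example script, not part of this solution or of Red Hat's tooling), the following POSIX shell script reads rpcinfo -p output and lists every registered listener other than NFSv4 on 2049/tcp: exactly the daemons that either need a static port plus a firewall rule, or go away once NFSv2/v3 are disabled. The rpcinfo output embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: audit what an NFS server
# registers with rpcbind and list every listener other than NFSv4 on
# 2049/tcp. Each line printed is either an NFSv3-era daemon (mountd,
# nlockmgr, status) that must be pinned to a static port and opened in the
# firewall, or a transport the solution says is unsupported (nfs over udp).
# Usage: rpcinfo -p <nfs-server> | nfs_extra_listeners

# Print "service proto port" for every registration except nfs on 2049/tcp,
# one line per unique triple, ordered by port then service.
nfs_extra_listeners() {
    awk 'NR > 1 && NF >= 5 {
            service = $5; proto = $3; port = $4
            if (service == "nfs" && proto == "tcp" && port == "2049") next
            key = service " " proto " " port
            if (!(key in seen)) { seen[key] = 1; print key }
        }' | sort -k3,3n -k1,1
}

# Succeed only if the server needs no firewall hole beyond 2049/tcp.
# portmapper (rpcbind, port 111) is tolerated because rpcinfo itself needs
# it; nfs_acl shares 2049/tcp and so opens nothing new.
nfs_v4_only_check() {
    extra=$(nfs_extra_listeners |
        awk '$1 != "portmapper" && !($1 == "nfs_acl" && $2 == "tcp" && $3 == "2049")')
    [ -z "$extra" ]
}

# Constructed rpcinfo -p output from a host still serving NFSv3 (the
# dynamic nlockmgr/status ports are typical of an unpinned configuration).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    4   udp   2049  nfs
    100021    4   udp  43543  nlockmgr
    100021    4   tcp  36415  nlockmgr
    100024    1   udp  46535  status
    100024    1   tcp  53207  status'

# Constructed output from a host exporting NFSv4 only (vers 2/3 disabled).
PURE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100003    4   tcp   2049  nfs'

printf '%s\n' "$SAMPLE_RPCINFO" | nfs_extra_listeners
```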

Exact steps on configuring daemons in this manner are provided in the accompanying NFSv3 knowledgebase solution:

UDP

The TCP transport protocol is defined in RFC 3530, the NFSv4 protocol specification.

NFSv4 over UDP is against that specification.

Whilst Red Hat Enterprise Linux kernels are able to mount NFSv4 over UDP, such a configuration is not supported by Red Hat.

Root Cause

NFSv4 simplifies firewalling requirements over what was required with NFSv3.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.