By default, some NFS services (server-side) use well-known ports, while others normally use random ports. Random ports do not work well with strict firewall rules, which block any port that is not known in advance. So it is sometimes best to manually specify static ports for the NFS services (server-side) to use.
This post describes how to configure NFS services (server-side) to run on static ports as an alternative.
Overview
NFS services (server-side) include:
- NLM (NFS lock manager or in-kernel lockd)
- rpc.mountd
- rpc.nfsd
- rpc.rquotad
- rpc.statd
Please note lockd and rpc.statd also run on NFS clients. Also, rpc.rquotad is not strictly a part of the NFS family but is used to check quotas on file systems shared by the NFS server and mounted by one or more NFS clients.
With NFSv3, rpc.nfsd interacts with LOCKD/NLM, rpc.mountd, and rpc.statd. However, with NFSv4, all these interactions are now incorporated/consolidated.
For CentOS/RHEL 7, the nfs-utils RPM now ships /etc/modprobe.d/lockd.conf, /etc/sysconfig/nfs, and /etc/sysconfig/rpc-rquotad as the main NFS (server-side) configuration files. There is also /etc/nfs.conf, which, in the near future, may deprecate the other configuration files.
For CentOS/RHEL 7, the static ports for rpc.mountd, rpc.nfsd, and rpc.rquotad default to 20048, 2049, and 875, respectively, since they are considered well-known ports. Other NFS services (server-side), such as LOCKD/NLM and rpc.statd, normally just use random ports, but /etc/modprobe.d/lockd.conf and /etc/sysconfig/nfs do offer example port values for reference. The example port values are good enough for most scenarios.
# cat /etc/services
mountd          20048/tcp                       # NFS mount protocol
mountd          20048/udp                       # NFS mount protocol
nfs             2049/tcp        nfsd shilp      # Network File System
nfs             2049/udp        nfsd shilp      # Network File System
rquotad         875/tcp                         # rquota daemon
rquotad         875/udp                         # rquota daemon

# cat /etc/modprobe.d/lockd.conf
# Set the TCP port that the NFS lock manager should use.
# port must be a valid TCP port value (1-65535).
#options lockd nlm_tcpport
#
# Set the UDP port that the NFS lock manager should use.
# port must be a valid UDP port value (1-65535).
#options lockd nlm_udpport

# cat /etc/sysconfig/nfs
# Port rpc.mountd should listen on.
#MOUNTD_PORT=892
# Port rpc.statd should listen on.
#STATD_PORT=662
# Outgoing port statd should used. The default is port
# is random
#STATD_OUTGOING_PORT=2020

# cat /etc/sysconfig/rpc-rquotad
# -I, --autofs          Ignore autofs mount points
# -p port, --port port  Listen on alternative port
# -s, --no-setquota     Don't allow setting quotas with RPC (default)
# -S, --setquota        Allow setting quotas with RPC
# -x path, --xtab path  Use alternative NFSD export table
RPCRQUOTADOPTS=""
Examples of configuring /etc/modprobe.d/lockd.conf
To make LOCKD/NLM use free static ports, uncomment nlm_tcpport and nlm_udpport and set the new port values, then reload the lockd kernel module or just reboot.
options lockd nlm_tcpport=32803
options lockd nlm_udpport=32769
Examples of configuring /etc/sysconfig/nfs
To make rpc.mountd use a free static port other than 20048, uncomment MOUNTD_PORT and set the new port value, then restart the nfs-mountd service or the nfs-server service.
MOUNTD_PORT=892
To make rpc.nfsd use a free static port other than 2049, uncomment RPCNFSDARGS and add the new port value, then restart the nfs-server service.
RPCNFSDARGS="-p 20499"
To make rpc.statd use free static ports, uncomment STATD_PORT and STATD_OUTGOING_PORT and set the new port values, then restart the rpc-statd service.
STATD_PORT=662
STATD_OUTGOING_PORT=2020
Examples of configuring /etc/sysconfig/rpc-rquotad
To make rpc.rquotad use a free static port other than 875, uncomment RPCRQUOTADOPTS and add the new port value, then restart the rpc-rquotad service.
RPCRQUOTADOPTS="-p 8755"
Service Control
Restart the nfs-mountd service:
# systemctl restart nfs-mountd.service
Restart the nfs-server service:
# systemctl restart nfs-server.service
Restart the rpc-rquotad service:
# systemctl restart rpc-rquotad.service
Restart the rpc-statd service:
# systemctl restart rpc-statd.service
Verification:
# rpcinfo -p
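Reading the rpcinfo -p listing by eye makes it easy to miss one service that is still on a random port, which is exactly the one a strict firewall will drop. The script below is an added example, not part of the original post: it compares the listing against the static ports you expect and reports anything that drifted or is missing. The function name check_nfs_ports, the EXPECTED list (built from this post's example port values) and the SAMPLE listing (constructed) are assumptions.

```shell
# Expected registrations as service/proto=port, using the example port values
# from this post (assumption: adjust to the ports you actually configured).
EXPECTED="nlockmgr/tcp=32803 nlockmgr/udp=32769 mountd/tcp=892 mountd/udp=892 \
nfs/tcp=20499 status/tcp=662 status/udp=662 rquotad/tcp=8755 rquotad/udp=8755"

# Constructed sample of `rpcinfo -p` output: the statd UDP listener is on a random port.
SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp  45123  status
    100024    1   tcp    662  status
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100003    3   tcp  20499  nfs
    100021    4   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100011    2   udp   8755  rquotad
    100011    2   tcp   8755  rquotad'

# Reads `rpcinfo -p` output on stdin and prints one line per problem:
#   DRIFT <service/proto> got=<port> want=<port>   (unexpected port)
#   MISSING <service/proto> want=<port>            (not registered at all)
# Returns 0 when every expected service is on its static port, 1 otherwise.
check_nfs_ports() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        { key = $5 "/" $3 }
        !(key in want) { next }      # header line and services we do not track
        { seen[key] = 1 }
        $4 != want[key] && !((key, $4) in reported) {
            printf "DRIFT %s got=%s want=%s\n", key, $4, want[key]
            reported[key, $4] = 1; bad = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in seen)) {
                    printf "MISSING %s want=%s\n", order[i], want[order[i]]; bad = 1
                }
            exit bad + 0
        }'
}

# Live use on the NFS server: rpcinfo -p | check_nfs_ports
printf '%s\n' "$SAMPLE" | check_nfs_ports || echo "NFS port check failed" >&2
```

A non-zero return makes the function usable as a gate before tightening firewall rules or as a periodic check after package updates and reboots.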