Overview:
You have two machines running Ubuntu and want to export a directory from one of them (the server) and mount it automatically on the other (the client), while keeping the server protected by a firewall (UFW).
Part 1 - Installation
To start with, you will need to install the firewall and NFS packages on the server. There are many tutorials on the internet, but basically you just need to:
user@casa$ sudo apt-get install ufw nfs-kernel-server
user@casa$ sudo /etc/init.d/nfs-kernel-server restart
NFS needs several daemons running at the same time to work: portmapper, nfs, nlockmgr and mountd. You can see which of them are already running on your server machine with:
user@casa$ rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 34528 status
100024 1 tcp 54929 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 46658 nlockmgr
100021 3 udp 46658 nlockmgr
100021 4 udp 46658 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 tcp 58052 nlockmgr
100021 3 tcp 58052 nlockmgr
100021 4 tcp 58052 nlockmgr
In the example above we do not have all 4 daemons: mountd is missing! Looking at the logs (/var/log/*/) and searching for error messages I found this:
user@casa$ sudo grep mount /var/log/daemon.log
Feb 3 11:23:54 casa mountd[12061]: Could not bind name to socket: Address already in use
This means the port that mountd tried to bind was already in use when the system started the daemon. Port configuration is the subject of the next section, so the fix is given there.
Part 2 - Fixed ports for NFS
To allow remote connections to the exported directories over NFS, we will need to open the ports of each of the 4 daemons in the UFW firewall: portmapper, nfs, nlockmgr and mountd. For that they must use fixed port numbers, not random ones (as nlockmgr does in the example above). Since nfs and portmapper already use the fixed ports 2049 and 111 by default, it suffices to pin mountd and nlockmgr.
mountd
To change the port used by mountd do this:
user@casa$ sudo pico /etc/default/nfs-kernel-server
And change the variable RPCMOUNTDOPTS:
# Options for rpc.mountd.
# see rpc.mountd(8) or http://wiki.debian.org/?SecuringNFS
RPCMOUNTDOPTS="-p 111"
Note that it was using port 111, the same as portmapper, and that was the conflict! Change it to 4002 and restart NFS:
user@casa$ sudo /etc/init.d/nfs-kernel-server restart
nlockmgr
To change the port used by nlockmgr, edit the file /etc/modprobe.d/options and add the following line:
options lockd nlm_udpport=4001 nlm_tcpport=4001
In this case it is not enough to restart NFS; you will have to reboot the system.
UFW
Now only the UFW configuration is missing, where we open the NFS ports for the client's address alone:
user@casa$ sudo ufw enable
user@casa$ sudo ufw allow from IP_of_client to any port 111
user@casa$ sudo ufw allow from IP_of_client to any port 2049
user@casa$ sudo ufw allow from IP_of_client to any port 4001
user@casa$ sudo ufw allow from IP_of_client to any port 4002
If you turn the firewall on, you should at least allow SSH connections as well:
user@casa$ sudo ufw allow 22/tcp
user@casa$ sudo ufw allow 22/udp
You can check that everything is all right with:
user@casa$ sudo ufw status
Firewall loaded
To Action From
-- ------ ----
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
2049:tcp ALLOW IP_da_maquina_cliente
2049:udp ALLOW IP_da_maquina_cliente
111:tcp ALLOW IP_da_maquina_cliente
111:udp ALLOW IP_da_maquina_cliente
4002:tcp ALLOW IP_da_maquina_cliente
4002:udp ALLOW IP_da_maquina_cliente
4001:tcp ALLOW IP_da_maquina_cliente
4001:udp ALLOW IP_da_maquina_cliente
And rpcinfo now shows all four daemons on fixed ports:
user@casa$ rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 49282 status
100024 1 tcp 38213 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 4001 nlockmgr
100021 3 udp 4001 nlockmgr
100021 4 udp 4001 nlockmgr
100021 1 tcp 4001 nlockmgr
100021 3 tcp 4001 nlockmgr
100021 4 tcp 4001 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100005 1 udp 4002 mountd
100005 1 tcp 4002 mountd
100005 2 udp 4002 mountd
100005 2 tcp 4002 mountd
100005 3 udp 4002 mountd
100005 3 tcp 4002 mountd
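As an added example (not part of the original post), here is a small POSIX shell script that parses the output of rpcinfo -p, reports whether the four daemons are registered and whether nlockmgr and mountd sit on the fixed ports chosen above (4001 and 4002), and prints the matching UFW rules for a client address. The two rpcinfo listings and the client address 192.0.2.10 are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): check `rpcinfo -p` output for the
# four services the tutorial needs and whether they sit on fixed ports.
# Fixed ports (assumption: the values chosen in this tutorial).
NLOCKMGR_PORT=4001
MOUNTD_PORT=4002
# check_rpc_ports: reads rpcinfo -p output on stdin, prints one line per
# service, returns 0 only when all four are registered on their fixed port.
check_rpc_ports() {
    input=$(cat)
    status=0
    for svc in portmapper nfs nlockmgr mountd; do
        case $svc in portmapper) want=111 ;; nfs) want=2049 ;;
            nlockmgr) want=$NLOCKMGR_PORT ;; mountd) want=$MOUNTD_PORT ;; esac
        # distinct ports (tcp and udp) this service is registered on
        ports=$(printf '%s\n' "$input" | awk -v s="$svc" '$5 == s { print $4 }' | sort -u | tr '\n' ' ')
        ports=${ports% }
        if [ -z "$ports" ]; then
            echo "MISSING  $svc is not registered with the portmapper"
            status=1
        elif [ "$ports" = "$want" ]; then
            echo "OK       $svc on fixed port $want"
        else
            echo "UNPINNED $svc on port(s) $ports, expected $want"
            status=1
        fi
    done
    return $status
}
# ufw_rules: print (not run) one ufw rule per NFS port for one client address.
ufw_rules() {
    for port in 111 2049 $NLOCKMGR_PORT $MOUNTD_PORT; do
        echo "ufw allow from $1 to any port $port"
    done
}
# Constructed sample: the 'before' state (mountd missing, nlockmgr random).
BEFORE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100021    1   udp  46658  nlockmgr
    100021    1   tcp  58052  nlockmgr'
# Constructed sample: the 'after' state once both ports are pinned.
AFTER='    100000    2   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100021    1   tcp   4001  nlockmgr
    100005    1   tcp   4002  mountd'
printf '%s\n' "$BEFORE" | check_rpc_ports || echo "Fix the ports before opening the firewall."
printf '%s\n' "$AFTER" | check_rpc_ports && ufw_rules 192.0.2.10
```

On a real server, replace the constructed samples with `rpcinfo -p | check_rpc_ports` and pipe the printed rules to sh only once every service reports OK.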