NFS required ports?

Trying to lock down my server from the internal network so I need to know what ports NFS requires to run.

I know at a minimum:
sunrpc (111)
nfsd (2049)

What about
mountd
lockd
statd

Do those need to be open to clients as well?
 
Through the magic of RPC those change every time : ) I tried pinning them down through rc.conf:
Code:
rpcbind_enable="YES"
nfs_server_enable="YES"
nfs_server_flags="-h 192.168.1.1"
mountd_flags="-r -h 192.168.1.1 -p 4046"
rpc_lockd_enable="YES"
rpc_lockd_flags="-h 192.168.1.1 -p 4045"
rpc_statd_enable="YES"
rpc_statd_flags="-h 192.168.1.1 -p 4047"

Now I'm having a new problem. Though lockd seems to be running, and rpcinfo shows it bound to a port, it is not showing up in sockstat. Every time I attempt to access a file from my NFS client, I get an error message that says the file is locked!

Output from rpcinfo -p:
Code:
# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100000    4 local    111  rpcbind
    100000    3 local    111  rpcbind
    100000    2 local    111  rpcbind
    100005    1   udp   4046  mountd
    100005    3   udp   4046  mountd
    100005    1   tcp   4046  mountd
    100005    3   tcp   4046  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100024    1   udp   4047  status
    100024    1   tcp   4047  status
    100021    0   udp   4045  nlockmgr
    100021    0   tcp   4045  nlockmgr
    100021    1   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr

Code:
greg-kennedy# sockstat -4 -l -L
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
www      httpd      10086 16 tcp4   *:80                  *:*
www      httpd      10085 16 tcp4   *:80                  *:*
www      httpd      10084 16 tcp4   *:80                  *:*
www      httpd      10062 16 tcp4   *:80                  *:*
www      httpd      10031 16 tcp4   *:80                  *:*
www      httpd      10015 16 tcp4   *:80                  *:*
www      httpd      10014 16 tcp4   *:80                  *:*
www      httpd      10013 16 tcp4   *:80                  *:*
www      httpd      9992  16 tcp4   *:80                  *:*
www      httpd      9991  16 tcp4   *:80                  *:*
www      httpd      9990  16 tcp4   *:80                  *:*
www      httpd      9943  16 tcp4   *:80                  *:*
www      httpd      9294  16 tcp4   *:80                  *:*
www      httpd      8513  16 tcp4   *:80                  *:*
www      httpd      8512  16 tcp4   *:80                  *:*
www      httpd      8511  16 tcp4   *:80                  *:*
www      httpd      8510  16 tcp4   *:80                  *:*
www      httpd      8508  16 tcp4   *:80                  *:*
www      httpd      8507  16 tcp4   *:80                  *:*
www      httpd      8506  16 tcp4   *:80                  *:*
www      httpd      8505  16 tcp4   *:80                  *:*
www      httpd      8504  16 tcp4   *:80                  *:*
www      httpd      8503  16 tcp4   *:80                  *:*
root     miniupnpd  1803  4  tcp4   *:19168               *:*
root     miniupnpd  1803  6  udp4   *:1900                *:*
root     miniupnpd  1803  7  udp4   192.168.1.1:42535     *:*
root     miniupnpd  1803  8  udp4   192.168.1.1:5351      *:*
root     sshd       1297  4  tcp4   *:22                  *:*
root     httpd      1267  16 tcp4   *:80                  *:*
dhcpd    dhcpd      992   5  udp4   *:67                  *:*
root     ntpd       927   20 udp4   *:123                 *:*
root     ntpd       927   22 udp4   192.168.1.1:123       *:*
root     ntpd       927   23 udp4   24.144.41.118:123     *:*
svn      svnserve   856   3  tcp4   *:3690                *:*
root     rpc.statd  825   7  udp4   192.168.1.1:4047      *:*
root     rpc.statd  825   9  tcp4   192.168.1.1:4047      *:*
root     mountd     816   8  udp4   192.168.1.1:4046      *:*
root     mountd     816   10 tcp4   192.168.1.1:4046      *:*
root     rpcbind    702   9  udp4   *:111                 *:*
root     rpcbind    702   10 udp4   *:745                 *:*
root     rpcbind    702   11 tcp4   *:111                 *:*

And ps -awx | grep lockd:
Code:
# ps awx | grep lockd
  832  ??  Ss     0:00.05 /usr/sbin/rpc.lockd -h 192.168.1.1 -p 4045

Finally, a snip from pf.conf:
Code:
int_tcp_services="{ ssh, www, svn, sunrpc, nfsd, lockd, 4046, 4047 }"
int_udp_services="{ sunrpc, dhcps, nfsd, lockd, 4046, 4047, 1900 }"

...

pass in quick on $int_if inet proto tcp from any to ($int_if) \
    port $int_tcp_services

pass in quick on $int_if inet proto udp from any to ($int_if) \
    port $int_udp_services
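
Added example, not part of the original posts: a Python cross-check of the two diagnostics shown above, listing which ports rpcbind advertises per protocol and which of those have no matching `sockstat` entry. The sample text is abridged from the posted output, and the function names are hypothetical.

```python
# Sample input abridged from the rpcinfo and sockstat output posted above.
RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4 local    111  rpcbind
    100005    3   tcp   4046  mountd
    100003    3   udp   2049  nfs
    100024    1   tcp   4047  status
    100021    4   udp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
"""
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     rpc.statd  825   9  tcp4   192.168.1.1:4047      *:*
root     mountd     816   10 tcp4   192.168.1.1:4046      *:*
root     rpcbind    702   11 tcp4   *:111                 *:*
"""

def parse_rpcinfo(text):
    """Return {(proto, port): service}; "local" transports are skipped."""
    regs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0].isdigit() and f[2] in ("tcp", "udp"):
            regs[(f[2], int(f[3]))] = f[4]
    return regs

def parse_sockstat(text):
    """Return {(proto, port)} for each IPv4 socket sockstat lists."""
    socks = set()
    for line in text.splitlines():
        f = line.split()
        port = f[5].rsplit(":", 1)[-1] if len(f) >= 6 else ""
        if port.isdigit() and f[4] in ("tcp4", "udp4"):
            socks.add((f[4][:3], int(port)))
    return socks

def firewall_ports(regs):
    """Ports to allow per protocol, derived from the live registrations."""
    return {p: sorted({port for proto, port in regs if proto == p})
            for p in ("tcp", "udp")}

def unlisted(regs, socks):
    """Registered RPC endpoints with no matching sockstat entry."""
    return sorted((svc, proto, port) for (proto, port), svc in regs.items()
                  if (proto, port) not in socks)

if __name__ == "__main__":
    print(unlisted(parse_rpcinfo(RPCINFO), parse_sockstat(SOCKSTAT)))
```

On the posted output this reports nfs on udp/2049 alongside nlockmgr on 4045, so absence from `sockstat` is not specific to lockd on this host.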
 
Check your /etc/rc.conf on the client and add:
Code:
nfs_client_enable="YES"
Be sure to configure the /etc/exports file on the server with the most restrictive access possible.
 