tcp port ranges for nfs in solaris 10

mik...@gmail.com

Mar 16, 2010, 9:39:41 PM
Hi All,

I need to define what ports are allowed thru a firewall for NFSv3 (v4
not an option for us at the moment) on a S10u8 machine.

It seems the NFS server needs:

tcp 111 (port mapper)
tcp 2049 (mountd)
tcp 32771 status (rquotad)

Anything else I might be missing?

-Michael

--
Planetra Hosting
mikegws at gmail dott comm

Message has been deleted

Casper H.S. Dik

Mar 17, 2010, 6:03:34 AM
"mik...@gmail.com" <mik...@gmail.com> writes:

>Hi All,

>I need to define what ports are allowed thru a firewall for NFSv3 (v4
>not an option for us at the moment) on a S10u8 machine.

>It seems the NFS server needs:

>tcp 111 (port mapper)
>tcp 2049 (mountd)
>tcp 32771 status (rquotad)

You will need them both for udp and tcp:

111 (rpcbind/portmap)
2049 NFS protocol (not mountd!)
4045 lockmgr

Mountd/rquotad/status use random ports.

What are the clients?

Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

mik...@gmail.com

Mar 17, 2010, 9:19:13 AM
On Mar 17, 6:03 am, Casper H.S. Dik <Casper....@Sun.COM> wrote:

> "mike...@gmail.com" <mike...@gmail.com> writes:
> >Hi All,
> >I need to define what ports are allowed thru a firewall for NFSv3 (v4
> >not an option for us at the moment) on a S10u8 machine.
> >It seems the NFS server needs:
> >tcp 111  (port mapper)
> >tcp 2049 (mountd)
> >tcp  32771  status (rquotad)
>
> You will need them both for udp and tcp:
>
> 111 (rpcbind/portmap)
> 2049 NFS protocol (not mountd!)
> 4045 lockmgr
>
> Mountd/rquotad/status use random ports.
>
> What are the clients?

UDP too? We're Solaris 10 all around - isn't that by default TCP NFS?

The clients are all Solaris 10. Eventually we will go to NFSv4 - but
until that project fires up we need to get the firewall rules
straight.

Do we define a range for mount/rquotad/status ?

@Michael - yes, I did google it and the results from Sun (the various
docs I found just said port 2049 or to use WebNFS) or questions posted
to various lists didn't really help much.


Casper H.S. Dik

Mar 17, 2010, 10:33:13 AM
"mik...@gmail.com" <mik...@gmail.com> writes:

>> You will need them both for udp and tcp:
>>
>> 111 (rpcbind/portmap)
>> 2049 NFS protocol (not mountd!)
>> 4045 lockmgr
>>
>> Mountd/rquotad/status use random ports.
>>
>> What are the clients?

>UDP too? We're Solaris 10 all around - isn't that by default TCP NFS?

To be honest, I'm not sure that the clients will always use TCP
for all of the protocols.

>The clients are all Solaris 10. Eventually we will go to NFSv4 - but
>until that project fires up we need to get the firewall rules
>straight.

>Do we define a range for mount/rquotad/status ?

Unfortunately, that range would be 2^15 - 2^16-1.
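
Added example, not part of the original thread: a shell sketch that sorts `rpcinfo -p` registrations into the fixed ports named above (111, 2049, 4045) and the dynamic 2^15 to 2^16-1 range, showing which services a static allow-list would leave unreachable. The sample output and the function names are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `rpcinfo -p` output from an NFSv3 server. The
# status/mountd/rquotad ports are made up; real ones change between restarts.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100021    4   udp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100005    3   udp  32790  mountd
    100005    3   tcp  32793  mountd
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100011    1   udp  32800  rquotad
EOF
}

# Read `rpcinfo -p` output on stdin and print one line per unique
# registration: "<class> <proto> <port> <service>", where class is
#   fixed   - 111, 2049 or 4045 (the ports listed in the thread)
#   dynamic - 32768..65535 (the 2^15 .. 2^16-1 range from the thread)
#   other   - anything else, worth a manual look
classify_rpc_ports() {
    awk '$4 ~ /^[0-9]+$/ {
        port = $4 + 0
        svc = ($5 == "") ? "prog" $1 : $5   # rpcinfo may omit the name
        if (port == 111 || port == 2049 || port == 4045) cls = "fixed"
        else if (port >= 32768 && port <= 65535) cls = "dynamic"
        else cls = "other"
        key = cls " " $3 " " port " " svc
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Services that a static allow-list of 111/2049/4045 would NOT cover.
uncovered_services() {
    classify_rpc_ports | awk '$1 != "fixed" { print $4 }' | sort -u |
        tr '\n' ' ' | sed 's/ $//'
}

# On a live server: rpcinfo -p | classify_rpc_ports
sample_rpcinfo | classify_rpc_ports
echo "not covered by fixed-port rules: $(sample_rpcinfo | uncovered_services)"
```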

Doug McIntyre

Mar 17, 2010, 10:54:39 AM
Casper H.S. Dik <Caspe...@Sun.COM> writes:
>"mik...@gmail.com" <mik...@gmail.com> writes:
>>> You will need them both for udp and tcp:
>>>
>>> 111 (rpcbind/portmap)
>>> 2049 NFS protocol (not mountd!)
>>> 4045 lockmgr
>>>
>>> Mountd/rquotad/status use random ports.
>>>
>>> What are the clients?

>>UDP too? We're Solaris 10 all around - isn't that by default TCP NFS?

>To be honest, I'm not sure that the clients will always use TCP
>for all of the protocols.

>>The clients are all Solaris 10. Eventually we will go to NFSv4 - but
>>until that project fires up we need to get the firewall rules
>>straight.

>>Do we define a range for mount/rquotad/status ?

>Unfortunately, that range would be 2^15 - 2^16-1.


What the OP really needs is a firewall that is smart enough about
watching the protocol itself to let through the RPC/NFS protocol, and
opening the ports as required. There are several out there that can do this
(e.g. Fortigate, Juniper, etc).

John D Groenveld

Mar 17, 2010, 12:02:45 PM
In article <4ba0ed2f$0$50146$8046...@newsreader.iphouse.net>,

Doug McIntyre <mer...@geeks.org> wrote:
>What the OP really needs is a firewall that is smart enough about
>watching the protocol itself to let through the RPC/NFS protocol, and

Also, the OP needs to ask why is there a firewall between the
NFS server and clients:
What are the risks?
Is NFS the right solution?
Is VPN or ssh tunnel a possible hack?

John
groe...@acm.org

Sami Ketola

Mar 18, 2010, 1:43:51 PM
Doug McIntyre <mer...@geeks.org> wrote:
> What the OP really needs is a firewall that is smart enough about
> watching the protocol itself to let through the RPC/NFS protocol, and
> opening the ports as required. There are several out there that can do this
> (e.g. Fortigate, Juniper, etc).

But since both his server and clients are Solaris 10 systems he could use
WebNFS mounts for easier firewall traversal.

Sami