Will Network File System (NFS) versions 2, 3 and 4 work through a firewall?
- Category:
- clustered-data-ontap-8
- Specialty:
- NAS
- Last Updated:
- 3/15/2023, 9:52:01 AM
Applies to
Data ONTAP 7 and earlier
Answer
NFS versions 2 and 3 depend on the SunRPC portmapper service to determine which ports services are running on. This means that NFS and the various sideband protocols can change which ports they are listening on. Therefore, the firewall rules required depend on the configuration of the NFS server on the storage system. NFS version 4 does not rely on the SunRPC portmapper and listens on TCP port 2049. Per RFC 7530, it cannot use the UDP protocol to communicate.
Recommendations for attempting to use NFS versions 2 and 3 through a firewall:
NOTE: NFSv2 is not supported in clustered Data ONTAP.
- Use NFS over TCP. This is generally recommended because normally routers are associated with firewalls; therefore, NFS/TCP will be routable and more reliable than NFS over UDP.
  - To enable NFS over TCP on the storage system, type the following via one of the command line interfaces:
    - (7-Mode) Enter
      options nfs.tcp.enable on
    - (clustered Data ONTAP) Enter
      vserver nfs modify -tcp enabled
  - If the NFS client OS does not already mount NFS/TCP, then make sure the NFS clients mount the filer using NFS/TCP:
    - Manually mount NFS/TCP (on some UNIX NFS clients) by entering:
      mount -o proto=tcp filer:/vol/volume /mnt_point
    - Edit the UNIX NFS client's /etc/fstab, or equivalent file, to mount NFS/TCP during boot up if necessary.
- Obtain all NFS ports that the storage system is listening on and have the firewall administrator allow access between the storage system and NFS clients on the ports.
  - From the UNIX NFS client, enter
    rpcinfo -p <filer_hostname>
  - Have the firewall administrator enable access to the ports listed in the 4th column along with the protocol of the 3rd column of the rpcinfo output.
Setting up NFSv2/v3/v4 through a firewall can be done. If you have trouble configuring your firewall to work with NFS:
- Check the firewall logs to see if network traffic to and from the storage system is blocked. If traffic to and from the storage system is blocked, determine what ports are used, as this may be NFS traffic being blocked.
- If issues persist, consult the firewall documentation/support to address configuration issues.
Sample output from a 7-Mode storage system:
[root@linux-host ~]# rpcinfo -p filer
program vers proto port service
100011 1 udp 4049 rquotad
100024 1 tcp 4047 status
100024 1 udp 4047 status
100021 4 tcp 4045 nlockmgr
100021 3 tcp 4045 nlockmgr
100021 1 tcp 4045 nlockmgr
100021 4 udp 4045 nlockmgr
100021 3 udp 4045 nlockmgr
100021 1 udp 4045 nlockmgr
100003 4 tcp 2049 nfs
100005 3 tcp 4046 mountd
100003 3 tcp 2049 nfs
100005 2 tcp 4046 mountd
100005 1 tcp 4046 mountd
100003 2 tcp 2049 nfs
100005 3 udp 4046 mountd
100003 3 udp 2049 nfs
100005 2 udp 4046 mountd
100005 1 udp 4046 mountd
100003 2 udp 2049 nfs
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
For more information on how the storage system has adopted static ports, see Bug 70769
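The port-collection step above (protocol from column 3, port from column 4 of the rpcinfo output) can be scripted so the firewall administrator receives a de-duplicated list. This is an added example, not part of the original article; `nfs_fw_ports` is a hypothetical helper name, and the embedded input is the article's own sample output.

```shell
#!/bin/sh
# Added example: turn `rpcinfo -p` output into a de-duplicated proto/port allowlist.

# The article's sample output for a 7-Mode system, embedded so the script runs offline.
sample_rpcinfo() {
cat <<'EOF'
program vers proto port service
100011 1 udp 4049 rquotad
100024 1 tcp 4047 status
100024 1 udp 4047 status
100021 4 tcp 4045 nlockmgr
100021 3 tcp 4045 nlockmgr
100021 1 tcp 4045 nlockmgr
100021 4 udp 4045 nlockmgr
100021 3 udp 4045 nlockmgr
100021 1 udp 4045 nlockmgr
100003 4 tcp 2049 nfs
100005 3 tcp 4046 mountd
100003 3 tcp 2049 nfs
100005 2 tcp 4046 mountd
100005 1 tcp 4046 mountd
100003 2 tcp 2049 nfs
100005 3 udp 4046 mountd
100003 3 udp 2049 nfs
100005 2 udp 4046 mountd
100005 1 udp 4046 mountd
100003 2 udp 2049 nfs
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
EOF
}

# nfs_fw_ports [tcp|udp|all] (hypothetical helper): reads rpcinfo -p output on
# stdin and prints one "proto/port service[,service]" line per unique pair.
nfs_fw_ports() {
  awk -v want="${1:-all}" '
    $1 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {      # skip header and shell prompt lines
      if (want != "all" && $3 != want) next
      key = $3 "/" $4                          # column 3 = proto, column 4 = port
      svc = ($5 == "" ? ("rpc-" $1) : $5)      # unnamed programs keep their number
      if (!(key in seen)) seen[key] = svc
      else if (index("," seen[key] ",", "," svc ",") == 0) seen[key] = seen[key] "," svc
    }
    END { for (k in seen) print k, seen[k] }
  ' | LC_ALL=C sort -t/ -k1,1 -k2,2n
}

# Against a live system: rpcinfo -p <filer_hostname> | nfs_fw_ports tcp
sample_rpcinfo | nfs_fw_ports tcp
```

On the sample output, the `tcp` filter yields five entries (111, 2049, 4045, 4046, 4047). rquotad is registered only on udp/4049 there, so a TCP-only rule set does not cover quota queries.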