Will Network File System (NFS) versions 2, 3 and 4 work through a firewall?

Applies to

Data ONTAP 7 and earlier

Answer

NFS version 2 and 3 is dependant on the SunRPC portmapper service to determine what ports services are running on. This means that NFS and the various sideband protocols can change which ports they are listening on. Therefore, the firewall rules necessary are dependant on the configuration of the NFS server on the storage system. NFS version 4 is not reliant upon the sunrpc portmapper and listens on TCP port 2049. It cannot use the UDP protocol to communicate per RFC 7530.

Recommendations for attempting to use NFS versions 2 and 3 through a firewall:

NOTE: NFSv2 is not supported in clustered Data ONTAP

1. Use NFS over TCP.  This is generally recommended because normally routers are associated with firewalls; therefore, NFS/TCP will be routable and more reliable than NFS over UDP.
2. To enable NFS over TCP on the storage system, type the following via one of the command line interfaces:
   1. (7-Mode) Enter options nfs.tcp.enable on
   2. (clustered Data ONTAP) Enter vserver nfs modify -tcp enabled
3. If the NFS client OS does not already mount NFS/TCP, then make sure the NFS clients mount the filer using NFS/TCP:
   1. Manually mount NFS/TCP using the following command (on some UNIX NFS clients) by entering:

      mount -o proto=tcp filer:/vol/volume /mnt_point

   2. Edit the UNIX NFS client's /etc/fstab, or equivalent file, to mount NFS/TCP during boot up if necessary.
4. Obtain all NFS ports that the storage system is listening on and have the firewall administrator allow access between the storage system and NFS clients on the ports.
   1. From the UNIX NFS client, enter rpcinfo -p </filer_hostname>
   2. Have the firewall administrator enable access to the ports listed in the 4th column along with the protocol of the 3rd column of the rpcinfo output.

Setting up NFSv2/v3/v4 through a firewall can be done. If you have trouble configuring your firewall to work with NFS:

1. Check the firewall logs to see if network traffic to and from the storage system is blocked. If traffic to and from the storage system is blocked, determine what ports are used, as this may be NFS traffic being blocked.
2. If issues persist, consult the firewall documentation/support to address configuration issues. 

Sample output to a 7-mode storage system:
[root@linux-host ~]# rpcinfo -p filer
   program vers proto   port  service
    100011    1   udp   4049  rquotad
    100024    1   tcp   4047  status
    100024    1   udp   4047  status
    100021    4   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    1   udp   4045  nlockmgr
    100003    4   tcp   2049  nfs
    100005    3   tcp   4046  mountd
    100003    3   tcp   2049  nfs
    100005    2   tcp   4046  mountd
    100005    1   tcp   4046  mountd
    100003    2   tcp   2049  nfs
    100005    3   udp   4046  mountd
    100003    3   udp   2049  nfs
    100005    2   udp   4046  mountd
    100005    1   udp   4046  mountd
    100003    2   udp   2049  nfs
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

For more information on how the storage system has adopted static ports, see Bug 70769
 

Additional Information

N/A