# Ubuntu – Firewall problem using autofs with NFS-exported mounts

Tags: mount, networking, nfs, ufw

I have successfully set up a working NFS server/client system on my local network machines. I love it!

But, having grown weary of the long delay when a mount is not available during boot time, I decided to take @ridgy up on his suggestion to use autofs to mount the shares instead – using the information from this post.

I had firewall issues before, so I immediately suspected that ufw might be the reason for the mounts timing out. So I disabled ufw on server and client. And, sure enough, that got autofs working nicely. So I am sure the basic configuration is correct.

The only other rules in ufw at this point are ALLOW rules for ports 2078 and 6589. There are no BLOCK rules set up. And, since NFS works fine with ufw on during fstab-controlled mounting, I am a bit confused as to where the blockage is occurring.

So far, I haven't found documentation on which ports/protocols are unique to autofs besides the usual NFS 111 and 2049 TCP/UDP.

Whenever I re-enable ufw, the shares become inaccessible again.

Any ideas?

@ridgy

After following your advice below to edit nfs-common and nfs-kernel-server, I triple checked, and the edits were made exactly as shown.
I rebooted and ran…

$ sudo netstat -nalp | grep rpc

The output was:

```
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1220/rpcbind
tcp 0 0 0.0.0.0:32767 0.0.0.0:* LISTEN 4158/rpc.mountd
tcp6 0 0 :::111 :::* LISTEN 1220/rpcbind
tcp6 0 0 :::32767 :::* LISTEN 4158/rpc.mountd
udp 0 0 0.0.0.0:972 0.0.0.0:* 1220/rpcbind
udp 0 0 0.0.0.0:32767 0.0.0.0:* 4158/rpc.mountd
udp 0 0 0.0.0.0:111 0.0.0.0:* 1220/rpcbind
udp6 0 0 :::972 :::* 1220/rpcbind
udp6 0 0 :::32767 :::* 4158/rpc.mountd
udp6 0 0 :::111 :::* 1220/rpcbind
unix 2 [ ACC ] STREAM LISTENING 15939 1/init /run/rpcbind.sock
unix 2 [ ] DGRAM 49175 4158/rpc.mountd
unix 3 [ ] STREAM CONNECTED 48294 1220/rpcbind /run/rpcbind.sock
unix 3 [ ] STREAM CONNECTED 16984 1220/rpcbind
unix 3 [ ] STREAM CONNECTED 48275 4157/rpc.idmapd
unix 3 [ ] STREAM CONNECTED 48276 4157/rpc.idmapd
```

OK… So, I wonder… Where is rpc.statd??? Additionally, my NFS shares (autofs was still disabled) were still visible from the client, even though the firewall had not been updated with the new rpc.mountd port 32767.

#### Best Answer

In the end it was not that complicated, following the hints in Securing NFS. I modified the files /etc/default/nfs-common and /etc/default/nfs-kernel-server accordingly:

nfs-common:

```
...
# Options for rpc.statd.
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
# For more information, see rpc.statd(8) or http://wiki.debian.org/SecuringNFS
STATDOPTS="--port 32765 --outgoing-port 32766"
...
```

nfs-kernel-server:

```
...
# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
RPCMOUNTDOPTS="--manage-gids --port 32767"
...
```

Why those ports?
As 32767 is the highest 15-bit number, it is very unlikely that these ports are already in use by something else. I am not using quotas, so I did not modify /etc/default/quota as suggested. And I had to reboot after I made these changes. Then I saw the result with `$ sudo netstat -nalp | grep rpc`:

```
tcp        0      0 0.0.0.0:32767           0.0.0.0:*               LISTEN      1018/rpc.mountd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      735/rpcbind
tcp        0      0 0.0.0.0:32765           0.0.0.0:*               LISTEN      806/rpc.statd
tcp6       0      0 :::32767                :::*                    LISTEN      1018/rpc.mountd
tcp6       0      0 :::111                  :::*                    LISTEN      735/rpcbind
tcp6       0      0 :::32765                :::*                    LISTEN      806/rpc.statd
udp        0      0 0.0.0.0:875             0.0.0.0:*                           735/rpcbind
udp        0      0 127.0.0.1:982           0.0.0.0:*                           806/rpc.statd
udp        0      0 0.0.0.0:32765           0.0.0.0:*                           806/rpc.statd
udp        0      0 0.0.0.0:32767           0.0.0.0:*                           1018/rpc.mountd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           735/rpcbind
udp6       0      0 :::875                  :::*                                735/rpcbind
udp6       0      0 :::32765                :::*                                806/rpc.statd
udp6       0      0 :::32767                :::*                                1018/rpc.mountd
udp6       0      0 :::111                  :::*                                735/rpcbind
unix  2      [ ACC ]     STREAM     LISTENING     11412    735/rpcbind         /run/rpcbind.sock
unix  2      [ ]         DGRAM                    9521     806/rpc.statd
unix  2      [ ]         DGRAM                    9614     1018/rpc.mountd
unix  3      [ ]         STREAM     CONNECTED     11721    862/rpc.idmapd
unix  3      [ ]         STREAM     CONNECTED     11722    862/rpc.idmapd
```


As you can see, the ports rpc.mountd and rpc.statd are listening on are now static.

When entering showmount on the client (here 192.168.192.20), Wireshark shows the communication (server is 192.168.192.111). Important here: the GETPORT Call and the GETPORT Reply, which returns Port:32767. The communication then uses this port.

Now you should be able to modify the firewall rules accordingly, and then use showmount and autofs through the firewall.

Just for the record

Following the hints in the comments and my own experience, I found different behaviour in different distributions:

• In current Raspbian jessie (based on Debian), there is a service nfs-common (file /etc/init.d/nfs-common), which, when enabled, starts e.g. rpc.statd at boot, respecting the port settings in /etc/default/nfs-common.
• In current Ubuntu 16.04 there is no such service. rpc.statd is not started at boot, as it is not needed with NFS v4. But as soon as mount .... -o nfsvers=3 is done, rpc.statd is started, respecting the port settings in /etc/default/nfs-common.

I did not find consistent documentation on that; in How to configure NFS the file /etc/init.d/nfs-common is explicitly mentioned, although it is not in the package. If anyone has hints/links on that it would be richly deserved.

One more remark: man rpc.mountd and man rpc.statd say (for option --port):

"If this option is not specified, rpc.statd will try to consult /etc/services, if gets port succeed, set the same port for all listener socket, otherwise chooses a random ephemeral port for each listener socket."

Even when setting the ports in /etc/services (as suggested in the above-mentioned wiki), this did not work. So modifying the files in /etc/default seems mandatory; the man pages are not correct at that point.
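The answer pins rpc.statd and rpc.mountd to fixed ports so that a port-based firewall can be written for NFSv3, but it leaves two things to the reader: verifying that nothing RPC-related is still registered on a random port, and writing ufw rules that open those ports only to the LAN rather than to everyone. The following script is an added example, not part of the original answer, the Debian wiki or the nfs-utils package. It parses `rpcinfo -p` output (the embedded sample is constructed, not captured from a real host), flags registrations that are not on one of the pinned ports, and prints the ufw rules for the rest, restricted to a source subnet. The subnet 192.168.192.0/24 and the pinned port list are assumptions taken from the numbers used above; the nlockmgr entry in the sample is deliberately left on a dynamic port, because the kernel lock manager is not configured through /etc/default/nfs-* and is pinned separately via the sysctls fs.nfs.nlm_tcpport and fs.nfs.nlm_udpport.

```shell
#!/bin/sh
# Added example (not from the original post): audit which ports the NFSv3
# RPC services are registered on and emit matching ufw rules limited to the LAN.
# ASSUMPTION: the LAN is 192.168.192.0/24 and the pinned ports are the ones
# chosen in the answer (statd 32765, mountd 32767) plus rpcbind 111 and nfsd 2049.

LAN_NET="${LAN_NET:-192.168.192.0/24}"
PINNED_PORTS="111 2049 32765 32767"

# Constructed sample of `rpcinfo -p` output after pinning statd and mountd.
# nlockmgr is intentionally left on dynamic ports: /etc/default/nfs-* does
# not pin it, so a port-based firewall will silently break NFSv3 locking.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100024    1   tcp  32765  status
    100024    1   udp  32765  status
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   tcp  37871  nlockmgr
    100021    4   udp  44297  nlockmgr'

# rpc_ports TEXT: print "service proto port" for every registration, skipping
# the header line and collapsing the per-version duplicates.
rpc_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF == 5 { print $5, $3, $4 }' | sort -u
}

# unpinned TEXT: registrations whose port is not in PINNED_PORTS. Anything
# printed here would be blocked by a firewall that only opens the pinned
# ports; the fix is to pin that service too (for nlockmgr: the
# fs.nfs.nlm_tcpport / fs.nfs.nlm_udpport sysctls), then re-run the audit.
unpinned() {
    rpc_ports "$1" | awk -v pinned="$PINNED_PORTS" '
        BEGIN { n = split(pinned, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        !($3 in ok)'
}

# ufw_rules TEXT LAN: one "ufw allow" per distinct proto/port pair, restricted
# to the LAN source so rpcbind and nfsd are not opened to every interface.
# Rules are printed, not executed, so they can be reviewed before applying.
ufw_rules() {
    rpc_ports "$1" | awk -v lan="$2" '
        { key = $2 " " $3 }
        !(key in seen) { seen[key] = 1
            print "ufw allow from " lan " to any port " $3 " proto " $2 }'
}

# Stand-alone demo on the constructed sample; pass --live to audit this host
# (needs rpcinfo from the rpcbind package).
if [ "${1:-}" = "--live" ]; then
    INPUT=$(rpcinfo -p)
else
    INPUT=$SAMPLE_RPCINFO
fi
echo "# RPC registrations (service proto port):"
rpc_ports "$INPUT"
echo "# Registrations NOT on a pinned port (will be blocked by a port-based firewall):"
unpinned "$INPUT"
echo "# Proposed ufw rules:"
ufw_rules "$INPUT" "$LAN_NET"
```

Run it on the server after the reboot the answer mentions; an empty "NOT on a pinned port" section means every RPC service the client will be told about via GETPORT is covered by the printed rules. If the clients run ufw as well, repeat the exercise there, since the server's rpc.statd and lock manager send notifications and lock callbacks back to the client.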