SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
In some cases, especially when a firewall is in use, static ports need to be set for NFS services. This can be more complex than initially thought, because NFS relies on various services. There are also certain services that run on both NFS Server hosts and NFS Client hosts, so firewalls on both sides may need adjustment.
NFS 4.x:
NFS v4 generally only requires 1 port to be open, TCP destination port 2049 at the NFS Server side. This allows clients to initiate connections to it.
In some rarer cases, NFS 4.0 servers might need to contact an NFS client on a separate connection, in the opposite direction, initiated from the NFS Server's port 2049. So a rule allowing connections incoming from TCP source port 2049 (to various ports on the NFS client machine) might be needed at the client side. However, this practice is eliminated in NFS 4.1. Therefore, if the version used by the client can be controlled, the client-side firewall exception may not be needed.
Linux NFS clients can control the version requested with the mount option:
Valid on SLES 11 and higher: nfsvers=4,minorversion=1
An alternative on SLES 12 and higher: nfsvers=4.1
NFS 3 and 2:
NFS services (v3 and v2) generally require 5 services be running and accessible through a firewall:
portmapper
nfsd
mountd
lockd
statd
If there are firewalls between an NFS client and server, a firewall exception will be needed for each of these services. But first, it is often required to ensure that these services run on a static port. In other words, to ensure that they will use the same port every time they are initialized.
Portmapper
Portmapper runs and listens on both NFS clients and on NFS servers. It already runs on a static port, 111 for both TCP and UDP. Firewalls should be configured to allow incoming packets to this port on both TCP and UDP. This firewall exception is needed for incoming packets to both NFS Server systems and NFS client systems.
NFSD
The NFS Daemon runs only on NFS Servers (not on clients). It already runs on a static port, 2049 for both TCP and UDP. Firewalls should be configured to allow incoming packets to this port on both TCP and UDP. This firewall exception is only needed for packets incoming to an NFS Server.
Mountd
Mount daemon runs only on NFS Servers.
SLES 12 and higher
mountd will use the static port 20048 (specified in /etc/services).
SLES 11 and older
mountd does not use the value in /etc/services. Therefore, to set a static port on those older distributions, edit /etc/sysconfig/nfs and find and set:
MOUNTD_PORT=nnnn
Where nnnn is replaced by the desired port number. The number can be either by itself or enclosed in double quotes.
The firewall exception for TCP and UDP is needed for packets incoming to an NFS Server (not to an NFS client).
Lockd (NFS Lock Manager Daemon) and Statd (Status Daemon)
Lockd and Statd run on both NFS Clients and NFS Servers. Static ports can be set and then firewall exceptions will be needed for incoming TCP and UDP packets to those ports on both NFS Clients and NFS Servers.
SLES 11 SP2 and higher, including SLES 12 and 15
In /etc/sysconfig/nfs, find and set the parameters as desired:
STATD_PORT=
LOCKD_TCPPORT=
LOCKD_UDPPORT=
NOTE: Initially, SLES 12 did not supply or use these parameters in /etc/sysconfig/nfs. However, the code to make use of them has been added in maintenance updates. Update the packages "nfs-client" and "nfs-kernel-server" to version 1.3.0-9.1 (released in October 2015).
If an update is not yet possible for some reason, then at least the lockd tcp and udp ports can be set in this alternative manner:
Edit /etc/sysctl.conf and add:
fs.nfs.nlm_udpport=xxxx
fs.nfs.nlm_tcpport=yyyy
where xxxx and yyyy are replaced with the desired port numbers.
SLES 11 SP1:
For statd ports on NFS Servers, edit /etc/init.d/nfsserver and find the line:
startproc /usr/sbin/rpc.statd --no-notify || {
and add a port parameter to it, so it reads:
startproc /usr/sbin/rpc.statd --no-notify -pnnnn || {
where nnnn is the port number desired.
For statd ports on NFS Clients, edit /usr/sbin/start-statd and find the line:
rpc.statd --no-notify
and add a port parameter, so it reads:
rpc.statd --no-notify -pnnnn
where nnnn is the port number desired.
If the system is both an NFS server and NFS client, perform both of the above modifications.
Then for lockd ports, use the method below for SLES 10 SP3 and SP4. On SLES 11, this will be effective for lockd ports but not for statd ports, unlike its behavior on SLES 10.
SLES 10 SP3 and SP4:
The lockd and statd ports are both controlled by a kernel module, lockd. To set the static ports, find or create the file:
/etc/modprobe.d/lockd
Populate the file with the following (change the port numbers to the desired values):
options lockd nlm_udpport=4002 nlm_tcpport=4002
The above will come into effect upon a reboot.
If a reboot is not feasible, you can temporarily set them with:
echo 4002 > /proc/sys/fs/nfs/nlm_tcpport
echo 4002 > /proc/sys/fs/nfs/nlm_udpport
SLES 9:
The kernel module that controls NFS is compiled into the SLES 9 kernel, so the ports are changed with kernel parameters. For example:
nlm_udpport=4002 nlm_tcpport=4002
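Whichever of the methods above applies to your release, it is worth confirming that the NFS v3/v2 services are really registered on the chosen ports before adding firewall exceptions. The following is an added example, not part of the original article or of any SUSE tooling: it parses `rpcinfo -p` output and reports services that are missing or still on a dynamic port. The function names, the embedded sample output and the statd/lockd port values are constructed for illustration.

```shell
# Expected static ports. 111, 2049 and 20048 are the ports named in this
# article; 4000 (statd) and 4002 (lockd) are constructed sample choices.
EXPECTED="portmapper=111 nfs=2049 mountd=20048 status=4000 nlockmgr=4002"

# check_nfs_ports: reads `rpcinfo -p` output on stdin, prints one line per
# problem, and returns 0 only if every expected service is registered and
# every one of its registrations uses the expected port.
check_nfs_ports() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        # Data rows look like: program vers proto port service
        NF == 5 && $1 ~ /^[0-9]+$/ && ($5 in want) {
            seen[$5] = 1
            if ($4 != want[$5]) {
                printf "MISMATCH %s/%s on port %s, expected %s\n", $5, $3, $4, want[$5]
                bad = 1
            }
        }
        END {
            for (s in want) if (!(s in seen)) {
                printf "MISSING %s is not registered\n", s
                bad = 1
            }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: lockd over UDP is still on a dynamic port.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp   4000  status
    100021    4   udp  38412  nlockmgr
    100021    4   tcp   4002  nlockmgr
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
EOF
}

# Demo on the sample; on a live host run: rpcinfo -p | check_nfs_ports
sample_rpcinfo | check_nfs_ports || true
```

On an NFS client, reduce EXPECTED to portmapper, status and nlockmgr, since nfsd and mountd run only on NFS Servers.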
Quotas
In some cases involving quota usage, it may be necessary to add an rquota entry to /etc/services. For example:
rquotad 4003/tcp
rquotad 4003/udp
Changing the NFS port
At this time, changing the NFS port is not supported. RFC specifications for version 4 state that the "registered port 2049...for the NFS protocol should be the default configuration." SLES follows the RFC standard in the default scripts. If, for some reason, the port assignment for NFS needs to be changed, you will need to change /etc/init.d/nfsserver and modify the way nfsd is starting. Please note that custom edits of /etc/init.d/nfsserver are neither recommended nor supported. Furthermore, changed /etc/init.d scripts could be replaced during online updates or when updating to a new service pack.
Note: Changing the NFS port in /etc/services will not change the port.