Which ports do I need to open in the firewall to use NFS?

$ rpcinfo -p | grep nfs

Port 111 (TCP and UDP) and 2049 (TCP and UDP) for the NFS server.

There are also ports for Cluster and client status (Port 1110 TCP for the former, and 1110 UDP for the latter) as well as a port for the NFS lock manager (Port 4045 TCP and UDP). Only you can determine which ports you need to allow depending on which services are needed cross-gateway.

In addition to 111 for portmapper and 2049 for nfs, you will need to allow the mountd port and possibly rquotad, lockd, and statd, all of which can be dynamic. This excellent NFS security guide recommends changing your startup scripts and kernel module configs to force them to use static ports.

In addition to the guide above, which has a section on firewalls, see my answer to another question about hardening NFS.

I found useful directions for my problem on this page, but there was no easy to follow recipe. So here's my recipe.

TL;DR - need to allow both nfs ports (111, 2049) and mountd port after fixing it.

Instructions:

Setting up a fixed port for mountd

gksudo gedit /etc/default/nfs-kernel-server

• comment out this line: RPCMOUNTDOPTS=--manage-gids
• add this instead: RPCMOUNTDOPTS="--port 33333"

Or any other port number.

now try to reset nfs using:

sudo service nfs-kernel-server restart

And test if it helped using:

rpcinfo -p | grep "tcp.*mountd"

For me it wasn't enough, but a full restart fixed the issue.

(credit)

Setting up the firewall

(1) delete old rules, do this manually or reset if this is the only use for the firewall:

sudo ufw reset
sudo ufw enable

(2) add nfs & mountd ports

sudo ufw allow in from 10.0.0.1/20 to any port 111 
sudo ufw allow in from 10.0.0.1/20 to any port 2049
sudo ufw allow in from 10.0.0.1/20 to any port 33333

(Change to your local IP's or to "any" instead of 10.0.0.1/20)

That's all there's to it.

This will give a list of all ports used by all NFS-related program:

rpcinfo -p | awk '{print $3" "$4}' | sort -k2n | uniq

With FERM one can use Backticks to get the ports from rpcinfo, for example:

Server:

proto tcp {saddr ($CLIENT) {
  dport (`rpcinfo -p | perl -e 'while(<>){/\s+\d+\s+\d\s+(?:tcp)\s+(\d+)/ and $ports{$1}=1}; $, = " "; print sort(keys(%ports)),"\n"'`) ACCEPT; # NFS
}}
proto udp {saddr ($CLIENT) {
  dport (`rpcinfo -p | perl -e 'while(<>){/\s+\d+\s+\d\s+(?:udp)\s+(\d+)/ and $ports{$1}=1}; $, = " "; print sort(keys(%ports)),"\n"'`) ACCEPT; # NFS
}}

Client:

proto udp {saddr ($SERVER) {ACCEPT;}}  # NFS

(If you're only going to use the TCP then you need only the proto tcp part).

To mount Synology to Ubuntu 18.04 system, I had to enable ports 111,892,2049

When mounting, here is what I see (NFS 4 is not enabled on my Synology):

root@ub18ovh# mount -a -vv
mount.nfs: trying text-based options 'vers=4.2,addr=5.6.7.8,clientaddr=1.2.3.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4.1,addr=5.6.7.8,clientaddr=1.2.3.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4.0,addr=5.6.7.8,clientaddr=1.2.3.4'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'addr=5.6.7.8'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 5.6.7.8 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 5.6.7.8 prog 100005 vers 3 prot UDP port 892
successfully mounted

For the records, I had to add permissions for ports 111, 2049 AND 1048 for a configuration where an NFS share is exported by a Windows 2008 R2 server and the clients are Ubuntu 12.04.4.

I hope this helps someone.

if you use csf firewall and nfs does not mount you most likely miss the open ports used by nlockmgr, find them by typing

rpcinfo -p

Next edit /etc/sysctl.conf to LOCK the ports on these numbers (example port) and add these 2 lines. Then restart portmap, nfs-server.

fs.nfs.nlm_udpport=38073 

fs.nfs.nlm_tcpport=38747