need way to specify the lockd port

Bug #28706 reported by Florin Iucha
Affects                     Status     Importance  Assigned to  Milestone
module-init-tools           Invalid    Undecided   Unassigned
module-init-tools (Baltix)  Invalid    Undecided   Unassigned
module-init-tools (Ubuntu)  Invalid    Undecided   Unassigned
nfs-utils (Ubuntu)          Confirmed  Wishlist    Unassigned

Bug Description

I am using nfs v3 through a firewall and I am specifying the statd port in /etc/defaults/nfs-common and the mountd port in /etc/defaults/nfs-kernel-server, but there is no way to specify the lockd port.

I have added
   fs.nfs.nlm_tcpport=4001
   fs.nfs.nlm_udpport=4001
to /etc/sysctl.conf but during bootup I get an error that the directory entries are not available (because nfs is a module) yet.

I am also doing an
   echo 4001 > /proc/sys/fs/nfs/nlm_tcpport
   echo 4001 > /proc/sys/fs/nfs/nlm_udpport
at the beginning of /etc/init.d/nfs-common but it fails for a similar reason to set it when it is run for the first time.

In order to get it working I have to restart the services after the machine is booted up.

Revision history for this message
Dane Mutters (dmutters) wrote :

Try adding this to /etc/modules.conf:

lockd.nlm_udpport=4001 lockd.nlm_tcpport=4001

...and make sure that you have the lockd compiled as a module. (Try "sudo modprobe lockd".)

That works for me. The page that suggests it is here:

http://da.gentoo-wiki.com/HOWTO_Share_Directories_via_NFS

Perhaps we should have one of these how-tos for Ubuntu.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Florin, did DaneM's suggestion work for you?

Revision history for this message
Florin Iucha (florin-iucha) wrote :

Timo,

I switched to compiling my own kernels so I did not try Dane's suggestion.

Revision history for this message
AleksanderAdamowski (aadamowski) wrote :

In my case (Dapper), adding to /etc/modules.conf (actually to /etc/modutils/local-lockd and running update-modules to populate /etc/modules.conf) didn't help, as I've verified with "cat /sys/module/lockd/parameters/nlm_*port".

The proper place was /etc/modprobe.conf, or rather /etc/modprobe.d/options.
Content the same, works fine.

Revision history for this message
AleksanderAdamowski (aadamowski) wrote :

BTW, maybe this should be the default. Who needs a randomized port for a service, anyway?
This certainly isn't any security measure, considering the availability of application mapping tools like amap.

Revision history for this message
AleksanderAdamowski (aadamowski) wrote :

According to initial googling, the most commonly used static port for nfs-lockd is 4045 (tcp/udp).

Couldn't find any commonly used static numbers for statd and mountd, but I usually put them at port numbers 1000 and 1001 correspondingly.

Revision history for this message
hugolp (hugolp2) wrote :

I have the same situation. Is there a way to solve this already?

Revision history for this message
AleksanderAdamowski (aadamowski) wrote :

Hugolp, add the following to /etc/modprobe.d/options and reboot:

options lockd nlm_udpport=4045 nlm_tcpport=4045

Revision history for this message
hugolp (hugolp2) wrote :

AleksanderAdamowski, that solution worked out. I have nfs through a firewall working now. Thanks.

Revision history for this message
AleksanderAdamowski (aadamowski) wrote :

This affects module-init-tools which contains the default /etc/modprobe.d/options.
It already contains a hack for quickcam module:

# Enable double-buffering so gstreamer et. al. work
options quickcam compatible=2

As another solution, one could place the options in a separate file (e.g. /etc/modprobe.d/nfs-defaults) that would ship with the nfs-common package.

Revision history for this message
AleksanderAdamowski (aadamowski) wrote :

Added the Baltix distribution by accident. Sorry for that.

Timo Aaltonen (tjaalton)
Changed in module-init-tools:
status: New → Invalid
status: New → Invalid
Timo Aaltonen (tjaalton)
Changed in module-init-tools:
status: New → Invalid
Charles Hooper (chooper)
Changed in nfs-utils (Ubuntu):
status: New → Confirmed
Revision history for this message
Shane Rice (shane2peru) wrote :

This is still a very relevant problem. I'm working on Ubuntu Jaunty, and cannot get NFS to connect through an iptables firewall because the ports keep changing. The changing ports are: nlockmgr and mountd, I don't know if status has to do with this or not, but this is a problem. All the links I have found to bind nfslockmgr (or nfs in general) tell you to edit files that don't exist on Ubuntu. A search for nfs-utils in the repos, comes up vacant. Any advances made on this would be appreciated. If I can supply any information, please let me know.

Shane

Revision history for this message
Dane Mutters (dmutters) wrote : Re: [Bug 28706] Re: need way to specify the lockd port

Oh, one thing: modules.conf is the wrong file. I meant modprobe.conf.

Revision history for this message
Dane Mutters (dmutters) wrote :

ack...AleksanderAdamowski already posted on this. modprobe.conf *should* work, but /etc/modprobe.d/options is probably a better choice. Anyway, I agree that there should be something done about this as per Shane Rice's suggestion. Perhaps edit the config files by default when installing the nfs server package...?

Revision history for this message
Shane Rice (shane2peru) wrote :

@DaneM - Thanks for the info, I didn't realize the old info was still good to go by.

It would be good to have something up on the Ubuntu docs page, that is usually where I look for info. If someone could write up a short how to, that would be great, at least the info would be out there and available to everyone.

Shane

Revision history for this message
Shane Rice (shane2peru) wrote :

My first attempt gave me this:
sudo modprobe lockd
WARNING: /etc/modprobe.conf line 1: ignoring bad line starting with 'lockd.nlm_udpport=4001'
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.

So instead of using modprobe.conf, I used /etc/modprobe.d/lockd.conf

It still complains about this:
sudo modprobe lockd
WARNING: /etc/modprobe.d/lockd.conf line 2: ignoring bad line starting with 'lockd.nlm_udpport=4001'

I made my first line: #lockd options.

Not sure if this is relevant, but reporting any way.

Shane

Revision history for this message
Shane Rice (shane2peru) wrote :

Ok, after playing around with this, I'm getting there. I want to document this here, so at least others and even myself can benefit from this in the future. I added this line: options lockd nlm_udpport=4045 nlm_tcpport=4045 to /etc/modprobe.d/options.conf; the port number can really be anything. Then I reboot and run rpcinfo -p, which shows that nlockmgr is bound to that port number, and we are one step closer. However mountd still comes up with a random port to use, and the firewall is still blocking us out. How do we bind the mountd port? I think status may play a part in this too. When we are done with this I will have learned enough to write up a small how to. :)

Shane


Revision history for this message
Dane Mutters (dmutters) wrote :

I found this while searching the mountd man pages:

-P portnum or --port portnum
               Makes mountd listen on port portnum instead of some random port.
               By default, mountd will listen on the mount/udp port specified
               in /etc/services, or, if that is undefined, on some arbitrary
               port number below 1024.

(note the CAPITAL "P")

I looked in /etc/services (on jaunty) and saw this:

sunrpc 111/tcp portmapper # RPC 4.0 portmapper
sunrpc 111/udp portmapper
...
nfs 2049/tcp # Network File System
nfs 2049/udp # Network File System

Do you think it would work if you were to open those ports in the firewall (assuming you haven't already)? I think that once the connection is established, the random port number becomes an established/related connection. I could be wrong. It's been a long time since I've messed with all this.

Revision history for this message
Shane Rice (shane2peru) wrote :

OK, got it. I put up a small how-to here:
http://ubuntuforums.org/showpost.php?p=7959294&postcount=17

Hope this helps.

Shane
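The verification step the thread converges on (lockd pinned through /etc/modprobe.d, mountd and statd through the --port options in /etc/default/*, then `rpcinfo -p` to confirm), as an added shell example that is not part of the bug report or of nfs-utils. The rpcinfo listing is constructed, and the expected port numbers (4045 for lockd, 1000 for statd, 1001 for mountd) are assumptions taken from the comments above.

```shell
#!/bin/sh
# Added example (not from the bug report or nfs-utils): check that the NFS
# helper services ended up on the fixed ports chosen for the firewall.
# Expected ports are assumptions taken from the thread: lockd 4045,
# statd 1000, mountd 1001 (e.g. "options lockd nlm_udpport=4045 nlm_tcpport=4045").

# Constructed sample of `rpcinfo -p` output: lockd is fixed, statd/mountd are not.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    100003    3   tcp   2049  nfs
    100021    1   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100005    3   udp  33333  mountd
    100005    3   tcp  33333  mountd'

# check_rpc_ports "<rpcinfo -p output>" <service> <expected port>
# Prints every registration of <service> that sits on another port and
# returns 1; returns 0 when all registrations use the expected port.
check_rpc_ports() {
    _bad=$(printf '%s\n' "$1" | awk -v svc="$2" -v want="$3" \
        '$5 == svc && $4 != want { print svc "/" $3 " on port " $4 " (expected " want ")" }')
    [ -z "$_bad" ] && return 0
    printf '%s\n' "$_bad"
    return 1
}

# lockd_param_is reads the live module parameter that AleksanderAdamowski
# used for verification; returns 2 when lockd is not loaded on this host.
lockd_param_is() {
    _f=/sys/module/lockd/parameters/nlm_tcpport
    [ -r "$_f" ] || return 2
    [ "$(cat "$_f")" = "$1" ]
}

# audit_rpc runs all three checks over one rpcinfo listing; 0 only if all pass.
audit_rpc() {
    _rc=0
    check_rpc_ports "$1" nlockmgr 4045 || _rc=1
    check_rpc_ports "$1" status 1000 || _rc=1
    check_rpc_ports "$1" mountd 1001 || _rc=1
    return $_rc
}

# On a real host: audit_rpc "$(rpcinfo -p)"
audit_rpc "$SAMPLE_RPCINFO" || echo "some NFS services are still on random ports"
```

Any line the audit prints is a service whose firewall rule would still have to follow a moving port; an empty run means the static rule set for 111, 2049 and the three pinned ports is sufficient.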

Revision history for this message
Dane Mutters (dmutters) wrote :

Excellent post! Thanks for making the how-to, Shane. You may want to consider posting this to the Ubuntu wiki, with a title something like, "Making NFS work with Ubuntu-CE-Firewall". That would make it a little easier to find.

Revision history for this message
MarkG (movieman523) wrote :

Is there a reason why NFS can't be set to use fixed ports by default? I don't see a security issue because rpcinfo gives you the ports anyway, so if you can connect to RPC you can find the ports; obviously you'd need to ensure that they didn't conflict with anything else, but hopefully that's easier than for thousands of users to have to figure out which files to change in order to get it to use fixed ports which can be firewalled reliably.

Revision history for this message
Christian Ehrhardt (paelzer) wrote :

Hi,
while clearing (admittedly way too old) bugs I've found that for this bug
the reason here IMHO can be summarized as "because that is how upstream wants it" [1], but they are aware, and so are the Ubuntu [2] (this still is what Shane & Dave started) and Debian [3] help pages about it.
Nowadays the default config in /etc/default/nfs-kernel-server also hints at the problem if you want/need to run with firewalls and points at [3]:
```
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
```

I'm not a security person, so I can't assess if there really is a security (or other) benefit of having them random by default.
But OTOH I also doubt that no one has ever tried to discuss it with upstream since I find similar pages for almost any other major Distro [4][5] and manufacturers [6].

If anyone is really annoyed by this even today I guess the way to go is to discuss that default with upstream (or find old discussions and why they failed). If someone spends the work please add a link back here so no one needs to re-find them again.

[1]: https://tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS
[2]: https://wiki.ubuntu.com/How%20to%20get%20NFS%20working%20with%20Ubuntu-CE-Firewall
[3]: https://wiki.debian.org/SecuringNFS
[4]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/storage_administration_guide/s2-nfs-nfs-firewall-config
[5]: https://www.suse.com/support/kb/doc/?id=000016649
[6]: https://www.ibm.com/docs/en/spectrum-scale/5.1.0?topic=firewall-recommendations-protocol-access
