Subscribe

NFS through a firewall

Hi all

On of our customers is requesting access to a NFS share on my FAS3040 appliance through a firewall. The same NFS share is accessed from clients which is not behind this firewall.

As far as I know there's a few requirements to get this working, eg. apply the port rules on the firewall.

The question; anyone who knows which ports to open on the firewall?

Thanks in advance everyone

/Jesper

Re: NFS through a firewall

There are 2 suggestions:-

1.)  Try to run rpcinfo -p from the client, on which nfs is mounted with out firewall to know ports required...

2.) Visit http://www.iana.org/assignments/port-numbers and search of all nfs ports and open them on firewall.

I hope this will help..

Re: NFS through a firewall

I recently set up NFS through my firewall from my DMZ and I use the following on my Cisco ASA:

object-group service nfs-ports
service-object tcp-udp eq 4000
service-object tcp-udp eq 4001
service-object tcp-udp eq 4046
service-object tcp-udp eq nfs
service-object tcp-udp eq sunrpc
service-object tcp-udp eq 4045

in the following ACL:

access-list dmz1_access_in remark Allow external FTP server NFS access to data-3170-a
access-list dmz1_access_in extended permit object-group nfs-ports host external-ftp-server host fas3170-nfs

Works perfectly for me.

Thanks!

Jason

Re: NFS through a firewall

Are you running NFSv3 or NFSv4?  We have a similar issue and because port assignment in NFSv3 is dynamic our InfoSec department recommended that we use NFSv4.  It's works, however we are having to work through some authentication issues as we are still using basic auth with NFSv4 instead of Kerberos.