Network Storage Protocols Discussions

NFS through a firewall

jen

Hi all

One of our customers is requesting access to an NFS share on my FAS3040 appliance through a firewall. The same NFS share is accessed from clients which are not behind this firewall.

As far as I know there are a few requirements to get this working, e.g. apply the port rules on the firewall.

The question: does anyone know which ports to open on the firewall?

Thanks in advance everyone

/Jesper

3 REPLIES

maddydev2001

There are 2 suggestions:

1.) Try to run rpcinfo -p from a client on which NFS is mounted without the firewall, to find out which ports are required...

2.) Visit http://www.iana.org/assignments/port-numbers, search for all NFS ports and open them on the firewall.

I hope this will help..

jason_lempka

I recently set up NFS through my firewall from my DMZ and I use the following on my Cisco ASA:

object-group service nfs-ports
service-object tcp-udp eq 4000
service-object tcp-udp eq 4001
service-object tcp-udp eq 4046
service-object tcp-udp eq nfs
service-object tcp-udp eq sunrpc
service-object tcp-udp eq 4045

in the following ACL:

access-list dmz1_access_in remark Allow external FTP server NFS access to data-3170-a
access-list dmz1_access_in extended permit object-group nfs-ports host external-ftp-server host fas3170-nfs

Works perfectly for me.

Thanks!

Jason
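The rpcinfo -p suggestion from this thread, worked through as an added example (not code from any poster): it filters rpcinfo output down to the RPC programs an NFSv3 client needs, renders them in the object-group style shown above, and compares two snapshots to spot services whose ports are assigned dynamically. The sample output is constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Standard ONC RPC program numbers an NFSv3 client has to reach.
NFS_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                100011: "rquotad", 100021: "nlockmgr", 100024: "status"}

# Constructed sample of `rpcinfo -p <server>` output (not from a real filer).
SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp   4046  mountd
    100021    4   tcp   4045  nlockmgr
    100004    2   udp    834  ypserv
"""
ROW = re.compile(r"^\s*(\d+)\s+\d+\s+(tcp|udp)\s+(\d+)\b")

def rows(text):
    """Yield (program, proto, port) for NFS-related rows; skip everything else."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(1)) in NFS_PROGRAMS:
            yield int(m.group(1)), m.group(2), int(m.group(3))

def nfs_ports(text):
    """Map port -> set of protocols that the firewall rule has to allow."""
    ports = defaultdict(set)
    for _, proto, port in rows(text):
        ports[port].add(proto)
    return dict(ports)

def moved_services(before, after):
    """Services whose ports differ between two snapshots (e.g. across a restart)."""
    def by_service(text):
        out = defaultdict(set)
        for prog, _, port in rows(text):
            out[NFS_PROGRAMS[prog]].add(port)
        return out
    b, a = by_service(before), by_service(after)
    return sorted(s for s in b.keys() | a.keys() if b[s] != a[s])

def asa_object_group(ports, name="nfs-ports"):
    """Render the ports in the object-group style used in the reply above."""
    body = [f" service-object {'tcp-udp' if len(p) == 2 else min(p)} eq {n}"
            for n, p in sorted(ports.items())]
    return "\n".join([f"object-group service {name}"] + body)
```

Calling asa_object_group(nfs_ports(SAMPLE)) returns the object-group text; any service reported by moved_services needs its port pinned on the server before a static ACL will keep working.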

__Demond_NC_17110

Are you running NFSv3 or NFSv4? We have a similar issue, and because port assignment in NFSv3 is dynamic our InfoSec department recommended that we use NFSv4. It works, however we are having to work through some authentication issues as we are still using basic auth with NFSv4 instead of Kerberos.
