NFS setup
30.07.2015 by Dirk Olmes

I’m planning to put my Raspberry Pi back to use. I have always disliked its dependency on SD memory cards, so I’m planning to put the Pi’s root filesystem on NFS. The Pi side will be a topic for another blog post later; first I’ll have to set up an NFS server on my main Gentoo machine.
The main NFS setup is described on the Gentoo wiki in sufficient detail. I had a bit of a headache getting NFS through my Shorewall-based firewall, though. There is a good section on NFS security in the NFS-HOWTO which describes all the necessary bits, and the Gentoo config files have all the required settings in their comments, too. It turns out that all you have to do is put some configuration into place, and the NFS server will play nicely with the firewall:
In /etc/sysctl.conf add these settings:
fs.nfs.nlm_tcpport = 4001
fs.nfs.nlm_udpport = 4001
In /etc/conf.d/nfs enable these settings:
OPTS_RPC_MOUNTD="-p 32767"
OPTS_RPC_STATD="-p 32765 -o 32766"
Now all NFS daemons should be locked down to specific ports, so you can add appropriate Shorewall rules:
ACCEPT loc fw tcp 111 # portmapper
ACCEPT loc fw udp 111
ACCEPT loc fw tcp 2049 # rpc.nfsd
ACCEPT loc fw udp 2049
ACCEPT loc fw tcp 4001 # kernel lockd
ACCEPT loc fw udp 4001
ACCEPT loc fw tcp 32765:32767
ACCEPT loc fw udp 32765:32767
Restart the nfs service and the firewall. Now clients on the local network should be able to mount shares over NFS.
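To confirm that the daemons really registered on the pinned ports after the restart, the output of rpcinfo -p can be compared against the ports the rules above open. The script below is an added example, not part of the original post; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag RPC registrations on ports the Shorewall rules do not open.

# Reads `rpcinfo -p` output on stdin. Prints one line per registration whose
# port is outside 111, 2049, 4001 and 32765-32767; returns 1 if any was found.
check_rpc_ports() {
    awk '
        $4 !~ /^[0-9]+$/ { next }            # skip the header and blank lines
        {
            port = $4 + 0
            if (port == 111 || port == 2049 || port == 4001 ||
                (port >= 32765 && port <= 32767)) next
            name = (NF >= 5 ? $5 : "program " $1)
            printf "%s/%s on port %d is not covered by the firewall rules\n", name, $3, port
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: what rpcinfo -p looks like with the settings in place.
sample_pinned() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp  32765  status
    100005    3   tcp  32767  mountd
    100003    3   tcp   2049  nfs
    100021    4   udp   4001  nlockmgr
EOF
}

# Constructed sample: daemons left on dynamically assigned ports.
sample_unpinned() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp  51234  status
    100005    3   tcp  48231  mountd
    100003    3   tcp   2049  nfs
    100021    4   udp  39455  nlockmgr
EOF
}

sample_pinned | check_rpc_ports && echo "pinned sample: all ports covered"
sample_unpinned | check_rpc_ports || echo "unpinned sample: settings not applied"
```

On the server itself, run it as rpcinfo -p | check_rpc_ports. The rpc.statd outgoing port (-o 32766) is not a registered listener, so it does not appear in the listing.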