[Bug 28706] Re: need way to specify the lockd port

Christian Ehrhardt  28706 at bugs.launchpad.net
Thu Sep 23 06:15:29 UTC 2021


Hi,
while clearing (admittedly way too old) bugs I've found that for this bug
the reason here IMHO can be summarized as "because that is how upstream wants it" [1] but they are aware and so are the Ubuntu [2] (this still is what Shane & Dave started) and Debian [3] help pages about it.
Nowadays also the default config in /etc/default/nfs-kernel-server hints at the problem if you want/need to run with firewalls and hints at [3]:
```
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information, 
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
``` 

I'm not a security person, so I can't assess if there really is a security (or other) benefit of having them random by default.
But OTOH I also doubt that no one has ever tried to discuss it with upstream since I find similar pages for almost any other major Distro [4][5] and manufacturers [6].

If anyone is really annoyed by this even today I guess the way to go is
to discuss that default with upstream (or find old discussions and why
they failed). If someone spends the work please add a link back here so
no one needs to re-find them again.

[1]: https://tldp.org/HOWTO/NFS-HOWTO/security.html#FIREWALLS
[2]: https://wiki.ubuntu.com/How%20to%20get%20NFS%20working%20with%20Ubuntu-CE-Firewall
[3]: https://wiki.debian.org/SecuringNFS
[4]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/storage_administration_guide/s2-nfs-nfs-firewall-config
[5]: https://www.suse.com/support/kb/doc/?id=000016649
[6]: https://www.ibm.com/docs/en/spectrum-scale/5.1.0?topic=firewall-recommendations-protocol-access

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nfs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/28706

Title:
  need way to specify the lockd port

Status in module-init-tools:
  Invalid
Status in module-init-tools package in Ubuntu:
  Invalid
Status in nfs-utils package in Ubuntu:
  Confirmed
Status in module-init-tools package in Baltix:
  Invalid

Bug description:
  I am using nfs v3 through a firewall and I am specifying the statd
  port in /etc/defaults/nfs-common and the mountd port in
  /etc/defaults/nfs-kernel-server but there is no way to specify the lockd
  port.

  I have added 
     fs.nfs.nlm_tcpport=4001
     fs.nfs.nlm_udpport=4001
  to /etc/sysctl.conf but during bootup I get an error that the directory entries are not available (because nfs is a module) yet.

  I am also doing an 
     echo 4001 > /proc/sys/fs/nfs/nlm_tcpport
     echo 4001 > /proc/sys/fs/nfs/nlm_udpport
  at the beginning of /etc/init.d/nfs-common but it fails for a similar reason to set it when it is run for the first time.

  In order to get it working I have to restart the services after the
  machine is booted up.

To manage notifications about this bug go to:
https://bugs.launchpad.net/module-init-tools/+bug/28706/+subscriptions
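
The failure mode in the bug description (lockd registered on a kernel-chosen port because the sysctl values were applied too late) can be caught by comparing `rpcinfo -p` output with the ports the firewall allows. The script below is an added example, not part of the original message or bug report; the function names, the statd and mountd port values, and the sample output are constructed assumptions, and only 4001 for lockd comes from the report.

```shell
#!/bin/sh
# Added example: audit `rpcinfo -p` output against ports pinned for a firewall.
# 4001 (lockd) is from the bug report; the statd and mountd values are assumed.
EXPECTED_PORTS="portmapper=111 nfs=2049 nlockmgr=4001 mountd=4002 status=4000"

# check_rpc_ports: reads `rpcinfo -p` output on stdin and prints one line per
# registration that is not on its pinned port. Returns 1 if any were found.
check_rpc_ports() {
    awk -v expected="$EXPECTED_PORTS" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        # Data rows: program vers proto port service (the header row is skipped)
        $1 ~ /^[0-9]+$/ && NF >= 5 {
            if (!($5 in want)) {
                printf "UNPINNED %s/%s on port %s\n", $5, $3, $4; bad = 1
            } else if ($4 != want[$5]) {
                printf "DRIFT %s/%s on port %s (expected %s)\n", $5, $3, $4, want[$5]
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: statd and mountd are pinned, but nlockmgr came up before
# the nlm_tcpport/nlm_udpport values were set, so it sits on random ports.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd
    100003    3   tcp   2049  nfs
    100021    4   udp  46012  nlockmgr
    100021    4   tcp  38731  nlockmgr
EOF
}

# On a live server this would be: rpcinfo -p | check_rpc_ports
sample_rpcinfo | check_rpc_ports || echo "firewall rules will not match the running services"
```

Running the check after boot, before relying on the firewall rules, shows whether the services need the restart the reporter describes.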



