NFS Client – Configure Firewall Settings and RPCBind on Linux

debian, firewall, linux, nfs

I have a server (Debian 9.6) which mounts an NFSv3 share for backup purposes.

Does it need any specific firewall settings?

I have found that rpcbind is listening on ports 111 and 903 and is installed as a dependency of nfs-common. However, if I block all ports with ufw and/or kill rpcbind, I can still mount the NFS share.

I don't understand why nfs-common depends on rpcbind if it works without it. Am I missing anything? Maybe rpcbind is needed for file locking or NFS stats.

Best Answer

NFS servers normally run a portmapper or rpcbind daemon to advertise their service endpoints to clients. Clients use the rpcbind daemon to determine:

  • What network port each RPC-based service is using
  • What transport protocols each RPC-based service supports

The rpcbind daemon uses a well-known port number (111) to help clients find a service endpoint. Although NFS often uses a standard port number (2049), auxiliary services such as the NLM service can choose any unused port number at random.

From the section "Mounting through a firewall" of the nfs-common man page.

The reason you are still able to mount the share when you block access to the port is probably that the connection has been established from the client to the server, so no incoming connections are generated during the mount operation. Also, when you kill the rpcbind process, the mount operation may start it again.
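To see which endpoints rpcbind is actually advertising, and which of them fall outside the two ports named above (111 and 2049), the output of `rpcinfo -p` can be parsed as in the following added example. It is not part of the original answer; the sample output is constructed, and the function names `parse_rpcinfo` and `dynamic_endpoints` are hypothetical.

```python
from collections import defaultdict

# Constructed sample of `rpcinfo -p <server>` output (not taken from the page).
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    3   tcp  20048  mountd
    100021    1   udp  40123  nlockmgr
    100021    4   tcp  38467  nlockmgr
    100024    1   udp  51234  status
    391002    2   tcp  45001
"""

# rpcbind and NFS ports named in the answer above.
WELL_KNOWN = {111, 2049}


def parse_rpcinfo(text):
    """Return {service: {(proto, port), ...}} from `rpcinfo -p` output."""
    services = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and anything that is not a data row.
        if len(fields) < 4 or not fields[0].isdigit() or not fields[3].isdigit():
            continue
        program, _vers, proto, port = fields[:4]
        # rpcinfo leaves the service column empty for programs it cannot name.
        name = fields[4] if len(fields) > 4 else f"prog-{program}"
        services[name].add((proto, int(port)))
    return dict(services)


def dynamic_endpoints(services):
    """Endpoints on ports other than 111/2049, sorted by service name."""
    return sorted(
        (name, proto, port)
        for name, endpoints in services.items()
        for proto, port in endpoints
        if port not in WELL_KNOWN
    )


if __name__ == "__main__":
    for name, proto, port in dynamic_endpoints(parse_rpcinfo(SAMPLE)):
        print(f"{name:12} {proto}/{port}  not a well-known port: pin it or allow it explicitly")
```

Each reported endpoint is one that a firewall rule set limited to 111 and 2049 would not cover.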