How to allow NFS server traffic through firewalld

NFS mounts can fail even when the export table and nfs-server service look correct if firewalld does not allow the protocol path used by clients. Open the server-facing zone before asking clients to retry, and match the rule set to the NFS versions the server actually accepts instead of exposing legacy RPC services by habit.

On current RHEL-family systems, the predefined nfs firewalld service opens TCP 2049. That is normally enough for a strict NFSv4 server, while servers that still accept NFSv3 also need RPC discovery, mount daemon access, and fixed lock/status ports.

The examples use the public zone, files.example.net, and /srv/nfs/projects. Replace the zone, host name, export path, and fixed ports with the values for the server. Keep the final client test in the same network path that failed, because a local firewalld listing does not prove routing, export selectors, or client package state.

Steps to allow NFS server traffic through firewalld:

  1. Check the firewalld zone that owns the server interface.
    $ sudo firewall-cmd --get-active-zones
    public
      interfaces: enp1s0

    Use the zone shown with the server-facing interface in the following commands. The examples use public.

  2. Check the NFS protocol versions exposed by the server.
    $ cat /proc/fs/nfsd/versions
    +3 +4 +4.1 +4.2

    A plus sign before 3 means the server still accepts NFSv3 clients. A minus sign before 3 means the firewall can normally stay on the NFSv4 path with only the nfs service.

  3. Add the nfs service to the permanent firewalld zone.
    $ sudo firewall-cmd --permanent --zone=public --add-service=nfs
    success

    The predefined nfs service opens TCP 2049 on current firewalld packages.

  4. Set fixed lock and status ports if the server still accepts NFSv3 clients.
    [lockd]
    port=5555

    [statd]
    port=6666

    Do not open arbitrary high RPC ports for NFSv3 traffic. Use site-approved fixed ports in /etc/nfs.conf, then open those exact ports in firewalld.

  5. Add the NFSv3 RPC services when legacy clients still need +3 support.
    $ sudo firewall-cmd --permanent --zone=public --add-service=rpc-bind
    success
    $ sudo firewall-cmd --permanent --zone=public --add-service=mountd
    success

    rpc-bind opens TCP and UDP 111. mountd opens TCP and UDP 20048 on current firewalld packages.

  6. Add the fixed NFSv3 lock and status ports.
    $ sudo firewall-cmd --permanent --zone=public --add-port=5555/tcp
    success
    $ sudo firewall-cmd --permanent --zone=public --add-port=5555/udp
    success
    $ sudo firewall-cmd --permanent --zone=public --add-port=6666/tcp
    success
    $ sudo firewall-cmd --permanent --zone=public --add-port=6666/udp
    success

    Skip this step on a strict NFSv4 server, or change the port numbers to match the fixed values already configured under [lockd] and [statd].

  7. Reload firewalld to apply the permanent rules.
    $ sudo firewall-cmd --reload
    success

  8. Restart NFS services if /etc/nfs.conf fixed ports changed.
    $ sudo systemctl restart rpc-statd nfs-server

    Skip this restart when the fixed NFSv3 ports were already active and only firewalld rules were added.

  9. Verify the allowed firewalld services.
    $ sudo firewall-cmd --zone=public --list-services
    cockpit dhcpv6-client mountd nfs rpc-bind ssh

    A strict NFSv4 server should show nfs, but it does not need mountd or rpc-bind for client mounts.

  10. Verify the fixed NFSv3 ports when they were added.
    $ sudo firewall-cmd --zone=public --list-ports
    5555/tcp 6666/tcp 5555/udp 6666/udp

  11. From an allowed client, list the exports when NFSv3 or mixed-version visibility is expected.
    $ showmount -e files.example.net
    Export list for files.example.net:
    /srv/nfs/projects 192.0.2.0/24

    A strict NFSv4 server may not answer showmount because that command uses the older mount service. Test the known export path with an NFSv4 mount instead.

  12. Mount the export from an allowed client.
    $ sudo mount -t nfs4 files.example.net:/srv/nfs/projects /mnt/projects

    Use -t nfs with a version option such as vers=3 only when the server intentionally supports NFSv3 clients.

  13. Verify the mounted source on the client.
    $ findmnt /mnt/projects
    TARGET        SOURCE                                FSTYPE OPTIONS
    /mnt/projects files.example.net:/srv/nfs/projects  nfs4   rw,relatime,vers=4.2,rsize=1048576,wsize=1048576
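
The procedure above can be turned into a review step that derives the firewalld rule set from the versions the server accepts and from the fixed [lockd]/[statd] ports, and then checks a --list-services line for gaps. This is an added example, not part of the original guide; the function names are hypothetical, the zone, versions line and nfs.conf path are passed in as arguments, and nothing is applied to the host.

```sh
# Added example, not from the original guide: derive the firewalld rule set from the
# nfsd versions line and the fixed [lockd]/[statd] ports, then check a --list-services line.
# Assumptions: zone, versions line and nfs.conf path are passed in; nothing is applied to the host.

# nfs_conf_port SECTION FILE: print the port= value under [SECTION], skipping comment lines.
nfs_conf_port() {
    awk -v want="[$1]" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insec = (s == want); next }
        insec && /^[[:space:]]*port[[:space:]]*=/ {
            sub(/^[[:space:]]*port[[:space:]]*=[[:space:]]*/, ""); print; exit
        }' "$2"
}

# nfs_firewall_plan ZONE VERSIONS_LINE NFS_CONF: print the firewall-cmd commands to review.
# VERSIONS_LINE is the content of /proc/fs/nfsd/versions; returns 1 if an NFSv3 fixed port is missing.
nfs_firewall_plan() {
    cmd="sudo firewall-cmd --permanent --zone=$1"
    echo "$cmd --add-service=nfs"                 # TCP 2049, enough for a strict NFSv4 server
    case " $2 " in
    *" +3 "*)                                     # NFSv3 still accepted: RPC discovery, mountd, fixed ports
        echo "$cmd --add-service=rpc-bind"        # TCP/UDP 111
        echo "$cmd --add-service=mountd"          # TCP/UDP 20048
        for section in lockd statd; do
            port=$(nfs_conf_port "$section" "$3")
            [ -n "$port" ] || { echo "no fixed port under [$section] in $3; set one before opening NFSv3" >&2; return 1; }
            echo "$cmd --add-port=$port/tcp"
            echo "$cmd --add-port=$port/udp"
        done ;;
    esac
    echo "sudo firewall-cmd --reload"
}

# nfs_firewall_missing VERSIONS_LINE SERVICES_LINE: print each needed service absent from --list-services output.
nfs_firewall_missing() {
    needed=nfs
    case " $1 " in *" +3 "*) needed="nfs rpc-bind mountd" ;; esac
    for svc in $needed; do
        case " $2 " in *" $svc "*) ;; *) echo "$svc" ;; esac
    done
}

# Constructed sample nfs.conf with the guide's fixed ports (not a real host file).
sample_conf=$(mktemp)
printf '[lockd]\nport=5555\n\n[statd]\n# port=9999\nport=6666\n' > "$sample_conf"
nfs_firewall_plan public "+3 +4 +4.1 +4.2" "$sample_conf"
nfs_firewall_missing "+3 +4 +4.1 +4.2" "cockpit dhcpv6-client nfs ssh"; rm -f "$sample_conf"
```

With a "-3" versions line the plan collapses to the nfs service and the reload, which is the strict NFSv4 case the guide describes.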