
10.6 Server: How to get NFS disk serving working properly OS X Server
Snow Leopard only hint

You may be surprised to learn that if you follow the detailed 136-page instructions that Apple provides for setting up an NFS disk server on OS X Server machines, it won't actually work. The problem is the firewall. Unlike the non-server OS, which has an application firewall, the Server OS uses IPFW, which is port-based, not application-based.

This means every service that takes inbound connections has to have fixed port assignments so you can tell IPFW which ports to open. NFS requires the RPC daemon, and by default, RPC takes whatever ports are free at the moment and does not keep them fixed. You need to fix these to specific ports by hand because the GUI won't do it.

This can be confusing to diagnose because if you start NFS with the firewall down and then put it up, you find the server continues to work for about 30 minutes, because of pre-existing daemon connections.

The fix is simple but undocumented in the Apple manual, and not possible via the Server Admin GUI: you fix the ports permanently, and then add a rule to the firewall to open those ports.

To fix the ports, you need to add the following lines to the /etc/nfs.conf file on the server. If this file does not exist yet, you need to create it.
# The purpose is to allow firewall ports to be open
nfs.lockd.port = 1020
nfs.statd.port = 1021
nfs.server.mount.port = 1022
nfs.server.rquota.port = 1019
Those four numbers are chosen as an example. You do not need to choose those, and they do not need to be consecutive, but they do need to be unused by other services and under 1024. On my machine, those ports are free, and it is very likely they are free on your computer too.

Even so, here is a recipe for finding four free ports on your computer. First, make sure all the services you are likely to ever want to use are temporarily turned on. That includes turning on NFS (in the Server Admin GUI).

For extra assurance that the daemons for the services are launched and not latent, try using those services. Second, pull up a Terminal and type rpcinfo -p and scrutinize the output. It should look something like this:
$ rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 1021 status
100024 1 tcp 1021 status
100021 0 udp 1020 nlockmgr
100021 1 udp 1020 nlockmgr
100021 3 udp 1020 nlockmgr
100021 4 udp 1020 nlockmgr
100021 0 tcp 1020 nlockmgr
100021 1 tcp 1020 nlockmgr
100021 3 tcp 1020 nlockmgr
100021 4 tcp 1020 nlockmgr
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100005 1 udp 1022 mountd
100005 3 udp 1022 mountd
100005 1 tcp 1022 mountd
100005 3 tcp 1022 mountd
100011 1 udp 1019 rquotad
100011 2 udp 1019 rquotad
The numbers you see for the four services -- status, mountd, nlockmgr, rquotad -- will at this point be randomly chosen ports that are safe. There will be at least four unique numbers there, and in some cases up to eight unique numbers. All of those are ports that are safe to use since the system is in fact using them at that moment for those very RPC services. So pick any of them (caution: note that 2049 and 111 are not part of those four services, so don't pick those).

Third, as a final sanity check, look in the file /etc/services to see which assigned services those ports might conflict with in the future. If you don't see them colliding with any major service you have ever heard of (e.g. ssh or ftp or afp or something common), then you are good to go. Use those in the /etc/nfs.conf file.

Next, you need to add those four ports the Server Admin GUI. This is straightforward; just be sure to add both UDP and TCP. The last step is to reboot the computer. In theory, if you were just to stop and restart the NFS service, that would work. In practice, I have found that this does not respect the /etc/nfs.conf file. So reboot.
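A check for after the reboot, as an added example that is not part of the original hint: it compares the ports pinned in /etc/nfs.conf with what rpcinfo -p reports, so a daemon that ignored the file shows up before the firewall starts dropping its traffic. The function name `check_nfs_ports` and the sample inputs are constructed for illustration.

```shell
# Constructed sample input, modelled on the listings above.
SAMPLE_CONF='nfs.lockd.port = 1020
nfs.statd.port = 1021
nfs.server.mount.port = 1022
nfs.server.rquota.port = 1019'
SAMPLE_RPCINFO='program vers proto port
100000 2 tcp 111 portmapper
100024 1 udp 1021 status
100024 1 tcp 1021 status
100021 4 tcp 1020 nlockmgr
100003 3 tcp 2049 nfs
100005 3 tcp 1022 mountd
100011 2 udp 1019 rquotad'

# check_nfs_ports CONF_TEXT RPCINFO_TEXT (hypothetical helper name)
# Prints "service pinned=P bound=B STATE" for the four RPC services and
# returns non-zero unless each is pinned and registered on exactly that port.
check_nfs_ports() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
    BEGIN {
        svc["nfs.statd.port"] = "status"; svc["nfs.lockd.port"] = "nlockmgr"
        svc["nfs.server.mount.port"] = "mountd"
        svc["nfs.server.rquota.port"] = "rquotad"
        n = split("status nlockmgr mountd rquotad", order, " ")
    }
    $0 == "---" { rpc = 1; next }
    !rpc {                                    # nfs.conf part: key = value
        sub(/#.*/, ""); cnt = split($0, kv, "=")
        gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
        if (cnt == 2 && (kv[1] in svc)) pin[svc[kv[1]]] = kv[2]
        next
    }
    NF == 5 && $4 ~ /^[0-9]+$/ && !(($5, $4) in seen) {    # rpcinfo rows
        seen[$5, $4] = 1
        bound[$5] = (bound[$5] == "" ? "" : bound[$5] ",") $4
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]; p = (s in pin) ? pin[s] : "-"
            b = (bound[s] == "") ? "-" : bound[s]
            state = (p == "-") ? "UNPINNED" : (b == p) ? "OK" : "MISMATCH"
            if (state != "OK") bad = 1
            printf "%-8s pinned=%s bound=%s %s\n", s, p, b, state
        }
        exit bad + 0
    }'
}
check_nfs_ports "$SAMPLE_CONF" "$SAMPLE_RPCINFO"
```

On the server itself, call it as `check_nfs_ports "$(cat /etc/nfs.conf)" "$(rpcinfo -p)"`; any line that is not OK means the firewall rule for that service does not match the port the daemon is actually using.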

There you go. Not very hard. But undocumented in Apple's guide to file serving.

One final hint for the really advanced NFS folks out there. If you are doing exotic export configurations by hand (not using the GUI) in /etc/exports and decide to create netgroups, you should know that the man page on /etc/netgroups gives incorrect documentation on the file format. The apparently correct format is lines that begin with the group name, followed by a list of servers. Tuples don't work.

[robg adds: Not only have I not tested this one, I don't understand 95% of it...hopefully it makes sense to those who need to know these things!]

10.6 Server: How to get NFS disk serving working properly
Authored by: flammable on Feb 23, '10 09:30:57PM

I'm likely never going to need to use this, but if I do - this is excellent. Thank you!

add those ports to the firewall
Authored by: SOX on Feb 25, '10 06:09:20AM
minor typo: the sentence

"Next, you need to add those four ports the Server Admin GUI. "

should have read

"Next, you need to add those four ports to the firewall using the Server Admin GUI. "


10.6 Server: How to get NFS disk serving working properly
Authored by: DaMacGuy on Feb 16, '11 12:18:39PM

Does this apply even if you're not using the Firewall service?

Do I make the changes in the Firewall service, even if I don't have it enabled?

