This document is intended to give you detailed steps for making NFS bind to user-specified ports instead of random ports assigned by the portmapper. This makes it *much* easier to run a firewall on the NFS server, as you don't have to kludge something to find the NFS ports at each boot to open them with iptables.

NOTE: This was written for Slackware Linux, but the general ideas should apply on pretty much any distribution.

First, you'll want (it's not necessary, but handy to have for later) to make sure all of this is in /etc/services. I made sure "NFS" is in all of what I added or modified so that I can easily remove them (or just find them) if I need them later.

    root@alamo # grep NFS /etc/services
    sunrpc      111/tcp   rpcbind   # SUN Remote Procedure Call
    sunrpc      111/udp   rpcbind   # SUN Remote Procedure Call
    mountd      861/udp             # NFS mountd
    mountd      861/tcp             # NFS mountd
    rquotad     863/udp             # NFS rquotad
    rquotad     863/tcp             # NFS rquotad
    status      865/udp             # NFS status (listen)
    status      865/tcp             # NFS status (listen)
    status      866/udp             # NFS status (send)
    status      866/tcp             # NFS status (send)
    nfsd       2049/tcp             # NFS server daemon
    nfsd       2049/udp             # NFS server daemon
    lockd      4045/udp             # NFS lock daemon/manager
    lockd      4045/tcp             # NFS lock daemon/manager

************************************************************************

Next, you'll need to modify your /etc/rc.d/rc.nfsd script accordingly. For other Linux distributions, find the script that starts these daemons and add the needed flags.

    # **** Make the quota daemon listen on port 863
    if [ -x /usr/sbin/rpc.rquotad ]; then
      echo "  /usr/sbin/rpc.rquotad -p 863"
      /usr/sbin/rpc.rquotad -p 863
    fi

    # **** Make the mount daemon listen on port 861
    if [ -x /usr/sbin/rpc.mountd ]; then
      echo "  /usr/sbin/rpc.mountd -p 861"
      /usr/sbin/rpc.mountd -p 861
    fi

Now modify the /etc/rc.d/rc.rpc script (again, for other Linux distros, find the script that starts this daemon and add the needed flags). On older versions (less than 11.0) of Slackware, rpc.statd is started in rc.nfsd, so look there instead.

    # **** Have the portmap daemon chroot to /var/empty for increased security
    # **** Make the status daemon listen on port 865 and talk on port 866
    # **** Note that you'll have to open port 866 on the NFS clients
    if [ -x /sbin/rpc.portmap -a -x /sbin/rpc.statd ]; then
      if ! ps axc | grep -q rpc.portmap ; then
        echo "Starting RPC portmapper:  /sbin/rpc.portmap -t /var/empty"
        /sbin/rpc.portmap -t /var/empty
      fi
      if ! ps axc | grep -q rpc.statd ; then
        echo "Starting RPC NSM (Network Status Monitor):  /sbin/rpc.statd -p 865 -o 866"
        /sbin/rpc.statd -p 865 -o 866
      fi
    fi

Finally, make the lock daemon listen on port 4045 only. Note that this requires setting module load options in a file in /etc/modprobe.d/. I create an aptly named file, /etc/modprobe.d/lockd, and add the following:

    options lockd nlm_udpport=4045 nlm_tcpport=4045

Copyright 2006-2008 Robby Workman, Northport, Alabama, USA
You may mirror and/or otherwise use this file as you wish so long as you retain attribution to the author.
If you have any questions, comments, or suggestions for improvement, you may contact me at rworkman AT slackware.com
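Once the daemons are pinned, the thing worth checking at boot is that every RPC service really registered on its expected port before the firewall rules that depend on those ports are loaded. The script below is an added example, not part of the original document: it parses "rpcinfo -p" style output against the ports listed above and, only if all of them match, prints the iptables rules for a client subnet. The rpcinfo output, the 192.168.1.0/24 client network and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: verify that RPC services sit on the pinned ports by parsing
# "rpcinfo -p" output. On a real server use: check_rpc_ports "$(rpcinfo -p)"

# Expected service:port pairs, taken from the /etc/services additions above
EXPECTED="portmapper:111 mountd:861 rquotad:863 status:865 nfs:2049 nlockmgr:4045"

# check_rpc_ports OUTPUT: print one line per service on the wrong port; exit 1 if any
check_rpc_ports() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED" '
    BEGIN {
        bad = 0
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); want[kv[1]] = kv[2] }
    }
    $1 == "program" { next }                      # skip the rpcinfo header line
    NF >= 5 && ($5 in want) && $4 != want[$5] {   # columns: program vers proto port service
        printf "%s %s on port %s, expected %s\n", $5, $3, $4, want[$5]
        bad = 1
    }
    END { exit bad }'
}

# nfs_iptables_rules NET: print INPUT rules accepting the pinned ports from NET
# (the status daemon's send port 866 is opened on the clients, not here)
nfs_iptables_rules() {
    for pair in $EXPECTED; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -s $1 -p $proto --dport ${pair#*:} -j ACCEPT"
        done
    done
}

# Constructed rpcinfo -p output: everything pinned except lockd, whose modprobe
# options were not applied, so nlockmgr still sits on a random port.
SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    861  mountd
    100005    1   tcp    861  mountd
    100011    1   udp    863  rquotad
    100024    1   udp    865  status
    100024    1   tcp    865  status
    100003    3   tcp   2049  nfs
    100021    1   udp  32768  nlockmgr'

if check_rpc_ports "$SAMPLE"; then
    nfs_iptables_rules 192.168.1.0/24
else
    echo "Not all RPC services are pinned; fix that before loading firewall rules." >&2
fi
```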