Chapter 5. Configuring an NFSv4-only server
As an NFS server administrator, you can configure the NFS server to support only NFSv4, which minimizes the number of open ports and running services on the system.
5.1. Benefits and drawbacks of an NFSv4-only server
This section explains the benefits and drawbacks of configuring the NFS server to only support NFSv4.
By default, the NFS server supports NFSv3 and NFSv4 connections in Red Hat Enterprise Linux 9. However, you can also configure NFS to support only NFS version 4.0 and later. This minimizes the number of open ports and running services on the system, because NFSv4 does not require the rpcbind service to listen on the network.
When your NFS server is configured as NFSv4-only, clients attempting to mount shares using NFSv3 fail with an error like the following:
Requested NFS version or transport protocol is not supported.
Optionally, you can also disable listening for the RPCBIND, MOUNT, and NSM protocol calls, which are not necessary in the NFSv4-only case.
The effects of disabling these additional options are:
- Clients that attempt to mount shares from your server using NFSv3 become unresponsive.
- The NFS server itself is unable to mount NFSv3 file systems.
5.2. Configuring the NFS server to support only NFSv4
This procedure describes how to configure your NFS server to support only NFS version 4.0 and later.
Procedure
Disable NFSv3 by adding the following lines to the [nfsd] section of the /etc/nfs.conf configuration file:
[nfsd]
vers3=no
Optionally, disable listening for the RPCBIND, MOUNT, and NSM protocol calls, which are not necessary in the NFSv4-only case. Disable related services:
# systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
Restart the NFS server:
# systemctl restart nfs-server
The changes take effect as soon as you start or restart the NFS server.
5.3. Verifying the NFSv4-only configuration
You can verify that your NFS server is configured in the NFSv4-only mode by using the netstat utility.
Procedure
Use the netstat utility to list services listening on the TCP and UDP protocols:
# netstat --listening --tcp --udp
Example 5.1. Output on an NFSv4-only server
The following is an example netstat output on an NFSv4-only server; listening for RPCBIND and NSM is also disabled.
Note that mountd is still listening, but only because internal communication between the nfsd process and mountd is required in order to do local authentication; the port can therefore remain closed.
# netstat --listening --tcp --udp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:mountd          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp6       0      0 [::]:nfs                [::]:*                  LISTEN
tcp6       0      0 [::]:mountd             [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp        0      0 0.0.0.0:mountd          0.0.0.0:*
udp        0      0 0.0.0.0:mountd          0.0.0.0:*
udp        0      0 localhost:323           0.0.0.0:*
udp6       0      0 [::]:mountd             [::]:*
udp6       0      0 [::]:mountd             [::]:*
udp6       0      0 localhost:323           [::]:*
Example 5.2. Output before configuring an NFSv4-only server
In comparison, the netstat output before configuring an NFSv4-only server includes the sunrpc service:
# netstat --listening --tcp --udp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:40189           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:46813           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:nfs             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:mountd          0.0.0.0:*               LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 [::]:51227              [::]:*                  LISTEN
tcp6       0      0 [::]:nfs                [::]:*                  LISTEN
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN
tcp6       0      0 [::]:mountd             [::]:*                  LISTEN
tcp6       0      0 [::]:45043              [::]:*                  LISTEN
udp        0      0 localhost:1018          0.0.0.0:*
udp        0      0 localhost.locald:bootpc 0.0.0.0:*
udp        0      0 0.0.0.0:mountd          0.0.0.0:*
udp        0      0 0.0.0.0:46672           0.0.0.0:*
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*
udp        0      0 0.0.0.0:33494           0.0.0.0:*
udp6       0      0 [::]:33734              [::]:*
udp6       0      0 [::]:mountd             [::]:*
udp6       0      0 [::]:sunrpc             [::]:*
udp6       0      0 [::]:40243              [::]:*
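The manual comparison above can be scripted. The following is an added example, not part of the Red Hat documentation: it checks that vers3=no is set in the [nfsd] section and that nothing is listening on the rpcbind port (sunrpc, or 111 in numeric output), which also covers the optional rpcbind step. The function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit an NFSv4-only setup
# from a config file and a saved `netstat --listening --tcp --udp` capture.

# Succeeds only if the [nfsd] section of the nfs.conf-style file $1 sets
# vers3=no. Commented-out keys such as "# vers3=no" never match.
nfsd_vers3_disabled() {
    awk '
        /^[ \t]*\[/ {                       # section header, e.g. [nfsd]
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == "nfsd" {
            if (split($0, kv, "=") < 2) next
            key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "vers3") last = tolower(val)   # last setting wins
        }
        END { exit (last == "no") ? 0 : 1 }
    ' "$1"
}

# Reads netstat output on stdin and prints each protocol and local address
# still bound to the rpcbind port.
rpcbind_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $4 ~ /:(sunrpc|111)$/ { print $1, $4 }'
}

# audit_nfs4_only CONF NETSTAT_CAPTURE: returns 0 only if both checks pass.
audit_nfs4_only() {
    rc=0
    nfsd_vers3_disabled "$1" || { echo "FAIL: vers3=no not set in [nfsd] of $1"; rc=1; }
    left=$(rpcbind_listeners < "$2")
    [ -z "$left" ] || { echo "FAIL: rpcbind still listening:"; echo "$left"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: NFSv3 disabled, rpcbind not listening"
    return "$rc"
}

# Constructed sample data (not taken from a real host).
demo=$(mktemp -d)
printf '[nfsd]\nvers3=no\n' > "$demo/nfs.conf"
printf 'tcp 0 0 0.0.0.0:nfs 0.0.0.0:* LISTEN\nudp 0 0 0.0.0.0:sunrpc 0.0.0.0:*\n' \
    > "$demo/netstat.txt"
audit_nfs4_only "$demo/nfs.conf" "$demo/netstat.txt" || echo "(exit status $?)"
rm -rf "$demo"
```

On a live server, run it against /etc/nfs.conf and a file holding the netstat output from the procedure above.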