
Symptoms

You want to protect your SoftNAS® instance by restricting access and limiting traffic to authorized processes. But how? This is accomplished by configuring your firewall for on-premise (VMware) instances, and via security groups for AWS and Azure instances.

Purpose

This article will help you to determine the ports and security rules you need to consider when planning your firewall, and creating security groups for your AWS or Azure instance.

Resolution

Restrict which IP addresses are allowed to reach each port on SoftNAS® - especially HTTPS (port 443). Only allow approved administrators to reach the SSH and HTTPS ports by restricting who (which TCP/IP addresses) can access those ports. Restrict the NAS ports (e.g., CIFS, NFS, iSCSI, etc.) to the EC2 workload instances only; e.g., x.x.x.x/24 or a specific range of workload instances.

Note: Prior to version 3.2.1, it was possible to access your instance via port 80 (HTTP). SoftNAS® no longer allows access via this port, for security reasons.

When publishing storage via NFS, CIFS, iSCSI, or other protocols from SoftNAS® via the Internet, it is also critical to configure encrypted, authenticated access and limit the source ports accordingly. Also, be sure to restrict the range of allowed source IP addresses. If storage services are published only on an internal LAN or WAN, then apply appropriate security measures as for any storage server in this network environment.
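The three rules above (admin ports only from approved administrator addresses, NAS ports only from the workload subnet, and no rule for port 80 at all) are easy to check mechanically before a security group or firewall ruleset goes live. The following script is an added example, not SoftNAS tooling: it audits a list of inbound rules written in the shape of simplified AWS IpPermissions entries. The admin and workload networks, and the sample rules, are constructed placeholders; the NAS port list is taken from the tables later in this article.

```python
"""Audit inbound security-group rules against the SoftNAS access guidance:
admin ports only from approved admin networks, NAS ports only from the
workload subnet, and no rule exposing port 80. Example code, not SoftNAS's
own tooling; all networks and rules below are constructed samples."""
import ipaddress

ADMIN_PORTS = {22, 443}                  # SSH and HTTPS (SoftNAS UI)
# Inbound NAS service ports listed in this article (NFS, Samba, AFP/SLP, iSCSI).
# Add your static NFSv3 ports (mountd, statd, lockd) once you have assigned them.
NAS_PORTS = {111, 137, 138, 139, 445, 427, 548, 2049, 3260}

# Constructed policy (placeholders): who may reach which class of port.
ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]   # placeholder admin VPN range
WORKLOAD_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]    # placeholder workload subnet

# Constructed rules in the shape of simplified AWS IpPermissions entries.
SAMPLE_RULES = [
    {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", "IpRanges": ["203.0.113.0/28"]},
    {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "IpRanges": ["0.0.0.0/0"]},
    {"FromPort": 2049, "ToPort": 2049, "IpProtocol": "tcp", "IpRanges": ["10.0.0.0/24"]},
    {"FromPort": 445, "ToPort": 445, "IpProtocol": "tcp", "IpRanges": ["10.0.0.0/8"]},
    {"FromPort": 80, "ToPort": 80, "IpProtocol": "tcp", "IpRanges": ["10.0.0.0/24"]},
]


def _covered(cidr, allowed):
    """True if the source CIDR lies entirely inside one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(a) for a in allowed if a.version == net.version)


def audit_rules(rules, admin_networks=ADMIN_NETWORKS, workload_networks=WORKLOAD_NETWORKS):
    """Return a sorted list of (port, source_cidr, reason) for every rule that breaks policy."""
    findings = []
    for rule in rules:
        # IpProtocol "-1" is AWS's "all traffic"; treat it as every port.
        if rule["IpProtocol"] == "-1":
            lo, hi = 0, 65535
        else:
            lo, hi = rule["FromPort"], rule["ToPort"]
        for cidr in rule["IpRanges"]:
            if lo <= 80 <= hi:
                findings.append((80, cidr, "HTTP is no longer offered (since 3.2.1); remove"))
            for port in ADMIN_PORTS:
                if lo <= port <= hi and not _covered(cidr, admin_networks):
                    findings.append((port, cidr, "admin port reachable from a non-admin source"))
            for port in NAS_PORTS:
                if lo <= port <= hi and not _covered(cidr, workload_networks):
                    findings.append((port, cidr, "NAS port reachable beyond the workload subnet"))
    return sorted(findings)


if __name__ == "__main__":
    for port, cidr, reason in audit_rules(SAMPLE_RULES):
        print(f"port {port:<5} from {cidr:<16} {reason}")
```

Run against the constructed sample, the audit flags SSH open to 0.0.0.0/0, CIFS (445) open to a /8 that is wider than the workload subnet, and the leftover port 80 rule, while the correctly scoped HTTPS and NFS rules pass. Feed it the IpPermissions of a real group (for example from the output of `aws ec2 describe-security-groups`) with your own admin and workload networks substituted.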


NFS and BIND Services

SoftNAS supports NFSv4, and NFSv3 for legacy purposes. If using NFSv3, a few services must be configured/defined in order to ensure connectivity through a firewall: their ports need to be defined and set statically.

TCP/UDP Port   Source        Service
111            x.x.x.x/24    portmapper, Automounting
****           x.x.x.x/24    rquotad
****           x.x.x.x/24    nlockmgr
****           x.x.x.x/24    mountd
****           x.x.x.x/24    status
2049           x.x.x.x/24    nfs

**** represents ports that are ephemeral by default and must be assigned statically, as per the commands below.

There may also be other ports required for clustering, client status, the NFS manager, etc. To find out what other ports may need to be opened through a firewall, run the following command on the NFS server: `rpcinfo -p | grep nfs`. Here is a list of the configurable ports that may be used, and what each is used for.

Setting                 Purpose
MOUNTD_PORT=port        Controls which TCP and UDP port mountd (rpc.mountd) uses.
STATD_PORT=port         Controls which TCP and UDP port status (rpc.statd) uses.
LOCKD_TCPPORT=port      Controls which TCP port nlockmgr (lockd) uses.
LOCKD_UDPPORT=port      Controls which UDP port nlockmgr (lockd) uses.

If you need to define static ports for NFSv3, prepare a ready-made config file that is set to use your defined ports. The config file is found at "/etc/sysconfig/nfs". Create your alternate as "/etc/sysconfig/nfs.softnas" with the desired ports defined, then rename it to overwrite the original. NFSv3 will use the ports defined in the config file.

Note: The above information applies to instances using NFSv3. NFSv4 only requires port 2049; it may also use port 111 for automounting.
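Once the static ports are in the config file, a practitioner wants two things: the list of ports the firewall must now open for NFSv3 (111 and 2049 plus the four static ones), and confirmation from `rpcinfo -p` that mountd, statd and lockd really came up on those ports rather than on ephemeral ones. The script below is an added example, not SoftNAS's own tooling: it renders the KEY=value lines for "/etc/sysconfig/nfs.softnas", derives the firewall port list, and checks constructed `rpcinfo -p` output against the configured ports. The port numbers are placeholders; choose unused ports for your own environment.

```python
"""Render static NFSv3 port settings for /etc/sysconfig/nfs.softnas, derive the
firewall port list, and verify `rpcinfo -p` output against the configured ports.
Example code, not SoftNAS's own tooling; ports and rpcinfo output are constructed."""

# Constructed static port assignments (placeholders; use free ports in your environment).
STATIC_PORTS = {
    "MOUNTD_PORT": 892,
    "STATD_PORT": 662,
    "LOCKD_TCPPORT": 32803,
    "LOCKD_UDPPORT": 32769,
}

# rpcinfo service name and protocols that each variable pins (per the table above).
VAR_TO_SERVICE = {
    "MOUNTD_PORT": ("mountd", ("tcp", "udp")),
    "STATD_PORT": ("status", ("tcp", "udp")),
    "LOCKD_TCPPORT": ("nlockmgr", ("tcp",)),
    "LOCKD_UDPPORT": ("nlockmgr", ("udp",)),
}

# Constructed sample of `rpcinfo -p` output after the static ports took effect.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   tcp    892  mountd
    100005    3   udp    892  mountd
    100024    1   tcp    662  status
    100024    1   udp    662  status
    100021    4   tcp  32803  nlockmgr
    100021    4   udp  32769  nlockmgr
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
"""


def render_sysconfig(ports=STATIC_PORTS):
    """Return the KEY=value lines for /etc/sysconfig/nfs.softnas, after sanity checks."""
    bound = set()
    for var, (_service, protos) in VAR_TO_SERVICE.items():
        port = ports[var]
        if not 1 <= port <= 65535:
            raise ValueError(f"{var}: {port} is not a valid port")
        for proto in protos:
            # Two daemons may not share the same port on the same protocol.
            if (proto, port) in bound:
                raise ValueError(f"{var}: {proto}/{port} is already assigned")
            bound.add((proto, port))
    return ["# static NFSv3 ports (generated)"] + [f"{v}={ports[v]}" for v in VAR_TO_SERVICE]


def nfsv3_firewall_ports(ports=STATIC_PORTS):
    """Sorted list of every port the firewall must allow for NFSv3 with these settings."""
    return sorted({111, 2049} | set(ports.values()))


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into a set of (service, proto, port) triples."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():  # skip header and blank lines
            continue
        _prog, _vers, proto, port, service = parts[:5]
        found.add((service, proto, int(port)))
    return found


def verify_static_ports(rpcinfo_text, ports=STATIC_PORTS):
    """Return (variable, proto, expected_port) for every binding rpcinfo does not show."""
    found = parse_rpcinfo(rpcinfo_text)
    missing = []
    for var, (service, protos) in VAR_TO_SERVICE.items():
        for proto in protos:
            if (service, proto, ports[var]) not in found:
                missing.append((var, proto, ports[var]))
    return missing


if __name__ == "__main__":
    print("\n".join(render_sysconfig()))
    print("firewall ports for NFSv3:", nfsv3_firewall_ports())
    print("not bound as configured:", verify_static_ports(SAMPLE_RPCINFO) or "none")
```

On a real server, replace SAMPLE_RPCINFO with the output of `rpcinfo -p` after the NFS services have been restarted; any entry in the "not bound as configured" list means that daemon is still on an ephemeral port and the firewall rule for it will not match.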


CIFS/SMB via Samba

Variable       TCP Port #   Service
netbios-ns     137          NETBIOS name service
netbios-dgm    138          NETBIOS datagram service
netbios-ssn    139          NETBIOS session service
microsoft-ds   445          Active Directory

Additional ports for CIFS:

Description    TCP Port #   Note
LDAP           389          Active Directory Mode
NetBIOS        445          Post-Windows 2000 (CIFS)
SWAT           901          Not related to client communication


AFP/Netatalk

Description                        TCP Port #   Note
AFP over TCP                       548          AppleShare, Personal File Sharing, Apple File Services
Service Location Protocol (SLP)    427          Network browser


iSCSI

Description    TCP Port #   Note
iSCSI          3260         Target publishing

Additional Information