Setting up a secure NFS server on unRAID doesn’t have to be complicated. This guide walks you through the entire process, from basic setup to advanced security configurations.
Quick Setup Guide
1. Enable NFS on unRAID
- Log in to your unRAID web interface
- Navigate to Settings > NFS
- Set “Enable NFS” to Yes
- Apply changes
2. Configure NFS Shares
- Go to the Shares section
- Select your target share
- Under NFS Security Settings, set Export to Yes
Advanced Security Configuration
Deploying Behind a Firewall
For networks requiring enhanced security, you can deploy your NFS server behind a firewall or ACL. This is particularly useful when:
- Your network is exposed to external threats
- You need to isolate network segments
- You’re setting up a DMZ (Demilitarized Zone)
Static Port Configuration
Prerequisites
- Install the User Scripts plugin on unRAID
Setup Script
#!/bin/bash
# Configuration constants
readonly DEFAULT_RPC="/etc/default/rpc"
readonly RC_NFSD="/etc/rc.d/rc.nfsd"
readonly PORTS=(
["statd"]=32766
["mountd"]=32767
["lockd"]=32768
)
readonly LOG_FILE="/var/log/nfs_config.log"
# Logging function
log() {
local level=$1
local message=$2
local timestamp
timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[${timestamp}] [${level}] ${message}" | tee -a "$LOG_FILE"
}
# Check if running as root
check_root() {
if [[ $EUID -ne 0 ]]; then
log "ERROR" "This script must be run as root"
exit 1
fi
}
# Check if required files exist
check_files() {
local missing_files=0
for file in "$DEFAULT_RPC" "$RC_NFSD"; do
if [[ ! -f "$file" ]]; then
log "ERROR" "Required file not found: $file"
missing_files=1
fi
done
return "$missing_files"
}
# Configure RPC ports
configure_rpc() {
log "INFO" "Configuring RPC ports in $DEFAULT_RPC"
if ! sed -i -E "
s/^#?RPC_STATD_PORT=.*/RPC_STATD_PORT=${PORTS[statd]}/;
s/^#?LOCKD_TCP_PORT=.*/LOCKD_TCP_PORT=${PORTS[lockd]}/;
s/^#?LOCKD_UDP_PORT=.*/LOCKD_UDP_PORT=${PORTS[lockd]}/;
" "$DEFAULT_RPC"; then
log "ERROR" "Failed to configure RPC ports"
return 1
fi
}
# Configure NFS daemon
configure_nfsd() {
log "INFO" "Configuring NFS daemon in $RC_NFSD"
if ! sed -i -E "
s|^(\s*)(/usr/sbin/rpc\.mountd)$|\1\2 -p ${PORTS[mountd]}|;
/if \[ -x \/usr\/sbin\/rpc.mountd \]/ i RPC_MOUNTD_PORT=${PORTS[mountd]};
" "$RC_NFSD"; then
log "ERROR" "Failed to configure NFS daemon"
return 1
fi
}
# Restart services
restart_services() {
local services=("rc.rpc" "rc.nfsd")
for service in "${services[@]}"; do
log "INFO" "Restarting $service"
if ! /etc/rc.d/"$service" restart; then
log "ERROR" "Failed to restart $service"
return 1
fi
sleep 1
done
}
# Main function
main() {
local exit_code=0
# Initialize log file
: > "$LOG_FILE"
log "INFO" "Starting NFS configuration"
# Run checks
check_root
check_files || exit_code=$?
if [[ $exit_code -eq 0 ]]; then
# Apply configurations
configure_rpc || exit_code=$?
configure_nfsd || exit_code=$?
restart_services || exit_code=$?
if [[ $exit_code -eq 0 ]]; then
log "INFO" "NFS configuration completed successfully"
else
log "ERROR" "NFS configuration failed"
/usr/local/emhttp/webGui/scripts/notify -i warning -s "NFS configuration failed. Check $LOG_FILE for details"
fi
fi
return "$exit_code"
}
# Execute main function with error handling
set -euo pipefail
main "$@"
Firewall Configuration
Configure your firewall to allow the following ports for your unRAID server’s IP:
- Port 111 (RPC)
- Port 2049 (NFS)
- Ports 32766-32768 (Static port range)
Troubleshooting Tips
- Verify NFS service status using
showmount -ecommand - Check system logs for any connection errors
- Ensure proper network connectivity between client and server
- Verify firewall rules are correctly configured
Security Best Practices
- Use specific IP ranges in export settings
- Implement read-only shares where possible
- Regular security audits of NFS access logs
- Keep unRAID system updated
Last updated: July 2024