Make NFS server listen only on a specific interface

I am trying to run an NFS server (nfs-kernel-server package) on an Ubuntu 20.04 machine and want to make it only accessible via VPN.

I have set the appropriate IP address in the /etc/exports file and my firewall. Nevertheless, the rpc.mountd daemon is still listening on all interfaces (0.0.0.0 and ::). As a defense-in-depth measure, I would like to restrict it further to only listen for connections on the VPN network device.

How can I configure that?


Solution 1:

Quoting nfsd(8):

OPTIONS
       -d  or  --debug
              enable logging of debugging messages

       -H  or  --host hostname
              specify a particular hostname (or address) that NFS requests will be accepted on. By default, rpc.nfsd will accept NFS requests on all known network addresses.  Note that lockd (which performs file locking services for NFS) may still accept requests on all known network addresses.  This may change in future releases of the Linux Kernel. This option can be used multiple times to listen on more than one interface.

       -p  or  --port port
              specify a different port to listen on for NFS requests. By default, rpc.nfsd will listen on port 2049.

Solution 2:

Ubuntu and Debian have the configuration in

/etc/default/nfs-kernel-server

You can restrict it using

RPCNFSDOPTS="-H 10.0.40.72"
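The following is an added example, not code from either answer. It applies the Debian/Ubuntu setting from Solution 2 idempotently (so a second run replaces rather than duplicates the RPCNFSDOPTS line) and adds the check the question actually needs: a filter over `ss -Hlntup` output that lists every socket still bound to a wildcard address. The defaults file path is passed as a parameter so it can be tried on a scratch copy; the VPN address 10.0.40.72 is taken from the answer, and the `ss` sample is constructed to resemble the situation described in the question, with rpc.mountd still bound to 0.0.0.0 and [::].

```shell
#!/bin/sh
# Added example, not part of either answer above. It assumes the Debian/Ubuntu
# layout from Solution 2 (/etc/default/nfs-kernel-server, RPCNFSDOPTS) and the
# VPN address 10.0.40.72 from that answer; the ss output below is constructed.

# Write RPCNFSDOPTS="-H <addr>" into the defaults file given as $1 (pass a
# scratch copy when testing). An existing RPCNFSDOPTS line is replaced so that
# re-running does not leave two conflicting assignments; the file is rewritten
# through a temp file rather than `sed -i`, which differs between GNU and BSD sed.
set_nfsd_host() {
    file=$1
    addr=$2
    tmp="$file.tmp.$$"
    if grep -q '^RPCNFSDOPTS=' "$file"; then
        sed "s|^RPCNFSDOPTS=.*|RPCNFSDOPTS=\"-H $addr\"|" "$file" > "$tmp"
    else
        { cat "$file"; printf 'RPCNFSDOPTS="-H %s"\n' "$addr"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# Read the value currently set for RPCNFSDOPTS, without the surrounding quotes.
get_nfsd_opts() {
    sed -n 's/^RPCNFSDOPTS="\(.*\)"$/\1/p' "$1"
}

# Verification step for the question's actual concern: feed the output of
# `ss -Hlntup` (no header, listening TCP/UDP sockets with process names) on
# stdin and print every socket bound to a wildcard address. Field 5 is the
# local address:port; field 7 (the process) is absent for kernel sockets such
# as the in-kernel nfsd on 2049, so those are reported as "(kernel)".
wildcard_listeners() {
    awk '$5 ~ /^(0\.0\.0\.0|\*|\[::\]):/ {
        proc = (NF >= 7) ? $7 : "(kernel)"
        print $1, $5, proc
    }'
}

# Constructed sample resembling `ss -Hlntup` after RPCNFSDOPTS="-H 10.0.40.72":
# nfsd bound to the VPN address only, rpc.mountd still on 0.0.0.0 and [::].
SAMPLE_SS='tcp   LISTEN 0  64  10.0.40.72:2049  0.0.0.0:*
tcp   LISTEN 0  64  0.0.0.0:42763    0.0.0.0:*  users:(("rpc.mountd",pid=1234,fd=4))
tcp   LISTEN 0  64  [::]:42763       [::]:*     users:(("rpc.mountd",pid=1234,fd=5))
udp   UNCONN 0  0   127.0.0.1:323    0.0.0.0:*  users:(("chronyd",pid=800,fd=5))'

# Number of wildcard listeners in the sample; a fully restricted host gives 0.
count_wildcard_in_sample() {
    printf '%s\n' "$SAMPLE_SS" | wildcard_listeners | wc -l | tr -d ' '
}

# Demonstration when run directly: sh nfs-bind-check.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    printf 'RPCNFSDCOUNT=8\nRPCNFSDOPTS=""\n' > "$f"
    set_nfsd_host "$f" 10.0.40.72
    echo "RPCNFSDOPTS now: $(get_nfsd_opts "$f")"
    rm -f "$f"
    echo "wildcard listeners in sample:"
    printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
fi
```

On a real host, run `ss -Hlntup | wildcard_listeners` after restarting nfs-kernel-server; anything it still prints is a socket that -H did not cover, which matches the nfsd(8) warning quoted in Solution 1 that lockd (and, per the question, rpc.mountd) can keep accepting requests on every address, so the firewall rule from the question remains the control that actually enforces the VPN-only policy.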