Things that need to pass through the firewall:
- portmapper (tcp and udp port 111)
- nfsd (tcp and udp 2049)
- mountd (variable port from portmapper)
Mountd is needed only while the NFS share is being mounted. Once the mount has completed, all traffic goes to nfsd.
The last one is problematic because its port does not stay the same. In the future, fsfwd will be able to ask the portmapper for the mountd port.
Currently there are two ways to perform NFS mounts:
- Turn off the firewall, mount the NFS share, and then turn on the firewall again. (The same applies to unmounts.)
- On the NFS server, start mountd with the --port PORT option, which makes mountd use a fixed PORT instead of a random one. Then add a firewall rule that allows udp and tcp traffic to PORT on the server.
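The following script is an added example, not part of the original text or of fsfwd: it shows how the portmapper can be asked for the mountd port today, by hand, using the standard rpcinfo(8) client (rpcinfo -p lists every program registered with the portmapper together with its protocol and port). It reads rpcinfo output, extracts the distinct protocol/port pairs for a service, refuses to produce a single mountd port when mountd is registered on more than one port (or not at all), and prints the matching allow rules. The rpcinfo output embedded below is constructed, the iptables syntax is an assumption (fsfwd's rule syntax is not described here), and nothing is applied to a live firewall; the script only prints.

```shell
#!/bin/sh
# Added example: discover the mountd port via the portmapper and generate
# firewall allow rules for it.  Constructed sample of "rpcinfo -p <server>"
# output (columns: program vers proto port service); not captured from a
# real server.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs'

# Print the distinct "proto port" pairs registered for service $1,
# reading rpcinfo -p output from stdin.  The header line is skipped
# because its fifth column is the word "service", not a service name.
rpc_ports() {
    awk -v svc="$1" '$5 == svc { print $3, $4 }' | sort -u
}

# Print the single port mountd is registered on.  Fails (return 1) when
# mountd is not registered or uses more than one port, because a rule
# written for one port would then leave part of the traffic blocked.
mountd_port() {
    ports=$(rpc_ports mountd | awk '{ print $2 }' | sort -u)
    n=$(printf '%s\n' "$ports" | awk 'NF { n++ } END { print n + 0 }')
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$ports"
}

# Check that mountd really is on the fixed port it was started with
# (the "--port PORT" approach); useful before relying on a static rule.
mountd_on_port() {
    [ "$(mountd_port)" = "$1" ]
}

# Emit allow rules for every proto/port pair of service $1.  iptables
# syntax is assumed here for illustration; the rules are only printed.
firewall_rules_for() {
    rpc_ports "$1" | while read -r proto port; do
        echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
    done
}

# Stand-alone demonstration on the constructed sample.  Against a live
# server one would pipe "rpcinfo -p <server>" into these functions instead.
printf '%s\n' "$SAMPLE_RPCINFO" | mountd_port
printf '%s\n' "$SAMPLE_RPCINFO" | firewall_rules_for mountd
```

Because mountd may register one port for udp and a different one for tcp, the script treats "more than one port" as an error rather than silently picking the first; for the same reason the rule generator iterates over every proto/port pair rather than assuming one port covers both transports.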