When you create a VCN, a default security list is also created. Rules in the security list are used to allow or deny traffic to a subnet. Before you can mount a file system, you must configure security list rules to allow traffic to the mount target subnet. File Storage requires stateful ingress to TCP ports 111, 2048, 2049, and 2050 and stateful ingress to UDP ports 111 and 2048. File Storage also requires stateful egress from TCP ports 111, 2048, 2049, and 2050 and stateful egress from UDP port 111.
See Security Lists for more information about how security lists work in Oracle Cloud Infrastructure. See About Security for information about how security lists work with other types of security in File Storage.
Required IAM Service Policy
To use Oracle Cloud Infrastructure, you must be given the required type of access in a policy (an IAM document that specifies who has what type of access to your resources; the term is used to mean an individual statement written in the policy language, a collection of statements in a single, named "policy" document that has an Oracle Cloud ID (OCID) assigned to it, or the overall body of policies your organization uses to control access to resources) written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment (a collection of related resources that can be accessed only by certain groups that have been given permission by an administrator in your organization) you should work in.
Using the Console
Security list rules allow ingress and egress for the following:
- Open Network Computing Remote Procedure Call (ONC RPC) rpcbind utility protocol
- Network File System (NFS) protocol
- Network File System (MOUNT) protocol
- Network Lock Manager (NLM) protocol
- Open the navigation menu. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.
- In the Scope section, select the compartment that contains the subnet associated with your file system.
- Click the name of the cloud network associated with your file system.
- On the details page for the cloud network, under Resources, click Security Lists.
- Click the name of the security list used by the subnet associated with your file system.
- In Resources, click Ingress Rules.
- Click Add Ingress Rules and add the following ingress rule allowing TCP traffic:
  - Specify that it's a stateful rule by leaving the check box clear. (For more information about stateful and stateless rules, see Stateful vs. Stateless Rules.) By default, rules are stateful unless you specify otherwise.
  - To allow traffic from the subnet of the cloud network, click Source Type, choose CIDR, and then enter the CIDR block for the subnet.
  - Click IP Protocol, and then click TCP.
  - In Source Port Range, specify the range of ports that you want to allow traffic from. Alternatively, accept the default of All to allow traffic from any source port.
    We recommend that NFS clients be limited to reserved ports. To do this, set the Source Port Range to 1-1023. You can also set export options for a file system to require clients to connect from a privileged source port. For more information, see Working with NFS Export Options.
  - Click Destination Port Range, and then enter 2048-2050.
- Click + Additional Ingress Rule and create a second stateful ingress rule allowing TCP traffic to a Destination Port Range of 111.
- Click + Additional Ingress Rule and create a third stateful ingress rule allowing UDP traffic to a Destination Port Range of 2048.
- Click + Additional Ingress Rule and create a fourth stateful ingress rule allowing UDP traffic to a Destination Port Range of 111.
- When you're done, click Add Ingress Rules.
- Next, create the egress rules. In Resources, click Egress Rules.
- Click Add Egress Rules and add the following egress rule allowing TCP traffic:
  - Specify that it's a stateful rule by leaving the check box clear.
  - Click Destination Type, choose CIDR, and then enter the CIDR block for the subnet.
  - Click IP Protocol, and then click TCP.
  - In Source Port Range, enter 2048-2050.
  - In Destination Port Range, accept the default of All to allow traffic to any destination port.
- Click + Additional Egress Rule and add a second stateful egress rule allowing TCP traffic from a Source Port Range of 111.
- Click + Additional Egress Rule and add a third stateful egress rule allowing UDP traffic from a Source Port Range of 111.
- When you're done, click Add Egress Rules.
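As an added example (not part of this page or of Oracle's tooling), the following Python audits a security list against the File Storage port requirements above and flags TCP ingress rules that do not honour the 1-1023 reserved source port recommendation. It assumes the dict shape of the REST API SecurityList (ingressSecurityRules / egressSecurityRules with tcpOptions / udpOptions port ranges); the sample list is constructed for this example.

```python
# Audit an OCI security list for the rules File Storage needs. Dict shape is
# assumed to follow the REST API SecurityList; the sample list is constructed.
TCP, UDP = "6", "17"
# (protocol, port) pairs from the page: ingress is matched on destination
# port, egress on source port.
REQUIRED_INGRESS = {(TCP, 111), (TCP, 2048), (TCP, 2049), (TCP, 2050), (UDP, 111), (UDP, 2048)}
REQUIRED_EGRESS = {(TCP, 111), (TCP, 2048), (TCP, 2049), (TCP, 2050), (UDP, 111)}

def _port_range(rule, side):
    """(min, max) for the 'source' or 'destination' side; unset means all ports."""
    opts = rule.get("tcpOptions" if rule["protocol"] == TCP else "udpOptions") or {}
    rng = opts.get(side + "PortRange")
    return (rng["min"], rng["max"]) if rng else (1, 65535)

def _covers(rules, proto, port, side):
    """True if some stateful rule for proto allows `port` on `side`."""
    return any(not r.get("isStateless") and r["protocol"] == proto
               and _port_range(r, side)[0] <= port <= _port_range(r, side)[1]
               for r in rules)

def audit_file_storage_rules(sl):
    """Missing (proto, port) pairs plus TCP ingress rules not limited to 1-1023."""
    ingress, egress = sl.get("ingressSecurityRules", []), sl.get("egressSecurityRules", [])
    return {
        "missing_ingress": {p for p in REQUIRED_INGRESS if not _covers(ingress, *p, "destination")},
        "missing_egress": {p for p in REQUIRED_EGRESS if not _covers(egress, *p, "source")},
        # page recommendation: restrict NFS clients to reserved source ports 1-1023
        "unrestricted_source_ports": sum(1 for r in ingress
                                         if r["protocol"] == TCP and _port_range(r, "source")[1] > 1023),
    }

SAMPLE_SECURITY_LIST = {  # constructed: the page's procedure, except that the TCP 111
    "ingressSecurityRules": [  # ingress rule keeps Source Port Range = All and UDP 111 is missing
        {"isStateless": False, "protocol": TCP, "source": "10.0.1.0/24",
         "tcpOptions": {"destinationPortRange": {"min": 2048, "max": 2050},
                        "sourcePortRange": {"min": 1, "max": 1023}}},
        {"isStateless": False, "protocol": TCP, "source": "10.0.1.0/24",
         "tcpOptions": {"destinationPortRange": {"min": 111, "max": 111}}},
        {"isStateless": False, "protocol": UDP, "source": "10.0.1.0/24",
         "udpOptions": {"destinationPortRange": {"min": 2048, "max": 2048}}},
    ],
    "egressSecurityRules": [
        {"isStateless": False, "protocol": TCP, "destination": "10.0.1.0/24",
         "tcpOptions": {"sourcePortRange": {"min": 2048, "max": 2050}}},
        {"isStateless": False, "protocol": TCP, "destination": "10.0.1.0/24",
         "tcpOptions": {"sourcePortRange": {"min": 111, "max": 111}}},
        {"isStateless": False, "protocol": UDP, "destination": "10.0.1.0/24",
         "udpOptions": {"sourcePortRange": {"min": 111, "max": 111}}},
    ],
}
```

Running `audit_file_storage_rules(SAMPLE_SECURITY_LIST)` reports the missing UDP 111 ingress rule and the one TCP ingress rule whose source ports are not restricted to 1-1023.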