Stay organized with collections
Save and categorize content based on your preferences.
This page explains when you must configure firewall rules to enable NFS file
locking.
Conditions that require firewall ingress rule configuration
You must create a firewall ingress rule to enable traffic from
Filestore instances to your clients if:
You are using NFS file locking in the applications accessing the
Filestore instance.
The VPC network you are using has firewall rules that block TCP port 111
or the ports used by the statd or nlockmgr daemons. To determine what
ports the statd and nlockmgr daemons use on the client,
check current port settings.
If the statd and nlockmgr ports aren't set, and you think you might need
to configure firewall rules at any point, we strongly recommend setting those
ports consistently on all client VM instances. For more information, see
Setting NFS ports.
Conditions that require firewall egress rule configuration
You must create a firewall egress rule to enable traffic from your clients to
your Filestore instances if:
The VPC network you're using has a firewall egress rule for the
IP address ranges used by your Filestore instances.
The firewall egress rule blocks traffic to TCP ports 111, 2046, 2049, 2050, or
4045.
For more information about VPC network firewall rules, see
Using Firewall Rules.
Create a firewall ingress rule
Use the following procedure to create a firewall rule to enable traffic from
Filestore instances.
Before you begin, verify the following:
Windows
Confirm that the client is allowed to communicate with the Filestore
instance and that the local firewall is not blocking the required ports.
To open all required NFS ports, run the following command in PowerShell:
'111','2046','2049','2050','4045'|%{C:\Windows\system32\netsh.exeadvfirewallfirewalladdrulename="NFS Shares allow TCP/UDP port $($_)"dir=INaction=ALLOWprotocol=TCP,UDPlocalport=$($_)}
Check current port settings
to determine what ports the statd and nlockmgr daemons use on the
client. Make note of them for later use.
Enter a Name for the firewall rule.
This name must be unique for the project.
Specify the Network in which you want to implement the firewall rule.
Specify the Priority of the rule.
If this rule doesn't conflict with any other rules, you can leave the default
of 1000. If an existing ingress rule has Action on match: Deny set for
the same IP address range, protocols, and ports, then set a lower priority
than the existing ingress rule.
Choose Ingress for Direction of traffic.
Choose Allow for Action on match.
For Targets, take one of the following actions:
If you want to allow traffic to all clients in the network from
Filestore instances, choose All instances in the network.
If you want to allow traffic to specific clients from
Filestore instances, choose Specified target tags. Type
the instance names of the clients in Target tags.
Leave the default value of IP ranges for Source filter.
For Source IP ranges, enter the IP address ranges of the Filestore
instances you want to allow access from in CIDR notation. You can enter the
internal IP address ranges
that you are using with your Filestore instances to enable all
Filestore traffic. You can also enter the IP addresses of
specific Filestore instances.
Leave the default value of None for Second source filter.
For Protocols and ports, choose Specified protocols and ports and
then:
Select the tcp checkbox and enter
111,STATDOPTS,nlm_tcpport
in the associated field, where:
STATDOPTS is the port used by the statd daemon on the
client.
nlm_tcpport is the tcp port used by the nlockmgr daemon
on the client.
Select the udp checkbox and enter the value of nlm_udpport, which
is the udp port used by nlockmgr. Note that these specifications
apply to the following service tiers
only:
Zonal
Regional
Enterprise
Choose Create.
Create a firewall egress rule
Use the following procedure to create a firewall rule to
enable traffic to Filestore instances.
Before you begin, verify the following:
Windows
Confirm that the client is allowed to communicate with the Filestore
instance and that the local firewall is not blocking the required ports.
To open all required NFS ports, run the following command in PowerShell:
'111','2046','2049','2050','4045'|%{C:\Windows\system32\netsh.exeadvfirewallfirewalladdrulename="NFS Shares allow TCP/UDP port $($_)"dir=OUTaction=ALLOWprotocol=TCP,UDPlocalport=$($_)}
Enter a Name for the firewall rule.
This name must be unique for the project.
Specify the Network in which you want to implement the firewall rule.
Specify the Priority of the rule.
If this rule doesn't conflict with any other rules, you can leave the default
of 1000. If an existing egress rule has Action on match: Deny set for
the same IP address range, protocols, and ports, then set a lower priority
than the existing ingress rule.
Choose Egress for Direction of traffic.
Choose Allow for Action on match.
For Targets, take one of the following actions:
If you want to allow traffic from all clients in the network to
Filestore instances, choose All instances in the network.
If you want to allow traffic from specific clients to
Filestore instances, choose Specified target tags. Type
the instance names of the clients in Target tags.
For Destination IP ranges, enter the IP address ranges of the Filestore
instances you want to allow access to in CIDR notation. You can enter the
internal IP address ranges
that you are using with your Filestore instances to enable
traffic to all Filestore instances. You can also enter the IP
addresses of specific Filestore instances.
For Protocols and ports, choose Specified protocols and ports. Then
select the tcp checkbox and enter 111,2046,2049,2050,4045 in the
associated field.
Choose Create.
Verify NFS ports
We recommend verifying whether your NFS ports have been opened properly. For
more information, see Configure NFS ports on client VMs.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eFirewall ingress rules are necessary when using NFS file locking and the VPC network blocks TCP port 111 or the ports used by the \u003ccode\u003estatd\u003c/code\u003e or \u003ccode\u003enlockmgr\u003c/code\u003e daemons.\u003c/p\u003e\n"],["\u003cp\u003eFirewall egress rules are needed if the VPC network has a rule that blocks traffic to TCP ports 111, 2046, 2049, 2050, or 4045 from clients to the IP address ranges of Filestore instances.\u003c/p\u003e\n"],["\u003cp\u003eTo create an ingress firewall rule, specify the Filestore instance IP ranges as the source, and include TCP port 111, the \u003ccode\u003estatd\u003c/code\u003e port, and the \u003ccode\u003enlockmgr\u003c/code\u003e ports.\u003c/p\u003e\n"],["\u003cp\u003eTo create an egress firewall rule, specify the Filestore instance IP ranges as the destination, and include TCP ports 111, 2046, 2049, 2050, and 4045.\u003c/p\u003e\n"],["\u003cp\u003eIt is recommended to verify that the NFS ports have been opened correctly for proper communication.\u003c/p\u003e\n"]]],[],null,["# Configure firewall rules\n\nThis page explains when you must configure firewall rules to enable NFS file\nlocking.\n\nConditions that require firewall ingress rule configuration\n-----------------------------------------------------------\n\nYou must create a firewall ingress rule to enable traffic from\nFilestore instances to your clients if:\n\n- You are using NFS file locking in the applications accessing the Filestore instance.\n- The VPC network you are using has firewall rules that block TCP port 111\n or the ports used by the `statd` or `nlockmgr` daemons. To determine what\n ports the `statd` and `nlockmgr` daemons use on the client,\n [check current port settings](/filestore/docs/setting-nfs-ports#checking-ports).\n\n If the `statd` and `nlockmgr` ports aren't set, and you think you might need\n to configure firewall rules at any point, we strongly recommend setting those\n ports consistently on all client VM instances. For more information, see\n [Setting NFS ports](/filestore/docs/setting-nfs-ports).\n\nConditions that require firewall egress rule configuration\n----------------------------------------------------------\n\nYou must create a firewall egress rule to enable traffic from your clients to\nyour Filestore instances if:\n\n- The VPC network you're using has a firewall egress rule for the IP address ranges used by your Filestore instances.\n- The firewall egress rule blocks traffic to TCP ports 111, 2046, 2049, 2050, or 4045.\n\nYou can get the reserved IP address range for any Filestore\ninstance from\n[the Filestore instances page](https://console.cloud.google.com/filestore/instances)\nor by running `gcloud filestore instances describe`. For more information, see\n[Get information about a specific instance](/filestore/docs/getting-instance-information#get-instance).\n\nFor more information about VPC network firewall rules, see\n[Using Firewall Rules](/vpc/docs/using-firewalls).\n\nCreate a firewall ingress rule\n------------------------------\n\nUse the following procedure to create a firewall rule to enable traffic from\nFilestore instances.\n\n1. Before you begin, verify the following:\n\n ### Windows\n\n 1. Confirm that the client is allowed to communicate with the Filestore\n instance and that the local firewall is not blocking the required ports.\n To open all required NFS ports, run the following command in PowerShell:\n\n '111','2046','2049','2050','4045' | % {\n C:\\Windows\\system32\\netsh.exe advfirewall firewall add rule name=\"NFS Shares allow TCP/UDP port $($_)\" dir=IN action=ALLOW protocol=TCP,UDP localport=$($_)\n }\n\n 2. [Check current port settings](/filestore/docs/setting-nfs-ports#current-ports)\n to determine what ports the `statd` and `nlockmgr` daemons use on the\n client. Make note of them for later use.\n\n ### Linux\n\n No prerequisites for completing this task.\n\n ### MacOS\n\n No prerequisites for completing this task.\n2. Go to the **Firewall** page in the Google Cloud console. \n\n [Go to the Firewall page](https://console.cloud.google.com/networking/firewalls/list)\n\n3. Click **Create firewall rule**.\n\n4. Enter a **Name** for the firewall rule.\n This name must be unique for the project.\n\n5. Specify the **Network** in which you want to implement the firewall rule.\n\n6. Specify the **Priority** of the rule.\n\n If this rule doesn't conflict with any other rules, you can leave the default\n of `1000`. If an existing ingress rule has **Action on match: Deny** set for\n the same IP address range, protocols, and ports, then set a lower priority\n than the existing ingress rule.\n7. Choose **Ingress** for **Direction of traffic**.\n\n8. Choose **Allow** for **Action on match**.\n\n9. For **Targets**, take one of the following actions:\n\n - If you want to allow traffic to all clients in the network from Filestore instances, choose **All instances in the network**.\n - If you want to allow traffic to specific clients from Filestore instances, choose **Specified target tags** . Type the instance names of the clients in **Target tags**.\n10. Leave the default value of **IP ranges** for **Source filter**.\n\n11. For **Source IP ranges** , enter the IP address ranges of the Filestore\n instances you want to allow access from in CIDR notation. You can enter the\n [internal IP address ranges](https://www.arin.net/knowledge/address_filters.html)\n that you are using with your Filestore instances to enable all\n Filestore traffic. You can also enter the IP addresses of\n specific Filestore instances.\n\n12. Leave the default value of **None** for **Second source filter**.\n\n13. For **Protocols and ports** , choose **Specified protocols and ports** and\n then:\n\n - Select the **tcp** checkbox and enter `111,`\u003cvar translate=\"no\"\u003eSTATDOPTS\u003c/var\u003e`,`\u003cvar translate=\"no\"\u003enlm_tcpport\u003c/var\u003e in the associated field, where:\n - \u003cvar translate=\"no\"\u003eSTATDOPTS\u003c/var\u003e is the port used by the `statd` daemon on the client.\n - \u003cvar translate=\"no\"\u003enlm_tcpport\u003c/var\u003e is the `tcp` port used by the `nlockmgr` daemon on the client.\n - Select the **udp** checkbox and enter the value of `nlm_udpport`, which is the `udp` port used by `nlockmgr`. Note that these specifications apply to the following [service tiers](/filestore/docs/service-tiers) only:\n - Zonal\n - Regional\n - Enterprise\n14. Choose **Create**.\n\nCreate a firewall egress rule\n-----------------------------\n\nUse the following procedure to create a firewall rule to\nenable traffic to Filestore instances.\n\n1. Before you begin, verify the following:\n\n ### Windows\n\n Confirm that the client is allowed to communicate with the Filestore\n instance and that the local firewall is not blocking the required ports.\n To open all required NFS ports, run the following command in PowerShell: \n\n '111','2046','2049','2050','4045' | % {\n C:\\Windows\\system32\\netsh.exe advfirewall firewall add rule name=\"NFS Shares allow TCP/UDP port $($_)\" dir=OUT action=ALLOW protocol=TCP,UDP localport=$($_)\n }\n\n ### Linux\n\n No prerequisites for completing this task.\n\n ### MacOS\n\n No prerequisites for completing this task.\n2. Go to the **Firewall** page in the Google Cloud console. \n\n [Go to the Firewall page](https://console.cloud.google.com/networking/firewalls/list)\n\n3. Click **Create firewall rule**.\n\n4. Enter a **Name** for the firewall rule.\n This name must be unique for the project.\n\n5. Specify the **Network** in which you want to implement the firewall rule.\n\n6. Specify the **Priority** of the rule.\n\n If this rule doesn't conflict with any other rules, you can leave the default\n of `1000`. If an existing egress rule has **Action on match: Deny** set for\n the same IP address range, protocols, and ports, then set a lower priority\n than the existing ingress rule.\n7. Choose **Egress** for **Direction of traffic**.\n\n8. Choose **Allow** for **Action on match**.\n\n9. For **Targets**, take one of the following actions:\n\n - If you want to allow traffic from all clients in the network to Filestore instances, choose **All instances in the network**.\n - If you want to allow traffic from specific clients to Filestore instances, choose **Specified target tags** . Type the instance names of the clients in **Target tags**.\n10. For **Destination IP ranges** , enter the IP address ranges of the Filestore\n instances you want to allow access to in CIDR notation. You can enter the\n [internal IP address ranges](https://www.arin.net/knowledge/address_filters.html)\n that you are using with your Filestore instances to enable\n traffic to all Filestore instances. You can also enter the IP\n addresses of specific Filestore instances.\n\n11. For **Protocols and ports** , choose **Specified protocols and ports** . Then\n select the **tcp** checkbox and enter `111,2046,2049,2050,4045` in the\n associated field.\n\n12. Choose **Create**.\n\nVerify NFS ports\n----------------\n\nWe recommend verifying whether your NFS ports have been opened properly. For\nmore information, see [Configure NFS ports on client VMs](/filestore/docs/setting-nfs-ports#verify-ports).\n\nWhat's next\n-----------\n\n- [Learn more about the networking and IP resource requirements for using\n Filestore](/filestore/docs/networking).\n- [Configure NFS ports on client VMs](/filestore/docs/setting-nfs-ports)."]]
