How NFS Works
NFS uses a client-server model. The NFS server exports directories from its filesystem, making them available to clients on the network. An NFS client mounts the exported directory, which then appears as a local path. All file operations (read, write, create, delete, stat) are transparently sent over the network to the NFS server, which performs them on the underlying filesystem and returns results.
NFSv3 runs over UDP (or optionally TCP) and is stateless: the server does not track which clients have files open. This makes recovery from server restarts simple but limits file locking capabilities. NFSv4 is TCP-only and stateful, supporting better file locking, delegation (the server delegates read/write rights to a client for better performance), and Kerberos authentication.
NFSv3 vs NFSv4
NFSv3: Stateless, uses multiple ports (requires portmapper, mountd, nfsd, lockd, statd — making firewall rules complex). Authentication is IP-based — any machine at a permitted IP can mount the share. No built-in encryption. Fast and simple to configure. Still widely used, especially for trusted LAN environments.
NFSv4: Stateful, uses only TCP port 2049 (making firewall rules simple). Supports Kerberos for strong authentication (AUTH_GSS). Better file locking semantics with lease-based locks. ACL support compatible with Windows/NFSv4 ACL model. Supports delegation for read/write performance optimization. NFSv4.1 added pNFS (parallel NFS) for striped access across multiple servers. Use NFSv4 for new setups; it is the default in modern Linux distributions.
NFS Security Considerations
NFSv3 security relies on trusting IP addresses: a client at an allowed IP can mount shares. Because processes on the client often access NFS mounts as root, the root_squash export option maps root access to an unprivileged user (nobody) on the server side, preventing a root user on the client from modifying files they should not own on the server. Always enable root_squash on exports accessible from machines you do not fully trust.
NFSv4 with Kerberos (sec=krb5, krb5i for integrity, or krb5p for encryption) provides proper user authentication and optionally encrypted transmission. For a homelab where client machines are fully trusted VMs you control, NFSv4 without Kerberos (sec=sys, IP-based auth) is acceptable. For access from untrusted segments, krb5p encryption is appropriate.
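The export-level checks described above can be automated. The following Python code is an added example, not part of the original article: it audits /etc/exports text for exports open to any host, an explicit no_root_squash, and security flavors weaker than krb5p. The function name audit_exports and the sample file are constructed for illustration; it assumes one export per line, with no default-option (-opts) entries, line continuations or quoted paths.

```python
import re

# Constructed sample /etc/exports content (not taken from a real server).
SAMPLE_EXPORTS = """\
# homelab exports
/mnt/data    192.168.20.0/24(rw,sync,no_subtree_check,root_squash)
/mnt/backup  192.168.20.15(rw,sync,no_root_squash)
/mnt/iso     *(ro,sync)
/mnt/secure  192.168.30.0/24(rw,sync,sec=krb5p)
"""

CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$")
WORLD = {"", "*", "0.0.0.0/0", "::/0"}  # an empty host also means "everyone"

def audit_exports(text):
    """Return (path, client, finding) tuples for risky export settings."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:  # a path with no client list is world-exported
            m = CLIENT_RE.match(spec)
            if not m:
                findings.append((path, spec, "unparseable client spec"))
                continue
            host = m.group("host")
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            label = host or "*"
            if host in WORLD:
                findings.append((path, label, "exported to any host"))
            # root_squash is the default; only the explicit override is flagged.
            if "no_root_squash" in opts:
                findings.append((path, label, "no_root_squash: client root acts as root"))
            # sec= takes a colon-separated list; when absent the flavor is sys.
            sec = next((o[4:].split(":") for o in opts if o.startswith("sec=")), ["sys"])
            if "sys" in sec:
                findings.append((path, label, "sec=sys: trusts client IP and asserted UIDs"))
            elif any(s != "krb5p" for s in sec):
                findings.append((path, label, "Kerberos without krb5p: traffic not encrypted"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:12} {client:18} {finding}")
```

A sec=sys finding is informational on a fully trusted segment and a real problem on exports reachable from untrusted networks.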
NFSv3 vs NFSv4 Comparison
| Feature | NFSv3 | NFSv4 | NFSv4.1 |
|---|---|---|---|
| Protocol | UDP or TCP (multiple ports) | TCP only (port 2049) | TCP only (port 2049) |
| State | Stateless | Stateful | Stateful |
| Authentication | IP-based (host trust) | IP-based or Kerberos (AUTH_GSS) | IP-based or Kerberos |
| Encryption | None built-in | With Kerberos (krb5p) | With Kerberos (krb5p) |
| File locking | External (lockd daemon) | Built-in (lease-based) | Built-in |
| ACL model | POSIX only | NFSv4 ACLs (Windows compatible) | NFSv4 ACLs |
| Delegation | No | Yes | Yes |
| Firewall complexity | High (multiple ports) | Low (single port 2049) | Low |
| Best for | Legacy systems, simple LAN | Modern Linux/NAS setups | Scale-out storage, pNFS |
Frequently Asked Questions
How do I export an NFS share on Linux?
Edit /etc/exports on the NFS server: /mnt/data 192.168.20.0/24(rw,sync,no_subtree_check,root_squash). Then run exportfs -ra to apply the new export and systemctl restart nfs-server to reload. The subnet 192.168.20.0/24 restricts access to clients in that IP range. The sync option writes data to disk before replying (safer; slightly slower). no_subtree_check improves reliability when files in subdirectories are exported.
How do I mount an NFS share permanently in Linux?
Add an entry to /etc/fstab: 192.168.20.10:/mnt/data /mnt/nas nfs4 defaults,_netdev,nofail 0 0. The _netdev option delays the mount until networking is available. nofail prevents the system from halting at boot if the NFS server is unavailable. Run mount -a to test the fstab entry without rebooting.
Can I use NFS with Proxmox?
Yes. Proxmox supports NFS as a storage backend for ISOs, disk images, and VM backups. In the Proxmox web UI: Datacenter → Storage → Add → NFS. Enter the NFS server IP, the export path, and select which content types this storage handles. Proxmox uses NFSv4 by default. For VM disk images (qcow2, raw), the NFS share must support file locking — use NFSv4 with Proxmox.
Is NFS faster than SMB?
On Linux-to-Linux connections, NFS is generally faster than SMB for large sequential transfers because it has lower protocol overhead. SMB3 with multichannel can match or exceed NFS performance on multi-NIC setups. For practical home network speeds (gigabit Ethernet), both protocols saturate the ~120 MB/s link — the difference is only measurable on 10GbE connections or with many small files where NFS's lower per-operation overhead matters.