Port 635 carries mountd, the NFS mount daemon that controls access to network file systems.
When you try to mount a remote directory over NFS, you're not just asking for files—you're asking for permission. Port 635 is where that permission gets granted or denied.
What Mountd Does
The mount daemon (rpc.mountd) implements the server side of the NFS MOUNT protocol, used by NFSv2 and NFSv3. [1] It serves one critical function: access control.
Before a client can mount a remote file system, mountd checks two things:
- The pathname of the export being requested
- The IP address making the request
It compares these against its access control lists. If the client is permitted, mountd grants the mount. If not, the request is denied. [2]
This happens before any file access occurs. Mountd is the bouncer at the door—if you don't get past port 635, you never see the files.
How It Works with NFS
In NFSv2 and NFSv3, port 635 is a static assignment for mountd communication over both TCP and UDP. [3] This is different from many RPC services that use dynamic port assignment through the portmapper.
The typical NFS mount sequence:
- Client contacts portmapper to find NFS services
- Client sends mount request to mountd on port 635
- Mountd checks access control lists
- If permitted, mountd returns a file handle
- Client uses that handle to access files via the main NFS service (port 2049)
Without mountd, there's no controlled access—just an open file system exposed to the network.
NFSv4 Changed This
NFSv4 eliminated the need for mountd entirely. The protocol was redesigned to handle authentication and mounting through the main NFS port (2049), removing the complexity of separate mount daemons and portmapper lookups.
This means port 635 is primarily relevant for older NFS implementations. If you're running NFSv3 or earlier, mountd is essential. If you've migrated to NFSv4, this port sits unused.
Security Considerations
Mountd, listening on port 635, makes its access decisions based on client IP addresses, which can be spoofed. Modern NFS deployments should:
- Use Kerberos authentication instead of relying solely on IP-based access control
- Implement firewall rules that restrict port 635 to trusted networks
- Migrate to NFSv4, which has stronger built-in security mechanisms
Exposing port 635 to the Internet is dangerous—it's designed for trusted local networks, not hostile environments.
Checking What's Listening
To see if mountd is running on your system:
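An added example (not from the original page): the script below parses `rpcinfo -p` output, where mountd appears as RPC program 100005, and reports whether it is registered on port 635, on some other port, or not at all. The function names, the `EXPECTED_PORT` variable, the script name in the comment and the sample output are constructed for this example.

```shell
#!/bin/sh
# Added example: locate mountd (RPC program 100005) in `rpcinfo -p` output.
# EXPECTED_PORT and the function names are assumptions of this example.

EXPECTED_PORT=635

# Constructed sample of `rpcinfo -p` output, not captured from a real host.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    3   udp    635  mountd
    100005    3   tcp    635  mountd
    100003    3   tcp   2049  nfs
    100021    4   tcp   4045  nlockmgr'

# Read rpcinfo output on stdin; print unique proto/port pairs for mountd.
mountd_endpoints() {
  awk '$1 == "100005" { print $3 "/" $4 }' | sort -u
}

# Read rpcinfo output on stdin and classify the host:
#   absent     - mountd is not registered (e.g. an NFSv4-only server)
#   expected   - mountd is registered only on EXPECTED_PORT
#   unexpected - mountd is registered on another port, so firewall rules
#                written for EXPECTED_PORT would not cover it
mountd_status() {
  md_endpoints=$(mountd_endpoints)
  if [ -z "$md_endpoints" ]; then
    echo absent
    return 0
  fi
  for md_ep in $md_endpoints; do
    # Strip the "proto/" prefix and compare the port number.
    [ "${md_ep#*/}" = "$EXPECTED_PORT" ] || { echo unexpected; return 0; }
  done
  echo expected
}

# Live check on the local host (needs the rpcinfo utility):
#   ./check_mountd.sh --live      (hypothetical script name)
if [ "${1:-}" = "--live" ]; then
  out=$(rpcinfo -p localhost 2>/dev/null) || out=""
  echo "mountd endpoints: $(printf '%s\n' "$out" | mountd_endpoints | tr '\n' ' ')"
  echo "status: $(printf '%s\n' "$out" | mountd_status)"
fi
```

A result of `unexpected` means the firewall rules for port 635 need to be revisited against the ports `mountd_endpoints` prints.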
Related Ports
- Port 111 — Portmapper (rpcbind), used to discover NFS service ports
- Port 2049 — NFS, the main file sharing protocol
- Port 4045 — NFS Lock Manager (lockd), handles file locking
Why This Port Matters
Port 635 exists because trust needs verification. Before you can access someone's file system, someone has to check your credentials. In NFSv2 and NFSv3, that someone is mountd.
The port represents a design philosophy: separate the permission check from the file access. One service decides who gets in. Another service handles the actual files. This separation makes the system easier to secure and audit.
NFSv4 proved you could do both in one protocol, but millions of systems still run older NFS versions. For them, port 635 remains the first question every mount request must answer: do you belong here?