Thursday, 22 October 2015

Exporting nfs version 3 through a firewall

nfs v4 uses only 1 port - 2049 - and in practice only over tcp (the protocol requires a congestion-controlled transport, so clients use tcp; opening udp 2049 as well does no harm but isn't needed). Open that in your firewall and you're good. One caveat if the *client* sits behind its own firewall: nfs v4.0 delegations depend on a callback connection the server opens back to the client, whereas v4.1 and later run callbacks over the client's existing connection.
nfs v3 and before are a bit more complicated. As well as the main nfs port 2049, you need to allow access to the portmapper (rpcbind on RHEL 6 and later, fixed on port 111), mountd, lockd & statd ports - and possibly also the rquotad port - and apart from portmapper they aren't fixed by default: each one asks the kernel for a free port at startup and registers it with the portmapper, so it can move on every reboot. To pin them, so you can create appropriate firewall rules, edit (in RHEL/CentOS/Scientific Linux) /etc/sysconfig/nfs and add/modify these lines. The actual ports you use are pretty arbitrary, as long as nothing else listens on them:
RQUOTAD_PORT=762
LOCKD_TCPPORT=890
LOCKD_UDPPORT=890
MOUNTD_PORT=892
STATD_PORT=891

Restart nfs & nfslock, set up your firewall rules (for both tcp & udp, since every one of these services can be reached over either) and that should be that - except that lockd is implemented as a kernel thread. The LOCKD variables above cause /etc/init.d/nfs and /etc/init.d/nfslock to write to /proc/sys/fs/nfs/nlm_tcpport & /proc/sys/fs/nfs/nlm_udpport, but those values are only read when the lockd thread is started. If lockd is already running when the init script writes them - because nfs was started before nfslock, or an nfs filesystem was already mounted on the server - the write has no effect on the running listener, which is why the setting appears to be ignored. You can see the values the kernel currently holds with cat /proc/sys/fs/nfs/nlm_tcpport, but the port lockd actually bound is the one reported by rpcinfo.

Alternatively, the debian handbook https://debian-handbook.info/browse/stable/sect.nfs-file-server.html suggests creating a modprobe file:
Example 11.24: The /etc/modprobe.d/lockd file
options lockd nlm_udpport=2045 nlm_tcpport=2045

Either way you basically need to reboot to get it to work: modprobe options are read only when the lockd module is loaded, and the sysctl values only when the lockd thread starts. The alternative to a reboot is to stop nfs and nfslock, unmount every nfs filesystem on the machine, unload the lockd module (and the nfs/nfsd modules that depend on it), then start the services again. If lockd is built into your kernel rather than a module, the modprobe file does nothing; the same options go on the kernel command line as lockd.nlm_tcpport=2045 lockd.nlm_udpport=2045.
You can check your nfs ports with rpcinfo -p, which will also tell you which NFS versions and which IP protocols they are using (lockd shows up as nlockmgr and statd as status). You can also run rpcinfo against a remote server to check that's all working through the firewall - rpcinfo -p <servername> - which incidentally proves port 111 is reachable, since that's where rpcinfo asks.
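As an added example (not from the original post), here is a small POSIX shell script that turns the checks above into something you can run after a restart: it parses `rpcinfo -p` output, compares every RPC service against the ports you pinned in /etc/sysconfig/nfs, and prints the matching iptables rules. The port variables, the client network and the INPUT-chain layout are assumptions to adjust; the rpcinfo output is a constructed sample showing the exact failure mode described above, where mountd, statd and rquotad landed on their configured ports but lockd (nlockmgr) is still on the kernel's own choice.

```shell
#!/bin/sh
# Expected fixed ports, matching the /etc/sysconfig/nfs values above
# (assumption: change them to whatever you configured).
MOUNTD_PORT=892
STATD_PORT=891
LOCKD_PORT=890
RQUOTAD_PORT=762

# Constructed sample of `rpcinfo -p` output from a server where the lockd
# sysctl was written after the lockd thread had already started: nlockmgr
# is still on arbitrary ports, everything else is where we pinned it.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100024    1   udp    891  status
    100024    1   tcp    891  status
    100011    2   udp    762  rquotad
    100011    2   tcp    762  rquotad'

# Reduce rpcinfo -p output ($1) to one "service proto port" line per
# listener, e.g. "mountd tcp 892", collapsing the per-version duplicates.
rpc_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF == 5 { print $5, $3, $4 }' | sort -u
}

# Port a service ($2, named as rpcinfo prints it) listens on over $3
# (tcp|udp), or "none" if it is not registered at all.
rpc_port() {
    port=$(rpc_listeners "$1" | awk -v s="$2" -v p="$3" '$1 == s && $2 == p { print $3; exit }')
    echo "${port:-none}"
}

# Compare every service, tcp and udp, against the configured port. Prints one
# line per mismatch; returns 0 only if all of them are where the firewall expects.
check_nfs_ports() {
    rc=0
    for spec in "portmapper:111" "nfs:2049" "mountd:$MOUNTD_PORT" \
                "status:$STATD_PORT" "nlockmgr:$LOCKD_PORT" "rquotad:$RQUOTAD_PORT"; do
        svc=${spec%%:*}
        want=${spec##*:}
        for proto in tcp udp; do
            got=$(rpc_port "$1" "$svc" "$proto")
            if [ "$got" != "$want" ]; then
                echo "MISMATCH $svc/$proto: listening on $got, firewall expects $want"
                rc=1
            fi
        done
    done
    return $rc
}

# Emit iptables rules for the pinned ports, limited to the client network in $1
# (assumption: an INPUT chain whose policy drops everything not accepted here).
nfs_iptables_rules() {
    for port in 111 2049 "$MOUNTD_PORT" "$STATD_PORT" "$LOCKD_PORT" "$RQUOTAD_PORT"; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -s $1 -p $proto --dport $port -j ACCEPT"
        done
    done
}

# Demo against the constructed sample; on a real server use "$(rpcinfo -p)"
# or "$(rpcinfo -p nfsserver)" from a client on the far side of the firewall.
if check_nfs_ports "$SAMPLE_RPCINFO"; then
    echo "all NFS services on their configured ports"
else
    echo "fix the above (for nlockmgr: lockd must be restarted for the port to change)"
fi
nfs_iptables_rules 10.0.0.0/24
```

The check deliberately reads what the portmapper reports rather than /proc/sys/fs/nfs, because the sysctl can show the value you wrote while lockd still listens somewhere else; rpcinfo is the only source that reflects the ports clients will actually be sent to.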