May 2003 Linux Productivity Magazine: IPTables:
"You will see that the mountd daemon is bound to different ports every time you restart NFS. How do you accurately pinhole such a service?
There are 3 ways:
The shotgun method -- pass all TCP and UDP from 32000 to 34000
Use the NFS start script to peg it to a single port
Create an NFS restart script to first detect all mountd ports, then restart NFS, then detect all new NFS ports, then alter the firewall to accommodate the changes."
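The third option above, carried through as an added shell example (this is not code from the magazine article). It asks the portmapper where mountd landed and rebuilds a dedicated iptables chain from the answer; flushing that chain drops the old pinholes, so the "detect all old mountd ports" step disappears. The chain name NFS-PINHOLE, the client network 192.0.2.0/24, the init-script path and the sample `rpcinfo -p` output are all this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the magazine article): pin-hole the dynamic
# mountd port by asking the portmapper where it is, instead of opening
# a 2000-port range. Assumes iptables and rpcinfo are installed; the
# chain name NFS-PINHOLE and the client network are assumptions.

# Constructed `rpcinfo -p` output standing in for the live portmapper
# (in this sample mountd has landed on 32768/udp and 32769/tcp).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  32768  mountd
    100005    1   tcp  32769  mountd
    100005    3   udp  32768  mountd
    100003    2   tcp   2049  nfs'

# mountd_ports SERVICE   (stdin: rpcinfo -p output)
# Prints one "proto port" pair per line for SERVICE, de-duplicated, so a
# service registered for several RPC versions on one port is listed once.
mountd_ports() {
    awk -v svc="$1" '$5 == svc { print $3, $4 }' | sort -u
}

# pinhole_rules SERVICE SOURCE_CIDR   (stdin: rpcinfo -p output)
# Emits the iptables commands that rebuild the NFS-PINHOLE chain from the
# current registrations. Flushing a dedicated chain removes the stale
# rules, so the old ports never have to be detected at all.
# Pipe the output to `sh` to apply it.
pinhole_rules() {
    printf 'iptables -F NFS-PINHOLE\n'
    mountd_ports "$1" | while read -r proto port; do
        printf 'iptables -A NFS-PINHOLE -p %s -s %s --dport %s -j ACCEPT\n' \
            "$proto" "$2" "$port"
    done
}

# One-time setup (run once, not on every restart):
#   iptables -N NFS-PINHOLE
#   iptables -A INPUT -j NFS-PINHOLE
#
# Restart NFS, then re-pin the chain to wherever mountd landed this time.
# Only runs with --apply, so the script is safe to read and dry-run.
if [ "${1:-}" = "--apply" ]; then
    /etc/init.d/nfs restart          # assumed init-script path
    rpcinfo -p | pinhole_rules mountd "${2:-192.0.2.0/24}" | sh
else
    # Dry run against the constructed sample: show what would be applied.
    printf '%s\n' "$SAMPLE_RPCINFO" | pinhole_rules mountd 192.0.2.0/24
fi
```

Run it with no arguments to see the rules it would generate from the sample; `./script.sh --apply 192.0.2.0/24` restarts NFS and rewrites the chain for real. Note that the shotgun range in the first option also exposes any other dynamically bound RPC service that happens to land in 32000-34000, which is the reason to prefer either this approach or the second option (pinning mountd to a fixed port with `rpc.mountd -p PORT` in the NFS start script).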