It's easy to configure the port options for the statd and mountd RPC services, thanks to the use of /etc/default/* by the init-scripts.
File /etc/default/nfs-common
STATDOPTS="--port 32765 --outgoing-port 32766"
File /etc/default/nfs-kernel-server
RPCMOUNTDOPTS="-p 32767"
The NFS daemon (rpc.nfsd or just nfsd) will listen on port 2049 by default if no port is specified.
Create a /etc/modprobe.d/nfs-local.conf file to provide the lockd module with options.
options lockd nlm_udpport=32768 nlm_tcpport=32768 options nfs callback_tcpport=32764
It is possible to then open the following ports in the firewall.
UDP 111 TCP 111 UDP 2049 TCP 2049 UDP 32764:32768 TCP 32764:32768