On Wed, Aug 28, 2019 at 12:36 PM Ed Greshko <ed.greshko(a)greshko.com> wrote:
> On 8/28/19 6:06 PM, Tom H wrote:
>> On Wed, Aug 28, 2019 at 9:21 AM Ed Greshko <ed.greshko(a)greshko.com> wrote:
>>> [root@f30-k ~]# firewall-cmd --zone=home --add-port=111/udp --permanent
>>> [root@f30-k ~]# firewall-cmd --zone=home --add-port=20048/udp --permanent
>>
>> Is there a reason why you don't want to enable "111/tcp" and
>> "20048/tcp" as "--add-service=rpc-bind" and "--add-service=mountd"
>> would?
>>
>> I could understand adding "111/tcp" only in an nfsv4-only setup
>> because nfsv4 is "limited" to tcp, so it makes sense to try to use
>> only tcp.
> A couple of things. My age/background has me thinking more in
> "ports" than "services".
Same here. I don't use firewalld or ufw, but I've learned how they
work with "services" out of curiosity (and because I've worked on
servers that've used them). But I prefer "ports".
> I've not had any issues in a NFSv4 only environment with defining
> 111/udp and 20048/udp only. That too is probably an artifact of my
> background.
You must've had nfsv3 running too because nfsv4 is tcp-only.
>> [mountd's not needed on the network in an nfsv4-only setup because
>> "showmount ..." doesn't work in such a setup]
> Not sure that is entirely true.
>
> On the server....
>
> [root@f30-k ~]# grep vers /etc/nfs.conf
> # reverse-lookup=n
> # vers2=n
> vers3=n
> # vers4=y
> # vers4.0=y
> # vers4.1=y
> # vers4.2=y
>
> Yet on the client....
>
> [egreshko@meimei ~]$ showmount -e f30k
> Export list for f30k:
> /home 192.168.1.0/24,2001:B030:112F:0000::/56
>
> And the current testing system has this....
>
> [root@f30-k ~]# firewall-cmd --info-zone=home
> home (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: enp0s8
>   sources:
>   services: dhcpv6-client mdns nfs samba-client ssh
>   ports: 111/udp 20048/udp
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> And, FWIW, removing 20048/udp results in
>
> [egreshko@meimei ~]$ showmount -e f30k
> rpc mount export: RPC: Timed out
>
> But, just now, I did find a good reason for adding 111/tcp and 20048/tcp as without them
> I get
>
> [egreshko@meimei ~]$ rpcinfo -p f30k
> f30k: RPC: Remote system error - Permission denied
>
> And with them it is OK.
>
> [egreshko@meimei ~]$ rpcinfo -p f30k
>    program vers proto   port  service
>     100000    4   tcp    111  portmapper
>     100000    3   tcp    111  portmapper
>     100000    2   tcp    111  portmapper
>     100000    4   udp    111  portmapper
>     100000    3   udp    111  portmapper
>     100000    2   udp    111  portmapper
>     100024    1   udp  50178  status
>     100024    1   tcp  59315  status
>     100005    1   udp  20048  mountd
>     100005    1   tcp  20048  mountd
>     100005    2   udp  20048  mountd
>     100005    2   tcp  20048  mountd
>     100003    4   tcp   2049  nfs
>
> So, yes, I will need to adjust my thinking a bit and think more "services" than
> "ports". :-)
On an nfsv4-only system with its iptables rules flushed, "showmount
..." doesn't even work locally (because it needs "rpc.mountd").
# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# rpcinfo -s
program version(s) netid(s) service owner
100000 2,3,4 local,udp,tcp,udp6,tcp6 portmapper superuser
100003 4 tcp6,tcp nfs superuser
# cat /etc/exports
/srv 192.168.0.0/24(rw,sync,no_root_squash)
# exportfs
/srv 192.168.0.0/24
# cat /var/lib/nfs/etab
/srv 192.168.0.0/24(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,rw,secure,no_root_squash,no_all_squash)
# showmount -e
clnt_create: RPC: Program not registered
# mount 192.168.0.127:/srv /mnt
# findmnt /mnt
TARGET SOURCE FSTYPE OPTIONS
/mnt   192.168.0.127:/srv nfs4   rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.0.127,local_lock=none,addr=192.168.0.127
# cat /var/lib/nfs/rmtab
# showmount -d
clnt_create: RPC: Program not registered
#
> And remember to configure this way....
>
> [root@f30-k ~]# firewall-cmd --info-zone=home
> home (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: enp0s8
>   sources:
>   services: dhcpv6-client mdns mountd nfs rpc-bind samba-client ssh
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
Short of not changing the zones that are supplied with firewalld and
adding a custom zone for enabling nfs or other network services :)
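As an added example that is not part of the thread (neither poster's code): a small POSIX shell checker that reads the text printed by `firewall-cmd --info-zone=<zone>` and reports whether the NFS-related openings match what the thread establishes, namely that an NFSv4-only server needs only 2049/tcp, while rpcinfo, showmount and v3 mounts also need rpcbind (111) and mountd (20048) on both tcp and udp. The expansion of the `rpc-bind`, `mountd` and `nfs` service names to ports is an assumption taken from firewalld's shipped service definitions; it agrees with the rpcinfo listing quoted above. The two zone dumps are constructed samples modelled on the "home" zone in the thread, and the `run` argument, `service_ports`, `effective_ports` and `nfs_zone_check` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the thread: audit a firewalld zone dump for the
# NFS openings discussed above. Input is the text that
# `firewall-cmd --info-zone=<zone>` prints; the two dumps at the bottom are
# constructed samples modelled on the "home" zone in the thread.

# Ports a firewalld service name expands to. Assumed from the service
# definitions shipped in /usr/lib/firewalld/services/*.xml, and consistent
# with the rpcinfo listing in the thread (portmapper 111, mountd 20048,
# nfs 2049/tcp).
service_ports() {
  case "$1" in
    rpc-bind) echo "111/tcp 111/udp" ;;
    mountd)   echo "20048/tcp 20048/udp" ;;
    nfs)      echo "2049/tcp" ;;
    *)        echo "" ;;   # other services open nothing NFS-related
  esac
}

# effective_ports: read a zone dump on stdin and print, one per line, the
# union of the explicit "ports:" entries and the ports implied by the
# NFS-related names on the "services:" line.
effective_ports() {
  awk '
    $1 == "services:" { for (i = 2; i <= NF; i++) print "SVC " $i }
    $1 == "ports:"    { for (i = 2; i <= NF; i++) print "PORT " $i }
  ' | while read -r kind name; do
    if [ "$kind" = "SVC" ]; then
      for p in $(service_ports "$name"); do echo "$p"; done
    else
      echo "$name"
    fi
  done | sort -u
}

# nfs_zone_check MODE: MODE is "v3" (rpcbind and mountd must be reachable for
# rpcinfo, showmount and v3 mounts) or "v4" (an NFSv4-only server needs only
# 2049/tcp, so anything else is exposure without benefit). Reads a zone dump
# on stdin, prints one finding per line and returns 0 when there are none.
nfs_zone_check() {
  mode=${1:-v3}
  ports=$(effective_ports)
  rc=0
  has() { printf '%s\n' "$ports" | grep -qx "$1"; }

  if ! has 2049/tcp; then
    echo "MISSING 2049/tcp: NFSv4 mounts will be refused"; rc=1
  fi

  for p in 111/tcp 111/udp 20048/tcp 20048/udp; do
    if [ "$mode" = v4 ]; then
      if has "$p"; then
        echo "EXTRA $p: not needed for an NFSv4-only server"; rc=1
      fi
    elif ! has "$p"; then
      echo "MISSING $p"; rc=1
    fi
  done

  if [ "$mode" != v4 ]; then
    # The two symptoms reported in the thread.
    if has 111/udp && ! has 111/tcp; then
      echo "  -> 'rpcinfo -p' over tcp fails with 'Permission denied'"
    fi
    if ! has 20048/udp; then
      echo "  -> 'showmount -e' times out"
    fi
  fi

  [ "$rc" -eq 0 ] && echo "OK ($mode)"
  return "$rc"
}

# Constructed samples: the thread's original zone (udp ports only) and the
# corrected one (services instead of ports).
ZONE_PORTS_ONLY='home (active)
  target: default
  interfaces: enp0s8
  services: dhcpv6-client mdns nfs samba-client ssh
  ports: 111/udp 20048/udp'

ZONE_SERVICES='home (active)
  target: default
  interfaces: enp0s8
  services: dhcpv6-client mdns mountd nfs rpc-bind samba-client ssh
  ports:'

# `sh nfs_zone_check.sh run` prints the three verdicts for the samples.
if [ "${1:-}" = run ]; then
  echo "== ports-only zone, v3 expectations"
  printf '%s\n' "$ZONE_PORTS_ONLY" | nfs_zone_check v3 || true
  echo "== services zone, v3 expectations"
  printf '%s\n' "$ZONE_SERVICES" | nfs_zone_check v3 || true
  echo "== services zone, v4-only expectations"
  printf '%s\n' "$ZONE_SERVICES" | nfs_zone_check v4 || true
fi
```

On a live host the same functions take real input with `firewall-cmd --info-zone=home | nfs_zone_check v4`; the v4 mode is the least-privilege view, flagging rpcbind and mountd openings that a v4-only export does not use, while v3 mode reproduces the two failures seen in the thread (udp-only 111 breaking `rpcinfo -p`, missing 20048/udp timing out `showmount -e`).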