On 8/28/19 6:06 PM, Tom H wrote:
On Wed, Aug 28, 2019 at 9:21 AM Ed Greshko ed.greshko@greshko.com wrote:
[root@f30-k ~]# firewall-cmd --zone=home --add-port=111/udp --permanent
[root@f30-k ~]# firewall-cmd --zone=home --add-port=20048/udp --permanent
Is there a reason why you don't want to enable "111/tcp" and "20048/tcp" as "--add-service=rpc-bind" and "--add-service=mountd" would?
I could understand adding "111/tcp" only in an nfsv4-only setup because nfsv4 is "limited" to tcp, so it makes sense to try to use only tcp.
A couple of things. My age/background has me thinking more in "ports" than "services". I've not had any issues in an NFSv4-only environment with defining 111/udp and 20048/udp only. That too is probably an artifact of my background.
[mountd's not needed on the network in an nfsv4-only setup because "showmount ..." doesn't work in such a setup]
Not sure that is entirely true.
On the server....
[root@f30-k ~]# grep vers /etc/nfs.conf
# reverse-lookup=n
# vers2=n
vers3=n
# vers4=y
# vers4.0=y
# vers4.1=y
# vers4.2=y
Yet on the client....
[egreshko@meimei ~]$ showmount -e f30k
Export list for f30k:
/home 192.168.1.0/24,2001:B030:112F:0000::/56
And the current testing system has this....
[root@f30-k ~]# firewall-cmd --info-zone=home
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: dhcpv6-client mdns nfs samba-client ssh
  ports: 111/udp 20048/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
And, FWIW, removing 20048/udp results in
[egreshko@meimei ~]$ showmount -e f30k
rpc mount export: RPC: Timed out
But, just now, I did find a good reason for adding 111/tcp and 20048/tcp as without them I get
[egreshko@meimei ~]$ rpcinfo -p f30k
f30k: RPC: Remote system error - Permission denied
And with them it is OK.
[egreshko@meimei ~]$ rpcinfo -p f30k
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  50178  status
    100024    1   tcp  59315  status
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100003    4   tcp   2049  nfs
So, yes, I will need to adjust my thinking a bit and think more "services" than "ports". :-)
And remember to configure this way....
[root@f30-k ~]# firewall-cmd --info-zone=home
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: dhcpv6-client mdns mountd nfs rpc-bind samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
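The thread's lesson is that "111/udp 20048/udp" looks complete but leaves the TCP side of portmapper and mountd closed, which is exactly what the failing "rpcinfo -p" (a TCP query) exposed, while the services rpc-bind and mountd open both protocols. The script below is an added example, not part of the thread, that audits a pasted "firewall-cmd --info-zone" dump for the port/protocol pairs an NFSv4 export needs, expanding service names to ports so that either way of opening them counts. The two zone dumps are constructed from the thread's output; the service-to-port map is an assumption taken from the rpcinfo listing above (the authoritative definitions are firewalld's own service XML files), and the function names are the example's own.

```bash
#!/bin/bash
# Audit a firewalld zone dump for NFSv4 reachability over both TCP and UDP.
# Added example; not code from the mailing-list thread.

# Constructed sample: the UDP-only zone from the thread (ports, no rpc services).
ZONE_UDP_ONLY='home (active)
  target: default
  interfaces: enp0s8
  services: dhcpv6-client mdns nfs samba-client ssh
  ports: 111/udp 20048/udp
  protocols:
  rich rules:'

# Constructed sample: the corrected zone that opens rpc-bind and mountd as services.
ZONE_SERVICES='home (active)
  target: default
  interfaces: enp0s8
  services: dhcpv6-client mdns mountd nfs rpc-bind samba-client ssh
  ports:
  protocols:
  rich rules:'

# Assumed expansion of firewalld service names to port/proto pairs, derived from
# the rpcinfo output in the thread; the real definitions are the XML files under
# /usr/lib/firewalld/services/. Unknown services expand to nothing.
service_ports() {
  case "$1" in
    rpc-bind) echo "111/tcp 111/udp" ;;
    mountd)   echo "20048/tcp 20048/udp" ;;
    nfs)      echo "2049/tcp" ;;
    *) ;;
  esac
}

# Print every port/proto pair the zone opens, one per line, whether it was
# opened explicitly under "ports:" or implicitly through a name under "services:".
zone_open_ports() {
  local dump="$1" svc
  printf '%s\n' "$dump" | awk '$1 == "ports:" { for (i = 2; i <= NF; i++) print $i }'
  for svc in $(printf '%s\n' "$dump" | awk '$1 == "services:" { for (i = 2; i <= NF; i++) print $i }'); do
    service_ports "$svc" | tr ' ' '\n'
  done
}

# Return (on stdout) the NFSv4-relevant port/proto pairs the zone does NOT open.
# Empty output means portmapper, mountd and nfs are reachable over both protocols.
nfs_missing() {
  local open req missing=""
  open=" $(zone_open_ports "$1" | tr '\n' ' ') "
  for req in 111/tcp 111/udp 20048/tcp 20048/udp 2049/tcp; do
    case "$open" in
      *" $req "*) ;;
      *) missing="$missing $req" ;;
    esac
  done
  echo "${missing# }"
}

# Stand-alone run: report on both constructed zones.
# With a live system, feed it: nfs_missing "$(firewall-cmd --info-zone=home)"
for name in ZONE_UDP_ONLY ZONE_SERVICES; do
  eval "dump=\$$name"
  gap=$(nfs_missing "$dump")
  if [ -n "$gap" ]; then
    echo "$name: missing $gap (TCP-only clients such as 'rpcinfo -p' will fail)"
  else
    echo "$name: all NFSv4 port/protocol pairs are open"
  fi
done
```

Run against a real host, the missing list is the set of pairs to add; opening them as services rather than raw ports keeps the zone self-describing, which is the point the thread arrives at.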