On 11/17/19 9:42 PM, Patrick O'Callaghan wrote:
On Sun, 2019-11-17 at 08:48 +0800, Ed Greshko wrote:
> On 11/17/19 8:35 AM, Ed Greshko wrote:
>> On 11/17/19 2:48 AM, Patrick O'Callaghan wrote:
>>> But from the guest:
>>> [poc@fedora30 ~]$ showmount -e bree
>>> clnt_create: RPC: Unable to receive
>>>
>>> What am I missing?
>> OK, I put up an nfs server on the host and get the same error.
>>
>> If I disable the firewall on the host, it succeeds.
>>
>> Strangely, looking at wireshark output it seems port 111 is unreachable. Even if I explicitly enable that port
>> the problem persists.
>>
> OK, I fixed it....
>
> I put the interface virbr0 in the FW zone libvirt.
>
> On the host...
>
> [root@meimei ~]# firewall-cmd --list-all --zone=libvirt
> libvirt (active)
> target: ACCEPT
> icmp-block-inversion: no
> interfaces: virbr0
> sources:
> services: dhcp dhcpv6 dns mountd nfs nfs3 rpc-bind ssh tftp
> ports:
> protocols: icmp ipv6-icmp
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
> rule priority="32767" reject
That did it. In fact virbr0 was already in the libvirt zone, but the
various NFS services were not installed there.
This stuff is definitely not obvious. Note that you have to repeat the
service additions with the --permanent flag or it will all be lost on
the next reboot.
Thanks Ed.
Welcome. In the process I learned that "firewall-cmd --get-active-zones" would have
shown the missing information sooner and I would have edited the correct zone. :-)
--
The key to getting good answers is to ask good questions.
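
The fix discussed in this thread, as an added example that is not part of the original messages: a script that reads a zone listing, reports which of the NFS-related services from Ed's working libvirt zone are absent, and adds them to both the runtime and the permanent configuration. The function names, the --apply switch and the sample listing are made up for this sketch.

```shell
#!/bin/sh
# Added example, not code from the thread. The service names come from the
# working libvirt zone listing above; everything else here is hypothetical.
NFS_SERVICES="rpc-bind mountd nfs nfs3"

# Read `firewall-cmd --list-all --zone=ZONE` output on stdin and print the
# NFS-related services that the zone's "services:" line does not contain.
missing_nfs_services() {
    enabled=$(sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    missing=""
    for svc in $NFS_SERVICES; do
        case " $enabled " in
            *" $svc "*) ;;                    # whole-word match: nfs3 is not nfs
            *) missing="$missing $svc" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Find the zone that holds the bridge interface and add whatever is missing,
# once for the running firewall and once with --permanent so it survives a reboot.
open_nfs_for_interface() {
    iface=$1
    zone=$(firewall-cmd --get-zone-of-interface="$iface") || return 1
    for svc in $(firewall-cmd --list-all --zone="$zone" | missing_nfs_services); do
        firewall-cmd --zone="$zone" --add-service="$svc"
        firewall-cmd --permanent --zone="$zone" --add-service="$svc"
    done
    firewall-cmd --list-all --zone="$zone"
}

# Constructed sample: a libvirt zone as it might look before the NFS services
# were added (not output captured from either machine in the thread).
SAMPLE_ZONE='libvirt (active)
  target: ACCEPT
  interfaces: virbr0
  services: dhcp dhcpv6 dns ssh tftp'

# Only touch the firewall when asked to: sh nfs-zone.sh --apply virbr0
if [ "${1:-}" = "--apply" ]; then
    open_nfs_for_interface "${2:-virbr0}"
else
    printf 'sample zone is missing: '
    printf '%s\n' "$SAMPLE_ZONE" | missing_nfs_services
fi
```

Run without arguments it only analyses the constructed sample; with --apply it needs root on the host that exports the NFS shares.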