On Wed, Aug 28, 2019 at 12:36 PM Ed Greshko ed.greshko@greshko.com wrote:
On 8/28/19 6:06 PM, Tom H wrote:
On Wed, Aug 28, 2019 at 9:21 AM Ed Greshko ed.greshko@greshko.com wrote:
[root@f30-k ~]# firewall-cmd --zone=home --add-port=111/udp --permanent
[root@f30-k ~]# firewall-cmd --zone=home --add-port=20048/udp --permanent
Is there a reason why you don't want to enable "111/tcp" and "20048/tcp" as "--add-service=rpc-bind" and "--add-service=mountd" would?
I could understand adding "111/tcp" only in an nfsv4-only setup because nfsv4 is "limited" to tcp, so it makes sense to try to use only tcp.
A couple of things. My age/background has me thinking more in "ports" than "services".
Same here. I don't use firewalld or ufw, but I've learned how they work with "services" out of curiosity (and because I've worked on servers that've used them). But I prefer "ports".
I've not had any issues in an NFSv4-only environment with defining 111/udp and 20048/udp only. That too is probably an artifact of my background.
You must've had nfsv3 running too because nfsv4 is tcp-only.
[mountd's not needed on the network in an nfsv4-only setup because "showmount ..." doesn't work in such a setup]
Not sure that is entirely true.
On the server....
[root@f30-k ~]# grep vers /etc/nfs.conf
# reverse-lookup=n
# vers2=n
vers3=n
# vers4=y
# vers4.0=y
# vers4.1=y
# vers4.2=y
Yet on the client....
[egreshko@meimei ~]$ showmount -e f30k
Export list for f30k:
/home 192.168.1.0/24,2001:B030:112F:0000::/56
And the current testing system has this....
[root@f30-k ~]# firewall-cmd --info-zone=home
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: dhcpv6-client mdns nfs samba-client ssh
  ports: 111/udp 20048/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
And, FWIW, removing 20048/udp results in
[egreshko@meimei ~]$ showmount -e f30k
rpc mount export: RPC: Timed out
But, just now, I did find a good reason for adding 111/tcp and 20048/tcp as without them I get
[egreshko@meimei ~]$ rpcinfo -p f30k
f30k: RPC: Remote system error - Permission denied
And with them it is OK.
[egreshko@meimei ~]$ rpcinfo -p f30k
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  50178  status
    100024    1   tcp  59315  status
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100003    4   tcp   2049  nfs
So, yes, I will need to adjust my thinking a bit and think more "services" than "ports". :-)
On an nfsv4-only system with its iptables rules flushed, "showmount ..." doesn't even work locally (because it needs "rpc.mountd").
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# rpcinfo -s
   program version(s) netid(s)                         service     owner
    100000  2,3,4     local,udp,tcp,udp6,tcp6          portmapper  superuser
    100003  4         tcp6,tcp                         nfs         superuser

# cat /etc/exports
/srv 192.168.0.0/24(rw,sync,no_root_squash)

# exportfs
/srv            192.168.0.0/24

# cat /var/lib/nfs/etab
/srv    192.168.0.0/24(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,rw,secure,no_root_squash,no_all_squash)

# showmount -e
clnt_create: RPC: Program not registered

# mount 192.168.0.127:/srv /mnt

# findmnt /mnt
TARGET SOURCE             FSTYPE OPTIONS
/mnt   192.168.0.127:/srv nfs4   rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.0.127,local_lock=none,addr=192.168.0.127

# cat /var/lib/nfs/rmtab

# showmount -d
clnt_create: RPC: Program not registered

#
And remember to configure this way....
[root@f30-k ~]# firewall-cmd --info-zone=home
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: dhcpv6-client mdns mountd nfs rpc-bind samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Short of not changing the zones that are supplied with firewalld and adding a custom zone for enabling nfs or other network services :)
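As an added example (not part of this thread), a small shell check that parses the "firewall-cmd --info-zone" dump format shown above and reports which NFS-related openings a zone has, so an NFSv4-only server can be confirmed to expose only 2049/tcp while rpcbind and mountd stay closed. The zone texts are constructed samples; the port numbers are those of firewalld's stock rpc-bind, mountd and nfs service definitions.

```shell
#!/bin/sh
# Audit a firewalld zone dump for NFS-related openings.
# Ports follow firewalld's stock service files (assumed, not from the thread):
#   rpc-bind = 111/tcp+udp, mountd = 20048/tcp+udp, nfs = 2049/tcp.

# Constructed sample of "firewall-cmd --info-zone=home" output (not a real capture).
SAMPLE_ZONE='home (active)
  target: default
  interfaces: enp0s8
  services: dhcpv6-client mdns mountd nfs rpc-bind samba-client ssh
  ports: 111/udp 20048/udp
  protocols:
  rich rules:'

# Constructed zone for an NFSv4-only server: nothing but the nfs service.
V4_ONLY_ZONE='home (active)
  services: nfs ssh
  ports:'

# nfs_exposure ZONE_TEXT
# Prints one sorted line per NFS-related opening found on the services: and ports: lines.
nfs_exposure() {
    printf '%s\n' "$1" | awk '
        $1 == "services:" { for (i = 2; i <= NF; i++) svc[$i] = 1 }
        $1 == "ports:"    { for (i = 2; i <= NF; i++) port[$i] = 1 }
        END {
            if ("nfs" in svc)      print "nfs service (2049/tcp)"
            if ("rpc-bind" in svc) print "rpc-bind service (111/tcp+udp)"
            if ("mountd" in svc)   print "mountd service (20048/tcp+udp)"
            for (p in port) if (p ~ /^(111|20048|2049)\//) print "raw port " p
        }' | sort
}

# nfsv4_only_minimum ZONE_TEXT
# Exits 0 when the zone opens nothing NFS-related beyond 2049/tcp, which is all an
# NFSv4-only server needs; rpcbind and mountd are only required by NFSv3 clients
# and by "showmount", so anything else is extra reachable surface.
nfsv4_only_minimum() {
    if nfs_exposure "$1" | grep -v '2049/tcp' | grep -q .; then
        return 1
    fi
    return 0
}

nfs_exposure "$SAMPLE_ZONE"
if nfsv4_only_minimum "$SAMPLE_ZONE"; then
    echo "only what NFSv4 needs is open"
else
    echo "rpcbind/mountd also reachable: only needed for NFSv3 or showmount"
fi
```

Feed it the real dump with `nfs_exposure "$(firewall-cmd --info-zone=home)"` on a host where firewalld is running.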