On 8/28/19 6:06 PM, Tom H wrote:
> On Wed, Aug 28, 2019 at 9:21 AM Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote:
>
>> [root@f30-k ~]# firewall-cmd --zone=home --add-port=111/udp --permanent
>> [root@f30-k ~]# firewall-cmd --zone=home --add-port=20048/udp --permanent
> Is there a reason why you don't want to enable "111/tcp" and
> "200048/tcp" as "--add-service=rpc-bind" and "--add-service=mountd"
> would?
>
> I could understand adding "111/tcp" only in an nfsv4-only setup
> because nfsv4 is "limited" to tcp, so it makes sense to try to use only
> tcp.

A couple of things. My age/background has me thinking more in "ports" than "services". I've not had any issues in an NFSv4-only environment with defining 111/udp and 20048/udp only. That too is probably an artifact of my background.

> [mountd's not needed on the network in an nfsv4-only setup because
> "showmount ..." doesn't work in such a setup]
>

Not sure that is entirely true.

On the server....

[root@f30-k ~]# grep vers /etc/nfs.conf
# reverse-lookup=n
# vers2=n
vers3=n
# vers4=y
# vers4.0=y
# vers4.1=y
# vers4.2=y

Yet on the client....

[egreshko@meimei ~]$ showmount -e f30k
Export list for f30k:
/home 192.168.1.0/24,2001:B030:112F:0000::/56

And the current testing system has this....

[root@f30-k ~]# firewall-cmd --info-zone=home
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: dhcpv6-client mdns nfs samba-client ssh
  ports: 111/udp 20048/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

And, FWIW, removing 20048/udp results in

[egreshko@meimei ~]$ showmount -e f30k
rpc mount export: RPC: Timed out

But, just now, I did find a good reason for adding 111/tcp and 20048/tcp as without them I get

[egreshko@meimei ~]$ rpcinfo -p f30k
f30k: RPC: Remote system error - Permission denied

And with them it is OK.

[egreshko@meimei ~]$ rpcinfo -p f30k
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  50178  status
    100024    1   tcp  59315  status
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100003    4   tcp   2049  nfs

So, yes, I will need to adjust my thinking a bit and think more "services" than "ports". :-)

And remember to configure this way....

[root@f30-k ~]# firewall-cmd --info-zone=home
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: dhcpv6-client mdns mountd nfs rpc-bind samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

-- 
If simple questions can be answered with a simple google query then why are there so many of them?
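
The ports-versus-services gap described in the message above can be checked mechanically. The following is an added example, not part of the original message: it compares the endpoints in the quoted "rpcinfo -p" output with the port/protocol pairs each zone layout allows. The function name, the variable names and the service-to-port expansions are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: list RPC endpoints registered with the
# portmapper that a firewalld zone's port/protocol pairs do not cover.

# Sample input: the "rpcinfo -p f30k" output quoted in the message above.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  50178  status
    100024    1   tcp  59315  status
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100003    4   tcp   2049  nfs'

# Allowed pairs for the two zone layouts in the message. ASSUMPTION: the
# firewalld service definitions expand to nfs=2049/tcp, rpc-bind=111/tcp+udp,
# mountd=20048/tcp+udp; confirm with "firewall-cmd --info-service=NAME".
PORTS_ONLY="111/udp 20048/udp 2049/tcp"                  # ports: entries + nfs
SERVICES="111/tcp 111/udp 20048/tcp 20048/udp 2049/tcp"  # services: entries only

# Usage: rpcinfo -p | blocked_endpoints "<port/proto> ..."
# Run rpcinfo on the server itself; the message shows the remote query
# failing until 111/tcp is open.
blocked_endpoints() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+$/ {                      # data rows only, skips the header
            key = $4 "/" $3                    # e.g. 111/tcp
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key, $5 }
        }' | sort -t/ -k1,1n -k2,2
}

echo "not covered by the ports-only zone:"
printf '%s\n' "$RPCINFO_SAMPLE" | blocked_endpoints "$PORTS_ONLY"
echo "not covered by the service-based zone:"
printf '%s\n' "$RPCINFO_SAMPLE" | blocked_endpoints "$SERVICES"
```

The two status entries are reported for both layouts because neither zone listing in the message includes their ports.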