On Wed, Aug 28, 2019 at 12:36 PM Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote:
> On 8/28/19 6:06 PM, Tom H wrote:
>> On Wed, Aug 28, 2019 at 9:21 AM Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote:
>>> [root@f30-k ~]# firewall-cmd --zone=home --add-port=111/udp --permanent
>>> [root@f30-k ~]# firewall-cmd --zone=home --add-port=20048/udp --permanent
>>
>> Is there a reason why you don't want to enable "111/tcp" and
>> "20048/tcp" as "--add-service=rpc-bind" and "--add-service=mountd"
>> would?
>>
>> I could understand adding "111/tcp" only in an nfsv4-only setup
>> because nfsv4 is "limited" to tcp, so it makes sense to try to use
>> only tcp.
>
> A couple of things. My age/background has me thinking more in
> "ports" than "services".

Same here. I don't use firewalld or ufw, but I've learned how they
work with "services" out of curiosity (and because I've worked on
servers that've used them). But I prefer "ports".

> I've not had any issues in an NFSv4-only environment with defining
> 111/udp and 20048/udp only. That too is probably an artifact of my
> background.

You must've had nfsv3 running too because nfsv4 is tcp-only.

>> [mountd's not needed on the network in an nfsv4-only setup because
>> "showmount ..." doesn't work in such a setup]
>
> Not sure that is entirely true.
>
> On the server....
>
> [root@f30-k ~]# grep vers /etc/nfs.conf
> # reverse-lookup=n
> # vers2=n
> vers3=n
> # vers4=y
> # vers4.0=y
> # vers4.1=y
> # vers4.2=y
>
> Yet on the client....
>
> [egreshko@meimei ~]$ showmount -e f30k
> Export list for f30k:
> /home 192.168.1.0/24,2001:B030:112F:0000::/56
>
> And the current testing system has this....
>
> [root@f30-k ~]# firewall-cmd --info-zone=home
> home (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: enp0s8
>   sources:
>   services: dhcpv6-client mdns nfs samba-client ssh
>   ports: 111/udp 20048/udp
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> And, FWIW, removing 20048/udp results in
>
> [egreshko@meimei ~]$ showmount -e f30k
> rpc mount export: RPC: Timed out
>
> But, just now, I did find a good reason for adding 111/tcp and
> 20048/tcp, as without them I get
>
> [egreshko@meimei ~]$ rpcinfo -p f30k
> f30k: RPC: Remote system error - Permission denied
>
> And with them it is OK.
>
> [egreshko@meimei ~]$ rpcinfo -p f30k
>    program vers proto   port  service
>     100000    4   tcp    111  portmapper
>     100000    3   tcp    111  portmapper
>     100000    2   tcp    111  portmapper
>     100000    4   udp    111  portmapper
>     100000    3   udp    111  portmapper
>     100000    2   udp    111  portmapper
>     100024    1   udp  50178  status
>     100024    1   tcp  59315  status
>     100005    1   udp  20048  mountd
>     100005    1   tcp  20048  mountd
>     100005    2   udp  20048  mountd
>     100005    2   tcp  20048  mountd
>     100003    4   tcp   2049  nfs
>
> So, yes, I will need to adjust my thinking a bit and think more
> "services" than "ports". :-)

On an nfsv4-only system with its iptables rules flushed, "showmount ..."
doesn't even work locally (because it needs "rpc.mountd").

# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# rpcinfo -s
   program version(s) netid(s)                         service     owner
    100000  2,3,4     local,udp,tcp,udp6,tcp6          portmapper  superuser
    100003  4         tcp6,tcp                         nfs         superuser

# cat /etc/exports
/srv 192.168.0.0/24(rw,sync,no_root_squash)

# exportfs
/srv            192.168.0.0/24

# cat /var/lib/nfs/etab
/srv    192.168.0.0/24(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,rw,secure,no_root_squash,no_all_squash)

# showmount -e
clnt_create: RPC: Program not registered

# mount 192.168.0.127:/srv /mnt

# findmnt /mnt
TARGET SOURCE             FSTYPE OPTIONS
/mnt   192.168.0.127:/srv nfs4   rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.0.127,local_lock=none,addr=192.168.0.127

# cat /var/lib/nfs/rmtab

# showmount -d
clnt_create: RPC: Program not registered
#

> And remember to configure this way....
>
> [root@f30-k ~]# firewall-cmd --info-zone=home
> home (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: enp0s8
>   sources:
>   services: dhcpv6-client mdns mountd nfs rpc-bind samba-client ssh
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:

Short of not changing the zones that are supplied with firewalld and
adding a custom zone for enabling nfs or other network services :)
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
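An added helper, not part of the thread above, for the check the thread keeps circling: read an `rpcinfo -p` listing, report which port/protocol pairs the RPC programs actually listen on, and flag whether mountd is registered at all (which it is only when NFSv3 is still served, since an NFSv4-only server needs just 2049/tcp). The function names `rpc_ports` and `mountd_registered` are my own; the embedded listing is a constructed copy of the `rpcinfo -p f30k` output Ed posted, so the script runs offline.

```shell
#!/bin/sh
# Constructed sample: the `rpcinfo -p f30k` listing from the thread, embedded as a constant.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  50178  status
    100024    1   tcp  59315  status
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100003    4   tcp   2049  nfs'

# rpc_ports SERVICE...: print the distinct port/proto pairs used by the named
# services, reading `rpcinfo -p` text on stdin (columns: program vers proto port service).
# Compare the result with the "ports:"/"services:" lines of `firewall-cmd --info-zone=ZONE`.
rpc_ports() {
  awk -v want="$*" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
    NR > 1 && ($5 in keep) {
      pair = $4 "/" $3
      if (!(pair in seen)) { seen[pair] = 1; print pair }
    }'
}

# mountd_registered: exit 0 if program 100005 (mountd) is registered with rpcbind.
# If it is, the server is not NFSv4-only and clients need rpc-bind and mountd reachable
# for showmount/rpcinfo to work; if it is not, opening 20048 buys nothing.
mountd_registered() {
  awk 'NR > 1 && $1 == "100005" { found = 1 } END { exit (found ? 0 : 1) }'
}

# What an NFSv4-only policy has to open: the nfs program, tcp only.
printf '%s\n' "$RPCINFO_SAMPLE" | rpc_ports nfs
# What an NFSv3-capable server additionally exposes (rpc-bind and mountd services).
printf '%s\n' "$RPCINFO_SAMPLE" | rpc_ports portmapper mountd
if printf '%s\n' "$RPCINFO_SAMPLE" | mountd_registered; then
  echo "mountd is registered: NFSv3 is still being served on this host"
fi
```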