At 02:38 AM 5/15/2009, Frank Steiner wrote: >Tom Talpey wrote > >> The very best solution, by the way, would be to use NFSv4. It has no >> side protocols, and therefore no UDP issue. It does have a callback >> connection from the server to the client, but is done with TCP and is >> configurable. > >I've indeed switched our through-firewall-nfsservers to NFSv4 and >the problems are gone. Thanks a lot for pointing me there! >I only open port 2049/tcp and everything works. Great! If you want the full NFSv4 benefit, you'll also need to enable delegation callbacks, which requires a TCP port in the other direction. This port is chosen by the client, but the server makes the connection, so you'll need to configure it in both the client and the firewall. The port is set by an NFS sysctl parameter named "nfs_callback_tcpport", which by default is 0 (any). You'll need to set it to some value with sysctl -w fs.nfs.nfs_callback_tcpport = <value> and also in your firewall from the server->client. The range is 0 to 65535, you can choose any convenient unused value (e.g. 2050). BTW when NFSv4.1 is in use, this reverse connection will no longer occur. But that's a ways off in the distribution kernels. >However, I still see blocked connections on the firewall, coming from >the NFS client to the NFS server: >...PROTO=TCP SPT=55598 DPT=111... >rpcinfo tells me the portmapper is running at port 111 (udp and tcp). > >I didn't find a clear statement when googling if that should happen >with NFSv4 or not. It doesn't seem to block the NFS share in any way, >at least as far as I can see. It could be any number of things, but probably harmless and properly ignored for NFSv4. I will guess it's something to do with the SLES11 client and other daemons. Can you capture a trace of these messages with wireshark? The contents of the portmapper request the client is sending will tell us exactly what services it's trying to resolve. Alternatively you could turn on kernel portmap debug and watch the log. I'm not sure if SLES11 has the "rpcdebug" command installed, but if so, on the client you could try rpcdebug -m rpc -s bind then watch the syslog. >I wouldn't mind to open tcp port 111 to the NFS server. I'm just curios >if that behaviour is correct or not with NFSv4. It's not part of NFSv4. But it could be a side effect of the client NFS implementation, which also supports v2 and v3 plus NSM, NLM, etc etc. Tom. ------------------------------------------------------------------------------ Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects _______________________________________________ NFS maillist - NFS@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/nfs _______________________________________________ Please note that nfs@xxxxxxxxxxxxxxxxxxxxx is being discontinued. Please subscribe to linux-nfs@xxxxxxxxxxxxxxx instead. http://vger.kernel.org/vger-lists.html#linux-nfs -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
