nfs trouble



pierods
11th October 2017, 10:59 AM
I activated nfs on my machine:

showmount -e localhost
Export list for localhost:
/home/data/incoming 192.168.1.11/255.255.255.0

and added "nfs" to the firewall rules.

When trying the same from the allowed remote machine (192.168.1.11):

showmount -e 192.168.1.6
,,,errno 113 (No route to host)

if I disable the firewall on my server:

showmount -e 192.168.1.6
Export list for 192.168.1.6:
/home/data/incoming 192.168.1.11/255.255.255.0

When observing traffic, I get:

tcpdump -nn host 192.168.1.11
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp6s0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:56:49.144329 IP 192.168.1.11.47233 > 192.168.1.6.111: UDP, length 56
11:56:49.144396 IP 192.168.1.6 > 192.168.1.11: ICMP host 192.168.1.6 unreachable - admin prohibited, length 92
11:56:49.146985 IP 192.168.1.11.56333 > 192.168.1.6.111: UDP, length 56
11:56:49.147019 IP 192.168.1.6 > 192.168.1.11: ICMP host 192.168.1.6 unreachable - admin prohibited, length 92

So it looks like I should allow icmp traffic - how to do that?

What's bizarre is that I can ping the client from the server, no problem:

ping 192.168.1.6
64 bytes...etc

What's wrong with my firewall config?

Thanks

HaydnH
11th October 2017, 11:13 AM
For starters, see "5. How to Block and Enable ICMP" here: https://www.tecmint.com/firewalld-rules-for-centos-7/2/

pierods
11th October 2017, 11:24 AM
Well...

firewall-cmd --zone=FedoraWorkstation --query-icmp-block=echo-reply

no


If you get ‘no‘, that means there isn’t any icmp block applied, let’s enable (block) icmp.

firewall-cmd --get-icmptypes

address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option


So if icmp is not blocked, how come packets are not going through?

Kobuck
11th October 2017, 01:35 PM
I get the same message on the client end even though my NFS setup is operating successfully. I also recall that getting NFS operational was not completely straightforward. I last set the environment up way back in F21 or so and have not had to mess with it since.


$ showmount -e bilbo
clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)


I know I had "showmount" working once, but it does not seem to affect NFS operation when it isn't working.



Couple things to check:

Did you run the "exportfs" command after editing the "/etc/exports/" file on the server?

If selinux is in enforcing mode check that the desired "nfs_export" booleans are set.


# getsebool -a | less
...
nfs_export_all_ro --> on
nfs_export_all_rw --> on
...

pierods
11th October 2017, 02:11 PM
tried everything - no access.

more specifically:

firewall-cmd --zone=FedoraWorkstation --query-icmp-block=host-prohibited
no

pierods
11th October 2017, 02:24 PM
All right, I got it...

When you check "nfs" under firewall/services, it does not, incredibly, open 111tcp/udp and 2049 tcp/udp.

Fedora 26 is bug paradise...
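
Added example, not part of the original thread: the "admin prohibited" ICMP lines in the capture are the firewall's own reject reply to the packet just before them, so pairing each reply with the preceding request shows which port was refused (here 111/udp, the port mapper that showmount contacts first). The script below does that pairing on the tcpdump lines from the first post and prints a firewalld rich rule limited to the requesting client; the function names and the choice of a per-client rich rule are assumptions of this example.

```shell
#!/bin/sh
# Added example. CAPTURE holds the four tcpdump lines quoted in the first post.
CAPTURE='11:56:49.144329 IP 192.168.1.11.47233 > 192.168.1.6.111: UDP, length 56
11:56:49.144396 IP 192.168.1.6 > 192.168.1.11: ICMP host 192.168.1.6 unreachable - admin prohibited, length 92
11:56:49.146985 IP 192.168.1.11.56333 > 192.168.1.6.111: UDP, length 56
11:56:49.147019 IP 192.168.1.6 > 192.168.1.11: ICMP host 192.168.1.6 unreachable - admin prohibited, length 92'

# Read `tcpdump -nn` text (IPv4 only) on stdin and print "client port/proto"
# once for each request the server answered with ICMP admin-prohibited.
rejected_ports() {
  awk '
    # Request line: remember the last destination port per client/server pair.
    $2 == "IP" && $4 == ">" && $6 != "ICMP" {
      dst = $5; sub(/:$/, "", dst)
      if (split($3, s, ".") != 5 || split(dst, d, ".") != 5) next
      src_ip = s[1] "." s[2] "." s[3] "." s[4]
      dst_ip = d[1] "." d[2] "." d[3] "." d[4]
      proto = ($6 == "UDP,") ? "udp" : "tcp"
      last[src_ip ">" dst_ip] = src_ip " " d[5] "/" proto
      next
    }
    # Reject line: server -> client, so the matching request is client -> server.
    $6 == "ICMP" && /admin prohibited/ {
      to = $5; sub(/:$/, "", to)
      key = to ">" $3
      if (key in last && !seen[last[key]]++) print last[key]
    }'
}

# Turn each rejected port into a firewall-cmd line that admits only that client.
# Ports 111 and 2049 map to the firewalld services rpc-bind and nfs.
suggest() {
  zone=$1
  rejected_ports | while IFS=' /' read -r src port proto; do
    case $port in
      111)  what='service name="rpc-bind"' ;;
      2049) what='service name="nfs"' ;;
      *)    what="port port=\"$port\" protocol=\"$proto\"" ;;
    esac
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" %s accept'\n" \
      "$zone" "$src" "$what"
  done
}

printf '%s\n' "$CAPTURE" | suggest FedoraWorkstation
```

The script only prints the command; after applying a `--permanent` rule run `firewall-cmd --reload`, then repeat the capture to see whether another port is now being rejected.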