[SOLVED] firewalld inhibits nfs
FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    May 2010
    Posts
    1,058

    firewalld inhibits nfs

    This is weird.

    # firewall-cmd --add-service=nfs
    # firewall-cmd --list-services
    mdns dhcpv6-client nfs ssh

    Yet when I try to connect from a client, the client says the connection is refused, with socket error 61. But if I run systemctl stop firewalld.service, I'm immediately able to connect. Huh?

  2. #2
    Join Date
    Oct 2006
    Location
    CN99CF Agassiz BC Canada
    Posts
    397

    Re: firewalld inhibits nfs

    It sounds like you do not have the NFS4 port 2049/tcp open. Check your firewall configuration to open the port.
    Code:
    system-config-firewall
    Attached thumbnail: Screenshot from 2013-01-28 14:23:34.png
    Last edited by jims; 28th January 2013 at 11:31 PM. Reason: typo

  3. #3
    Join Date
    May 2010
    Posts
    1,058

    Re: firewalld inhibits nfs

    Quote Originally Posted by jims
    It sounds like you do not have the NFS4 port 2049/tcp open. Check your firewall configuration to open the port.
    Code:
    system-config-firewall
    Not using GUI. For listed services there is only nfs, not an nfs4. So possibly the command line configuration utility is lacking an nfs4 specific service to add, and needs to be created?

  4. #4
    Join Date
    Oct 2006
    Location
    CN99CF Agassiz BC Canada
    Posts
    397

    Re: firewalld inhibits nfs

    /etc/services lists it as NFS on 2049/tcp. The GUI calls it NFS4 on 2049/tcp. Enabling NFS 2049/tcp using the CLI should work.
    Sorry about causing the confusion. I should have noticed your use of CLI.
    Last edited by jims; 29th January 2013 at 01:05 AM. Reason: typo

  5. #5
    Join Date
    May 2010
    Posts
    1,058

    Re: firewalld inhibits nfs

    I think maybe you're thinking of Fedora 17's firewall. This is on Fedora 18, I didn't mention that, so this is firewalld.

    When I systemctl isolate graphical.target and get the Firewall application running, it looks like this, and NFS is selected. Yet it's not letting me through.
    Attached thumbnail: Screenshot from 2013-01-28 17:49:39.png

  6. #6
    Join Date
    Oct 2006
    Location
    CN99CF Agassiz BC Canada
    Posts
    397

    Re: firewalld inhibits nfs

    You are correct. I was approaching things in the context of the F17 firewall. However in F18, your firewall should still have port 2049 open. Take a look at ports and see if this is the case. Your thumbnail showed services.

  7. #7
    Join Date
    May 2010
    Posts
    1,058

    Re: firewalld inhibits nfs

    Quote Originally Posted by jims
    You are correct. I was approaching things in the context of the F17 firewall. However in F18, your firewall should still have port 2049 open. Take a look at ports and see if this is the case. Your thumbnail showed services.
    Services enables all needed ports for that service, it just doesn't show this, which is one of my frustrations with firewalld. I can't tell what each service does.

    Ports contains no listed ports. If I enable all services, still no listed ports in Ports. Obviously ports are open or things like sshd and mdns wouldn't work, yet they do.

    If I manually add 2049/tcp, still doesn't work. If I add 2049/udp, still doesn't work. I've added 111 tcp and udp and every old NFS and RPC port I can find. Still doesn't work.

    Only if I disable firewalld does it work. So it's clearly blocking something that the client wants. I just don't know what it wants.
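
The check below is an added example, not something posted in the thread: it lists the ports a firewalld service definition opens and the RPC programs registered on the server that stay unreachable through them. An NFSv3 mount contacts portmapper and mountd before it ever reaches 2049/tcp. The service XML and the `rpcinfo -p` listing are constructed samples, and `service_ports` and `blocked_rpc` are hypothetical helper names.

```sh
#!/bin/sh
# Added example: constructed inputs, hypothetical helper names.

# Constructed firewalld service definition (real files live in
# /usr/lib/firewalld/services/<name>.xml).
NFS_SERVICE_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>NFS4</short>
  <port protocol="tcp" port="2049"/>
</service>'

# Constructed `rpcinfo -p` listing from an NFS server; the mountd and
# nlockmgr ports are made up and are typically assigned dynamically.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    4   tcp  43211  nlockmgr'

# Print "port/proto" for each <port .../> element, in either attribute order.
service_ports() {
    printf '%s\n' "$1" | grep '<port ' | while IFS= read -r line; do
        port=$(printf '%s' "$line" | sed -n 's/.* port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s' "$line" | sed -n 's/.* protocol="\([^"]*\)".*/\1/p')
        if [ -n "$port" ] && [ -n "$proto" ]; then
            printf '%s/%s\n' "$port" "$proto"
        fi
    done
}

# Print "service port/proto" for every registered RPC program whose port is
# not in the allowed list ($2, whitespace-separated port/proto entries).
blocked_rpc() {
    allowed=$(printf '%s' "$2" | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+$/ {
            key = $4 "/" $3
            if (!(key in ok) && !seen[$5 " " key]++) print $5, key
        }'
}

# With only the nfs service enabled, everything NFSv3 needs besides 2049/tcp
# is listed as blocked; an NFSv4 mount uses 2049/tcp alone.
blocked_rpc "$RPCINFO_SAMPLE" "$(service_ports "$NFS_SERVICE_XML")"
```

On a real server, feed it the contents of the installed service file and the live output of `rpcinfo -p` instead of the samples.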

  8. #8
    Join Date
    Aug 2009
    Posts
    8,486

    Re: firewalld inhibits nfs

    Now that is interesting.

    I didn't have to do anything on the client machines here as far as the firewall. I just opened the ports on the server, and the clients are configured just like on a fresh install, and I can mount nfs shares.

    Code:
    192.168.1.11:/Drive_I on /mnt/tower11/Drive_I type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.20,local_lock=none,addr=192.168.1.11)
    192.168.1.11:/Drive_C on /mnt/tower11/Drive_C type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.20,local_lock=none,addr=192.168.1.11)
    192.168.1.11:/Drive_D on /mnt/tower11/Drive_D type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.20,local_lock=none,addr=192.168.1.11)
    192.168.1.11:/Drive_E on /mnt/tower11/Drive_E type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.20,local_lock=none,addr=192.168.1.11)
    192.168.1.11:/Drive_F on /mnt/tower11/Drive_F type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.20,local_lock=none,addr=192.168.1.11)
    192.168.1.11:/Drive_G on /mnt/tower11/Drive_G type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.20,local_lock=none,addr=192.168.1.11)
    192.168.1.11:/Drive_H on /mnt/tower11/Drive_H type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.20,local_lock=none,addr=192.168.1.11)
    Code:
    [root@tower20 samba]# firewall-cmd --list-services
    mdns ipp-client dhcpv6-client ipp ssh

  9. #9
    Join Date
    May 2010
    Posts
    1,058

    Re: firewalld inhibits nfs

    This is an OS X client, but a current one. The man page for mount_nfs says default is TCP, but lovely enough it says NFSv3 is tried first. But even with

    # sudo mount_nfs -o vers=4,tcp,rw 192.168.1.109:/export/back /Volumes/NFS

    I still get a refusal.

  10. #10
    Join Date
    Aug 2009
    Posts
    8,486

    Re: firewalld inhibits nfs

    I mounted mine in my /etc/fstab using the following:

    Code:
    192.168.1.11:/								/mnt/tower11			nfs		defaults,nfsvers=4,comment=systemd.mount,_netdev
    That mounted all of my nfs shares as I had them set up on the server using fsid=0, etc...

  11. #11
    Join Date
    May 2010
    Posts
    1,058

    Re: firewalld inhibits nfs

    Yeah, server side I'm using fsid=0 also. Color me surprised that OS X is doing something different. But I'd expect it to be similar to BSD in this regard, not like something crazy different.

    I suppose what I need to do is get a list of open ports; disable the firewall and connect with the client, then get another list of ports, and find out what's being opened that wasn't open before.

  12. #12
    Join Date
    Aug 2009
    Posts
    8,486

    Re: firewalld inhibits nfs

    That is about the best thing I can think of as well, especially since I am unfamiliar with OS X.

  13. #13
    Join Date
    May 2010
    Posts
    1,058

    Re: firewalld inhibits nfs

    OK so this is with firewalld disabled:

    Code:
    # sudo mount_nfs -o vers=4 192.168.1.109:/export/back /Volumes/NFS
    mount_nfs: can't mount /export/back from 192.168.1.109 onto /Volumes/NFS: No such file or directory
    
    # sudo mount_nfs -o 192.168.1.109:/export/back /Volumes/NFS
    #
    So the 2nd one works. The only difference is v4 is missing. Meanwhile journalctl -n reports this for the successful NFSv3 case:

    Code:
    Jan 28 19:24:48 f18s rpc.mountd[3323]: authenticated mount request from 192.168.1.120:1004 for /export/back (/export/back)
    Jan 28 19:25:02 f18s rpc.mountd[3323]: authenticated unmount request from 192.168.1.120:1003 for /export/back (/export/back)
    Jan 28 19:26:32 f18s rpc.mountd[3323]: authenticated mount request from 192.168.1.120:1001 for /export/back (/export/back)
    Jan 28 19:26:40 f18s rpc.mountd[3323]: authenticated unmount request from 192.168.1.120:1000 for /export/back (/export/back)
    Jan 28 19:29:02 f18s rpc.mountd[3323]: authenticated mount request from 192.168.1.120:994 for /export/back (/export/back)
    Jan 28 19:29:09 f18s rpc.mountd[3323]: authenticated unmount request from 192.168.1.120:993 for /export/back (/export/back)
    Jan 28 19:29:26 f18s rpc.mountd[3323]: authenticated mount request from 192.168.1.120:992 for /export/back (/export/back)
    Jan 28 19:29:32 f18s rpc.mountd[3323]: authenticated unmount request from 192.168.1.120:991 for /export/back (/export/back)
    So the connections are being made on completely different ports every single time, so I need a flag to use one port. This one hangs:
    Code:
    sudo mount_nfs -o mountport=4003 192.168.1.109:/export/back /Volumes/NFS
    This one is refused:
    Code:
    sudo mount_nfs -o port=4003 192.168.1.109:/export/back /Volumes/NFS
    So I actually can't figure out how to get the client to connect with a specific port so that a firewall can also be used at the same time.

    ---------- Post added at 08:58 PM ---------- Previous post was at 07:46 PM ----------

    Aha, so this is wrong:
    Code:
    sudo mount_nfs -o vers=4 192.168.1.109:/export/back /Volumes/NFS
    For NFSv4 you don't specify the share that was exported, but rather just 192.168.1.109:/ because on the server /export is set as fsid=0 so that is the root. And "back" appears within.

    And this connects through the firewall!

    So now I just have to deal with the user mappings and permissions, YUCK.
    Last edited by chrismurphy; 29th January 2013 at 05:01 AM.
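
The path translation described in post #13, as an added example that is not part of the original thread: given an exports file, it finds the export marked fsid=0 and prints the path an NFSv4 client has to request. The exports content is a constructed sample and `nfs4_root` / `nfs4_client_path` are hypothetical helper names; when no export carries fsid=0 the path is passed through unchanged, which assumes a server that builds the NFSv4 pseudo-root at / on its own.

```sh
#!/bin/sh
# Added example: constructed /etc/exports content, hypothetical helper names.
EXPORTS_SAMPLE='# constructed sample matching the layout described in the post
/export       192.168.1.0/24(rw,fsid=0,no_subtree_check)
/export/back  192.168.1.0/24(rw,no_subtree_check)'

# Print the export path that carries fsid=0 (or fsid=root), if any.
nfs4_root() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if ($i ~ /[(,]fsid=(0|root)[,)]/) { print $1; exit } }'
}

# Translate a server-side path ($2) into the path an NFSv4 client mounts.
# Returns 1 when the path lies outside the fsid=0 root and so is not
# visible under the NFSv4 namespace.
nfs4_client_path() {
    root=$(nfs4_root "$1")
    path=$2
    if [ -z "$root" ] || [ "$root" = "/" ]; then
        # Assumption: no explicit root, so the server-side path is used as is.
        printf '%s\n' "$path"
        return 0
    fi
    case "$path" in
        "$root")   printf '/\n' ;;
        "$root"/*) printf '%s\n' "${path#"$root"}" ;;
        *)         return 1 ;;
    esac
}

# /export/back on the server is /back for an NFSv4 client.
printf '192.168.1.109:%s\n' "$(nfs4_client_path "$EXPORTS_SAMPLE" /export/back)"
```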

  14. #14
    Join Date
    Jun 2010
    Location
    Italy
    Posts
    45

    Re: firewalld inhibits nfs

    Hi friends,

    HTML Code:
    chrismurphy:For NFSv4 you don't specify the share that was exported, but rather just 192.168.1.109:/ because on the server /export is set as fsid=0 so that is the root. And "back" appears within.
    
    And this connects through the firewall!
    On FC17 I would like to share with nfs4, but every tutorial is for nfs<4.
    If I try with nfs3 the firewall stops any action, so I would like to use nfs4.

    On the server (192.168.1.36) I have this export:

    /var/run/media/vage/BIG 192.168.1.35/255.255.255.0(rw,insecure,sync)

    From the client (192.168.1.35) I would mount /var/run/media/vage/BIG on /mnt/BIG

    #mount.nfs -o vers=4 192.168.1.36:/var/run/media/vage/BIG /mnt/BIG

    but I obtain:

    #No such file or directory

    I don't understand very well where to put "fsid=0"
    and the different mounting actions.

    Could you explain the nfs4 usage better? I have some doubts... GASP!

    thanks!!

  15. #15
    Join Date
    Mar 2008
    Posts
    135

    Re: firewalld inhibits nfs

    Quote Originally Posted by chrismurphy
    Services enables all needed ports for that service, it just doesn't show this, which is one of my frustrations with firewalld. I can't tell what each service does.

    Ports contains no listed ports. If I enable all services, still no listed ports in Ports. Obviously ports are open or things like sshd and mdns wouldn't work, yet they do.

    If I manually add 2049/tcp, still doesn't work. If I add 2049/udp, still doesn't work. I've added 111 tcp and udp and every old NFS and RPC port I can find. Still doesn't work.

    Only if I disable firewalld does it work. So it's clearly blocking something that the client wants. I just don't know what it wants.
    I am having this exact same issue on Fedora 17. This is something in the server-side firewall settings that is blocking clients, specifically autofs, from mounting exported filesystems.
