FedoraForum.org - Fedora Support Forums and Community
  1. #16
    Join Date
    Jun 2010
    Location
    Italy
    Posts
    45

    Re: firewalld inhibits nfs

    The question is NFS3 or less and NFS4.

    I understand that Fedora 17 (and higher) already provides the correct firewall configuration for access to NFS4. (With NFS3 or less, the procedures are more complex and not automatic.)

    In fact, if I try to mount with nfs4 (after opening the nfs4 firewall port in system-config-firewall):

    /etc/exports on server:
    #/var/run/media/vage/BIG 192.168.1.34(rw,insecure,sync)

    mounting from 192.168.1.34:

    #mount.nfs4 192.168.1.36:/var/run/media/vage/BIG /mnt/BIG
    mount.nfs4: mounting 192.168.1.36:/var/run/media/vage/BIG failed, reason given by server:
    No such file or directory

    but if I run:
    #mount.nfs4 192.168.1.36:/ /mnt/BIG

    it mounts correctly, but root and users cannot see the contents of the directory

    ghhh!

    ---------- Post added at 04:59 PM ---------- Previous post was at 04:07 PM ----------

    ...whoops, using the option "fsid=0" in /etc/exports
    it mounts correctly and everybody can see (and write) files!

    but is it secure?

  2. #17
    Join Date
    May 2010
    Posts
    1,058

    Re: firewalld inhibits nfs

    Quote Originally Posted by danjde

    ...whoops, using the option "fsid=0" in /etc/exports
    it mounts correctly and everybody can see (and write) files!

    but is it secure?
    Don't know. It's confusing finding so many parts of NFSv4 in different locations. I think it would be best for documentation of it to take a narrow, simple use case, like a small business of perhaps 5-10 users, where it needs to be reasonably secure, but maybe not using LDAP or AD which just adds complexity for a small setup. So it might be an area of improvement for volunteers to write up an NFSv4 guide for Fedora. I know there is some of that material but it's for sysadmins I think, not regular users. I found this somewhat helpful:
    https://help.ubuntu.com/community/SettingUpNFSHowTo

    But then on OS X I don't have /etc/idmapd.conf, nor does Windows. So how does that work? So use case based guidance would be nice.

  3. #18
    Join Date
    Jun 2010
    Location
    Italy
    Posts
    45

    Re: firewalld inhibits nfs

    Thanks for the useful information ;.)

    OK, now I can mount NFS4 by adding the "fsid=0" option in /etc/exports,

    but I cannot overwrite existing files; this is because all the files of the user directory have "502" as owner.

    How could I give a specific user the ability to overwrite files and directories?

    Many thanks again!

    I've seen this on your link (Ubuntu NFS tutorial):

    User Permissions

    NFS user permissions are based on user ID (UID). UIDs of any users on the client must match those on the server in order for the users to have access. The typical ways of doing this are:

    Manual password file synchronization

    Use of LDAP

    Use of NIS
    Last edited by danjde; 29th January 2013 at 07:40 PM.

  4. #19
    Join Date
    May 2010
    Posts
    1,058

    Re: firewalld inhibits nfs

    Quote Originally Posted by kromberg
    I am having this exact same issue on Fedora 17. This is something on the server side firewall settings that are blocking clients, specifically autofs, from mounting exported filesystems.
    Sounds like clients are falling back to NFSv3. Neither the Fedora 17 nor the Fedora 18 firewall appears to have an entry for NFSv3, just NFSv4. So you probably need to open 111 for RPC, and maybe another one, 23008 or 24008? I forget.

    ---------- Post added at 12:07 PM ---------- Previous post was at 12:06 PM ----------

    Quote Originally Posted by danjde
    How could I give a specific user the ability to overwrite files and directories?
    I haven't figured out how to do the user mappings yet.

  5. #20
    Join Date
    Mar 2008
    Posts
    135

    Re: firewalld inhibits nfs

    Quote Originally Posted by chrismurphy
    Sounds like clients are falling back to NFSv3. Neither the Fedora 17 nor the Fedora 18 firewall appears to have an entry for NFSv3, just NFSv4. So you probably need to open 111 for RPC, and maybe another one, 23008 or 24008? I forget.

    ---------- Post added at 12:07 PM ---------- Previous post was at 12:06 PM ----------



    I haven't figured out how to do the user mappings yet.
    With 111 opened, same behavior. 23008 and 24008 are not listed ports in system-config-firewall. I googled around a bit and could not find any other mentioned ports for NFSv3. Any other ideas?

  6. #21
    Join Date
    May 2010
    Posts
    1,058

    Re: firewalld inhibits nfs

    Quote Originally Posted by kromberg
    With 111 opened, same behavior. 23008 and 24008 are not listed ports in system-config-firewall. I googled around a bit and could not find any other mentioned ports for NFSv3. Any other ideas?
    It might be doing what mine was doing, which is opening up some random port for every connection. These were logged in 'journalctl -n' for the root user. If that's the case, then you need to figure out how to specify a static mountpoint, which I think is client -o mountport=<port#>, but I'm not sure if something is needed on the server side to make sure it's always available on that port.

    Whereas with NFSv4, this was working consistently with multiple clients on 2049. But I didn't use netstat or nmap to map what ports were being used; I have to think that it works just like an http server: the initial connection is made on 2049, they negotiate to use another port, and it's the server that makes contact so that the dynamic firewall allows that new connection. Whereas with NFSv3, it must be that the client tries to talk on a server port before the server does, and so the firewall inhibits it. (?) I'm just speculating. It would be nice to know how this works. There has to be a document somewhere on the intertoobz that explains the negotiation between server/client for NFSv3 and v4 or none of this stuff would work at all for anyone.

  7. #22
    Join Date
    Sep 2007
    Posts
    11

    Re: firewalld inhibits nfs

    Using a Fedora 22 server presenting NFS and with nfs listed as a service I needed to add:

    111/tcp, 111/udp, 20048/tcp, 20048/udp for an OS X client to mount the exports.

    Hopefully this addition can help someone else who ends up on this thread.

  8. #23
    Join Date
    Jun 2018
    Location
    Earth
    Posts
    2

    Re: firewalld inhibits nfs

    Here's what I needed to do to act as an NFS server on Fedora 27. Despite five and a half years since the original post, it didn't appear anyone had the real answer yet.

    If you have NFSv3 or older clients, then one needs this:
    Code:
    firewall-cmd --add-service=mountd --add-service=nfs --add-service=rpc-bind --add-port=2049/udp --permanent
    firewall-cmd --reload
    If only NFSv4 clients should be supported, then the first command only needs to enable nfs:
    Code:
    firewall-cmd --add-service=nfs --permanent
    Using the service, rather than raw port numbers, is the right way to enable the service.

    There are multiple versions of NFS in the decades it's been around. Originally v1 to v3, it used RPC portmapper to expose several services, mountd and nfs being two that are necessary for NFS. NFS can also use lockd, statd, and rquotad services, but those are much less commonly used. Other than rpc-bind, the port numbers aren't fixed, so the services and ports listed are just the defaults. Run rpcinfo -p to see the real ports in use.

    All the different port numbers listed in the various posts in this thread are because of this. Someone had a NFSv4 client, someone had a NFSv3 client, someone used lockd, and so on.

    The 2049 udp is because the NFS service firewall config is just for NFSv4. NFS data itself can use TCP or UDP. Traditionally (20 years ago) it was always UDP, but TCP is generally better and is now much more common, and NFSv4 always uses TCP. So the NFS firewall service info just opens a TCP port. An old/simple NFS client, like say the NFS boot support in the U-Boot bootloader, might only support UDP. One could not open 2049/udp if it was known that all the clients would be TCP based.

    NFSv4 is different and only uses the 2049/tcp port.
    Last edited by xyzzy; 27th June 2018 at 07:21 PM. Reason: More details
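
Post #23 notes that only rpc-bind has a fixed port and that `rpcinfo -p` shows the ports really in use. The sketch below is an added example, not part of any poster's message: it reduces that output to a port list and prints a dry-run `firewall-cmd` line for anything the services do not cover. The function names, the sample output and the `COVERED` list (taken from the port numbers quoted in this thread) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list the ports NFS RPC services really
# listen on, and show which ones the firewalld services do not already cover.

# Constructed `rpcinfo -p` output; on a real server pipe in `rpcinfo -p` instead.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100021    4   udp  47521  nlockmgr
    100021    4   tcp  39173  nlockmgr
EOF
}

# stdin: rpcinfo -p output. $1: service names to keep. $2: tcp, udp or any.
# stdout: unique "port/proto service" lines, sorted by port number.
nfs_rpc_ports() {
    awk -v wanted="${1:-portmapper mountd nfs}" -v proto="${2:-any}" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        ($5 in keep) && $4 ~ /^[0-9]+$/ && (proto == "any" || $3 == proto) {
            key = $4 "/" $3
            if (!(key in seen)) { seen[key] = 1; print key, $5 }
        }' | LC_ALL=C sort -t/ -k1,1n -k2,2
}

# Ports this thread gives for the rpc-bind, nfs and mountd firewalld services
# (assumption: the installed service definitions match these).
COVERED="111/tcp 111/udp 2049/tcp 20048/tcp 20048/udp"

# stdin: nfs_rpc_ports output. stdout: a dry-run firewall-cmd line for ports the
# services above do not cover, or nothing when the services are enough.
extra_port_command() {
    args=""
    while read -r port _svc; do
        case " $COVERED " in
            *" $port "*) ;;
            *) args="$args --add-port=$port" ;;
        esac
    done
    if [ -n "$args" ]; then echo "firewall-cmd --permanent$args"; fi
    return 0
}
```

On a live server, `rpcinfo -p | nfs_rpc_ports "portmapper mountd nfs" tcp` gives the TCP-only list; the printed command is never executed by the script.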

  9. #24
    Join Date
    Aug 2009
    Posts
    8,486

    Re: firewalld inhibits nfs

    That was a very good response. Thank you for posting it.

    I will probably close this thread since it is so old; however, I do believe I will leave it open for the time being in case someone else wishes to add to it. This is an old post, but still relevant.

    I will add a bit to it myself, though. Since you already mentioned the deal about the UDP port, I wish to add that people should try it without opening up the UDP port and see if it works for them. Same with some of the services added as well. It possibly might need all of them, but my recommendation is to open ONLY what is necessary for your particular situation.
    Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?

  10. #25
    Join Date
    Jun 2018
    Location
    Earth
    Posts
    2

    Re: firewalld inhibits nfs

    Quote Originally Posted by DBelton
    I will probably close this thread since it is so old; however, I do believe I will leave it open for the time being in case someone else wishes to add to it. This is an old post, but still relevant.
    It's on the first page of google results for "nfs firewall fedora 27", which is how I found it. But there really was no good answer, just two pages of random port numbers. But it did point me to firewalld and firewall-cmd, which was what I needed.
