[Novalug] nfs server
Bryan J. Smith
b.j.smith@ieee.org
Tue Mar 9 18:29:02 EST 2010
First off, clients (including Solaris) can use the "vers=3" argument.
I prefer to force a version for various reasons.
Secondly, I think you either uncommented way too much, or you
still have some old connections with dynamically assigned ports.
You just need the ports for nlockmgr and mountd, typically rstatd
as well, plus rquotad if you use quotas. Things like sgi_fam (File
Alteration Monitor) and other support are completely optional.
Third, you're still going to have issues because you've only
opened up RPC port 111. You still need to open up the ports for
_at_least_ nlockmgr and mountd and typically rstatd.
Assuming you're using the Red Hat basic iptables configuration,
edit this file:
/etc/sysconfig/iptables
And look for this line:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
It should be preceded by lines such as:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
You'll need to add the UDP and TCP ports for each, based on the numbers
in the /etc/sysconfig/nfs file _just_before_ the REJECT line.
E.g., here's my /etc/sysconfig/nfs file ...
$ grep "PORT=" /etc/sysconfig/nfs
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
#STATD_OUTGOING_PORT=2020
Don't worry about the "OUTGOING" port. For my system, I would add these lines ...
# RQUOTAD
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 875 -j ACCEPT
# NFSLOCKD
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
# MOUNTD
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
# STATD (rpc.statd, the NFS lock status monitor; from STATD_PORT=662)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT
And restart the firewall with:
# service iptables restart
And to clear out everything else, I'd also restart portmapper, nfslock and nfs, in order ...
# service nfs stop
# service nfslock stop
# service portmap restart
# service nfslock start
# service nfs start
As far as "new," understand RHEL 5 is based on old Fedora Core 6: ;)
http://en.wikipedia.org/wiki/RHEL#Relationship_to_free_or_community_distributions
-- Bryan
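The pin-then-open procedure above, as an added shell example that is not part of Bryan's message or the thread. It generates the RH-Firewall-1-INPUT ACCEPT lines directly from the /etc/sysconfig/nfs port assignments (so the TCP/UDP split for lockd is always right and no port number is retyped by hand), and then parses an `rpcinfo -p` listing to flag any NFS helper still registered on a port that is not in the pinned set. The config fragment and the rpcinfo listing are constructed inline for the demo; the script does not touch the live firewall or run rpcinfo itself. The pinned-port rule convention is the RH-Firewall-1-INPUT chain shown in the message.

```shell
#!/bin/sh
# Added example, not from the original thread. Derives iptables rules for the
# pinned NFS RPC ports from an /etc/sysconfig/nfs-style file and checks an
# `rpcinfo -p` listing for NFS helpers that are still on dynamic ports.
# File names and sample data below are constructed for the demo.

# Print the full set of ports a client needs: 111 (portmap/rpcbind) and
# 2049 (nfs) are fixed; the rest come from *_PORT / LOCKD_*PORT lines.
# Commented-out lines (e.g. #STATD_OUTGOING_PORT) are ignored.
pinned_ports() {
    printf '111 2049 %s' "$(sed -n 's/^[A-Z_]*PORT=\([0-9][0-9]*\).*/\1/p' "$1" | tr '\n' ' ')"
}

# Emit RH-Firewall-1-INPUT ACCEPT lines for every port the NFS helpers use.
# $1 = path to an /etc/sysconfig/nfs-style file.
nfs_rules_from_config() {
    conf=$1
    get()  { sed -n "s/^$1=\([0-9][0-9]*\).*/\1/p" "$conf" | tail -n 1; }
    rule() { printf '%s -m state --state NEW -m %s -p %s --dport %s -j ACCEPT\n' \
                 '-A RH-Firewall-1-INPUT' "$1" "$1" "$2"; }
    both() { rule tcp "$1"; rule udp "$1"; }
    echo '# PORTMAP (fixed)'; both 111
    echo '# NFS (fixed)';     both 2049
    p=$(get RQUOTAD_PORT); [ -n "$p" ] && { echo '# RQUOTAD'; both "$p"; }
    t=$(get LOCKD_TCPPORT); u=$(get LOCKD_UDPPORT)
    if [ -n "$t" ] || [ -n "$u" ]; then
        echo '# NFSLOCKD (separate TCP and UDP ports)'
        [ -n "$t" ] && rule tcp "$t"
        [ -n "$u" ] && rule udp "$u"
    fi
    p=$(get MOUNTD_PORT); [ -n "$p" ] && { echo '# MOUNTD'; both "$p"; }
    p=$(get STATD_PORT);  [ -n "$p" ] && { echo '# STATD (rpc.statd)'; both "$p"; }
    return 0
}

# Print "service proto port" for each NFS-related RPC service in an
# `rpcinfo -p` listing ($1) whose port is not in the space-separated
# allow list ($2). Exit status 1 if anything is unpinned, 0 if clean.
nfs_unpinned() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $5 ~ /^(portmapper|rpcbind|nfs|mountd|nlockmgr|status|rquotad)$/ \
            && !($4 in ok) && !seen[$5, $3, $4]++ { print $5, $3, $4; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

TMP=${TMPDIR:-/tmp}/nfsdemo.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# Constructed /etc/sysconfig/nfs fragment (same values as the message above).
cat > "$TMP/nfs" <<'EOF'
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
#STATD_OUTGOING_PORT=2020
EOF

# Constructed rpcinfo -p listing: mountd was restarted before the new
# MOUNTD_PORT took effect and is still on dynamic ports.
cat > "$TMP/rpcinfo" <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  57198  mountd
    100005    3   udp  57198  mountd
    100005    1   tcp  44065  mountd
    100005    3   tcp  44065  mountd
    100021    4   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100024    1   udp    662  status
    100024    1   tcp    662  status
EOF

echo '== rules to place just before the REJECT line =='
nfs_rules_from_config "$TMP/nfs"
echo '== NFS services not on a pinned port =='
nfs_unpinned "$TMP/rpcinfo" "$(pinned_ports "$TMP/nfs")" \
    || echo 'unpinned helpers found: restart portmap, nfslock and nfs, then re-check'
```

On a real host, replace the two constructed files with /etc/sysconfig/nfs and the output of `rpcinfo -p`, paste the generated rules in front of the REJECT line in /etc/sysconfig/iptables, and run the check again after the service restarts; anything the check still prints is a port the firewall rules will not cover.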
----- Original Message ----
From: Jon LaBadie <novalugml@jgcomp.com>
On Tue, Mar 09, 2010 at 12:32:57PM -0800, Bryan J. Smith wrote:
> Don't use NFSv2 if at all possible. Long stories. ;)
Never intentionally. My Solaris 9 system tries to mount using
V3 and falls back to V2 if necessary.
> It's very clear to me that this is a firewall issue.
That was my feeling. I never set up iptables, it came along for
the ride with some part of the install/updates.
> You're blocking
> all sorts of RPC access, including to port 111 itself. That's why
> rpcinfo fails from remote systems, but works locally.
Ahh, did not realize that.
> You need to open up port 111 for RPC,
Done, remote rpcinfo now works.
# rpcinfo -p mums
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
100011 1 udp 875 rquotad
100011 2 udp 875 rquotad
100011 1 tcp 875 rquotad
100011 2 tcp 875 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100005 1 udp 57198 mountd
100005 1 tcp 44065 mountd
100005 2 udp 57198 mountd
100005 2 tcp 44065 mountd
100005 3 udp 57198 mountd
100005 3 tcp 44065 mountd
But no joy in remote mounting of NFS shares.
I've also tried disabling the firewall and still no joy.
> and you need to tie your other RPC services for NFS to specific ports,
> and then open those as well.
I understand what you are saying, but have not figured out how to.
Plus, I thought that the ports by default were randomized.
I uncommented all the port assignments in /etc/sysconfig/nfs and
restarted things. This gave the following longer rpcinfo list,
but remote mounts still "RPC: Timed out".
# rpcinfo -p
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
100232 10 udp 32772 sadmind
100011 1 udp 32773 rquotad
100002 2 udp 32774 rusersd
100002 3 udp 32774 rusersd
100002 2 tcp 32771 rusersd
100002 3 tcp 32771 rusersd
100012 1 udp 32775 sprayd
100008 1 udp 32776 walld
100001 2 udp 32777 rstatd
100001 3 udp 32777 rstatd
100001 4 udp 32777 rstatd
100221 1 tcp 32772
100230 1 tcp 32773 metamhd
100229 1 tcp 32774 metad
100229 2 tcp 32774 metad
100242 1 tcp 32775 metamedd
100422 1 tcp 32776
391002 1 tcp 32777 sgi_fam
391002 2 tcp 32777 sgi_fam
100068 2 udp 32778
100068 3 udp 32778
100068 4 udp 32778
100068 5 udp 32778
100083 1 tcp 32778
100024 1 udp 32779 status
100024 1 tcp 32779 status
100133 1 udp 32779
100133 1 tcp 32779
100021 1 udp 4045 nlockmgr
100021 2 udp 4045 nlockmgr
100021 3 udp 4045 nlockmgr
100021 4 udp 4045 nlockmgr
100021 1 tcp 4045 nlockmgr
100021 2 tcp 4045 nlockmgr
100021 3 tcp 4045 nlockmgr
100021 4 tcp 4045 nlockmgr
100005 1 udp 32804 mountd
100005 2 udp 32804 mountd
100005 3 udp 32804 mountd
100005 1 tcp 32780 mountd
100005 2 tcp 32780 mountd
100005 3 tcp 32780 mountd
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100227 2 udp 2049 nfs_acl
100227 3 udp 2049 nfs_acl
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100227 2 tcp 2049 nfs_acl
100227 3 tcp 2049 nfs_acl
300598 1 udp 32814
300598 1 tcp 32781
805306368 1 udp 32814
805306368 1 tcp 32781
100249 1 udp 32815
100249 1 tcp 32782
> Again, see this section:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s2-sysconfig-nfs.html
May be a little too "new" for my Fedora 9 system,
but I'm looking at it now.
> -- Bryan
>
> P.S. Using "vers=4" as a mount/autofs option on clients should
> allow only port 2049 to be opened, and not require this. Version 4
> implements a refinement of what was previously known as WebNFS.
> It removes the need to expose other RPC services ports.
>
Would not be suitable for interaction with my Solaris 9 system.
Interesting to me is that I uncommented RPCNFSDARGS="-N 4" to
turn off support for version 4. Yet a single instance of nfsd4
still runs when nfs is restarted (along with 8 nfsd's).