[Novalug] nfs server

Bryan J. Smith b.j.smith@ieee.org
Tue Mar 9 18:29:02 EST 2010


First off, clients (including Solaris) can use the "vers=3" argument.
I prefer to force a version for various reasons.

Secondly, I think you either uncommented way too much, or you
still have some old connections with dynamically assigned ports.
You just need the ports for nlockmgr and mountd, typically rstatd
as well, plus rquotad if you use quotas.  Things like sgi_fam (File
Alteration Monitor) and other support are completely optional.

Third, you're still going to have issues because you've only
opened up RPC port 111.  You still need to open up the ports for
_at_least_ nlockmgr and mountd and typically rstatd.

Assuming you're using the Red Hat basic iptables configuration,
edit this file:  
  /etc/sysconfig/iptables

And look for this line:  
  -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

It should be preceded by lines such as:  
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT

You'll need to add the UDP and TCP ports for each, based on the numbers
in the /etc/sysconfig/nfs file _just_before_ the REJECT line.

E.g., here's my /etc/sysconfig/nfs file ...

  $ grep "PORT=" /etc/sysconfig/nfs
  RQUOTAD_PORT=875
  LOCKD_TCPPORT=32803
  LOCKD_UDPPORT=32769
  MOUNTD_PORT=892
  STATD_PORT=662
  #STATD_OUTGOING_PORT=2020

Don't worry about the "OUTGOING" port.  For my system, I would add these lines ...

  # RQUOTAD
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 875 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 875 -j ACCEPT
  # NFSLOCKD
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 32803 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 32769 -j ACCEPT
  # MOUNTD
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 892 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 892 -j ACCEPT
  # RSTATD
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 662 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 662 -j ACCEPT

And restart the firewall with:  
  # service iptables restart

And to clear out everything else, I'd also restart portmapper, nfslock and nfs, in order ...

  # service nfs stop
  # service nfslock stop
  # service portmap restart
  # service nfslock start
  # service nfs start

As far as "new," understand RHEL 5 is based on old Fedora Core 6:  ;)
  http://en.wikipedia.org/wiki/RHEL#Relationship_to_free_or_community_distributions  


-- Bryan

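The rule generation and the rpcinfo cross-check described in the message above, as an added example that is not from the thread: it reads the PORT= lines of a sysconfig file, prints the ACCEPT rules to place before the REJECT line, and flags any NFS helper that "rpcinfo -p" still shows on a dynamic port. File paths are assumptions passed as arguments; the sample inputs are constructed from the values quoted in the messages.

```shell
# Constructed samples: Bryan's /etc/sysconfig/nfs values and an rpcinfo
# listing where mountd is still on dynamic ports (as in Jon's first output).
TMP=$(mktemp -d)
cat >"$TMP/nfs" <<'EOF'
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
#STATD_OUTGOING_PORT=2020
EOF
cat >"$TMP/rpcinfo" <<'EOF'
   program vers proto   port  service
    100011    1   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100021    1   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100005    1   udp  57198  mountd
    100005    1   tcp  44065  mountd
EOF

# Which protocol(s) a sysconfig variable pins, and the rpcinfo service it maps to.
protos_for() { case "$1" in LOCKD_TCPPORT) echo tcp;; LOCKD_UDPPORT) echo udp;; *) echo "tcp udp";; esac; }
svc_for() { case "$1" in RQUOTAD_PORT) echo rquotad;; LOCKD_*) echo nlockmgr;;
  MOUNTD_PORT) echo mountd;; STATD_PORT) echo status;; *) return 1;; esac; }

# Active PORT= lines only: commented lines and the OUTGOING port are skipped.
pinned_ports() { grep '^[A-Z_]*PORT=' "$1" | grep -v OUTGOING; }

# Emit one ACCEPT rule per pinned port and protocol, ready to paste just
# before the REJECT line of /etc/sysconfig/iptables.
nfs_fw_rules() {
  pinned_ports "$1" | while IFS='=' read -r var port; do
    for p in $(protos_for "$var"); do
      printf '%s -m state --state NEW -m %s -p %s --dport %s -j ACCEPT\n' '-A RH-Firewall-1-INPUT' "$p" "$p" "$port"
    done
  done
}

# Compare "rpcinfo -p" output (file $2) with the pinned ports (file $1).
# Prints one line per service on an unexpected port; returns 1 if any.
nfs_check_ports() {
  out=$(pinned_ports "$1" | while IFS='=' read -r var port; do
    svc=$(svc_for "$var") || continue
    for p in $(protos_for "$var"); do
      got=$(awk -v s="$svc" -v p="$p" '$5==s && $3==p {print $4}' "$2" | sort -u | tr '\n' ' ')
      got=${got% }
      case " $got " in *" $port "*) ;; *) echo "$svc/$p: expected $port, rpcinfo shows ${got:-nothing}";; esac
    done
  done)
  [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

nfs_fw_rules "$TMP/nfs"
nfs_check_ports "$TMP/nfs" "$TMP/rpcinfo" || echo "restart portmap, nfslock and nfs in order, then re-check"
```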

----- Original Message ----
From: Jon LaBadie <novalugml@jgcomp.com>

On Tue, Mar 09, 2010 at 12:32:57PM -0800, Bryan J. Smith wrote:
> Don't use NFSv2 if at all possible.  Long stories.  ;)

Never intentionally.  My Solaris 9 system tries to mount using
V3 and falls back to V2 if necessary.

> It's very clear to me that this is a firewall issue.

That was my feeling.  I never set up iptables, it came along for
the ride with some part of the install/updates.

> You're blocking
> all sorts of RPC access, including to port 111 itself.  That's why
> rpcinfo fails from remote systems, but works locally.

Ahh, did not realize that.

> You need to open up port 111 for RPC,

Done, remote rpcinfo now works.

# rpcinfo -p mums
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  57198  mountd
    100005    1   tcp  44065  mountd
    100005    2   udp  57198  mountd
    100005    2   tcp  44065  mountd
    100005    3   udp  57198  mountd
    100005    3   tcp  44065  mountd

But no joy in remote mounting of NFS shares.
I've also tried disabling the firewall and still no joy.

> and you need to tie your other RPC services for NFS to specific ports,
> and then open those as well.

I understand what you are saying, but have not figured out how to.
Plus, I thought that the ports by default were randomized.

I uncommented all the port assignments in /etc/sysconfig/nfs and
restarted things.  This gave the following longer rpcinfo list,
but remote mounts still "RPC: Timed out".

# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100232   10   udp  32772  sadmind
    100011    1   udp  32773  rquotad
    100002    2   udp  32774  rusersd
    100002    3   udp  32774  rusersd
    100002    2   tcp  32771  rusersd
    100002    3   tcp  32771  rusersd
    100012    1   udp  32775  sprayd
    100008    1   udp  32776  walld
    100001    2   udp  32777  rstatd
    100001    3   udp  32777  rstatd
    100001    4   udp  32777  rstatd
    100221    1   tcp  32772
    100230    1   tcp  32773  metamhd
    100229    1   tcp  32774  metad
    100229    2   tcp  32774  metad
    100242    1   tcp  32775  metamedd
    100422    1   tcp  32776
    391002    1   tcp  32777  sgi_fam
    391002    2   tcp  32777  sgi_fam
    100068    2   udp  32778
    100068    3   udp  32778
    100068    4   udp  32778
    100068    5   udp  32778
    100083    1   tcp  32778
    100024    1   udp  32779  status
    100024    1   tcp  32779  status
    100133    1   udp  32779
    100133    1   tcp  32779
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100005    1   udp  32804  mountd
    100005    2   udp  32804  mountd
    100005    3   udp  32804  mountd
    100005    1   tcp  32780  mountd
    100005    2   tcp  32780  mountd
    100005    3   tcp  32780  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    2   udp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    2   tcp   2049  nfs_acl
    100227    3   tcp   2049  nfs_acl
    300598    1   udp  32814
    300598    1   tcp  32781
805306368    1   udp  32814
805306368    1   tcp  32781
    100249    1   udp  32815
    100249    1   tcp  32782

> Again, see this section:  
>   http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Deployment_Guide-en-US/s2-sysconfig-nfs.html  

May be a little too "new" for my Fedora 9 system,
but I'm looking at it now.


> -- Bryan
> 
> P.S.  Using "vers=4" as a mount/autofs option on clients should
> allow only port 2049 to be opened, and not require this.  Version 4
> implements a refinement of what was previously known as WebNFS.
> It removes the need to expose other RPC services ports.
> 

Would not be suitable for interaction with my Solaris 9 system.
Interesting to me is that I uncommented RPCNFSDARGS="-N 4" to
turn off support for version 4.  Yet a single instance of nfsd4
still runs when nfs is restarted (along with 8 nfsd's).
