Can only access nfs shares with firewalld disabled on server

brunomcl · October 7, 2019, 7:37pm

New server with Leap 15.1, Plasma, wired local network.

Server can ping client (a Raspberry Pi) but the client only see the nfs shares with firewalld disabledon server.

Nfs service is enabled on firewalld yast GUI, but the ports are not automatically open, and even when added manually the shares are still not accessible.

firewalld enabled and running:

# systemctl status firewalld  
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; **enabled**; vendor preset: disabled)
   Active: **active** (running) since Mon 2019-10-07 13:30:15 -03; 45min ago
     Docs: man:firewalld(1)
  Process: 422 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 30901 (firewalld)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/firewalld.service
           └─30901 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Yast firewalld GUI show device eth0 is assigned to the public zone.

All open services, before adding ports:

# firewall-cmd --list-all     
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: **nfs nfs3 synergy syncthing**
  ports:
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Ports in use by NFS:

# grep nfs /etc/services
...
nfs               ** 2049/tcp**     # Network File System - Sun Microsystems  [Brent_Callaghan]
nfs                **2049/udp**     # Network File System - Sun Microsystems  [Brent_Callaghan]
nfs                **2049/sctp**    # Network File System  [RFC5665]
3d-nfsd            2323/tcp     # 3d-nfsd  [Mike_Sherrill]
3d-nfsd            2323/udp     # 3d-nfsd  [Mike_Sherrill]
mediacntrlnfsd     2363/tcp     # Media Central NFSD  [Shivakumar_S_Govind]
mediacntrlnfsd     2363/udp     # Media Central NFSD  [Shivakumar_S_Govind]
winfs              5009/tcp     # Microsoft Windows Filesystem  [Simon_Skaria]
winfs              5009/udp     # Microsoft Windows Filesystem  [Simon_Skaria]
enfs               5233/tcp     # Etinnae Network File Service  [Chris_Peel]
nfsrdma            20049/tcp    # Network File System (NFS) over RDMA  [RFC5666]
nfsrdma            20049/udp    # Network File System (NFS) over RDMA  [RFC5666]
nfsrdma            20049/sctp   # Network File System (NFS) over RDMA  [RFC5666]

After adding port 2049 manually:

# firewall-cmd --list-services
nfs nfs3 synergy syncthing
# firewall-cmd --list-ports   
2049/tcp 2049/udp 2049/sctp

These service and ports are allowed/open in the public zone settings of firewalld GUI, but still no connection. What am I not seeing?

Thanks,

Bruno

nrickert · October 7, 2019, 7:53pm

I think I also had to add “mountd” to the allowed services.

brunomcl · October 7, 2019, 8:09pm

I’ll try, but if so it would be weird as I can access the shares with firewalld disabled.

brunomcl · October 7, 2019, 8:10pm

What puzzles me is that, unlike the older firewall, enabling a service won’t “automagically” open the required ports too.

brunomcl · October 7, 2019, 8:21pm

mountd made no difference, but disabling the firewall works. Just tested again now.

nrickert · October 7, 2019, 10:58pm

NFS is working here, and firewalld is running (on the NFS server).

brunomcl · October 8, 2019, 5:53pm

Could you check what zone nfs is using and which ports are open with

# firewall-cmd --list-all

and

# grep nfs /etc/services

please?

I’d like to see if you get the same output, specially for the first command.

nrickert · October 8, 2019, 7:00pm

Here goes!

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: br0 p4p2
  sources: 
  services: ssh dhcpv6-client mountd nfs nfs3 rpc-bind samba
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

and

# grep nfs /etc/services

please?

I’ll skip that for now, as the output is longish and not very interesting. The chances are that my “/etc/services” is identical to yours, assuming that both came from the original Leap 15.1 install.

brunomcl · October 9, 2019, 7:52pm

Thanks, nrickert, found the solution in an old post of yours. Besides nfs (and probably mountd), I had to enable rpc-bind in firewalld:

# firewall-cmd --list-services
nfs nfs3 synergy syncthing kdeconnect-kde transmission-client **rpc-bind** mountd

The universe is in harmony again https://forums.opensuse.org/images/icons/icon7.png

nrickert · October 9, 2019, 9:26pm

I’m glad to hear that.