SUSEFirewall2: Enable broadcasting

Hello.

Yesterday while trying to mount an NFS share through YaST it continuously failed while scanning the network and giving this error message:

ERROR
No NFS server has been found on your network.
This could be caused by a running SuSEfirewall2,
which probably blocks the network scanning.

I have added the NFS client to allowed services and can mount the shares manually at CLI and through YaST as well if I provide the IP address or hostname of the server. Disabling the firewall results in the server being found while scanning. Some digging around and browsing these forums eventually led me to believe it’s the broadcasting that’s the problem. My question is then, how do I allow broadcasting and can it be done dynamically, as in automatically allowing as needed (I see no reason to have unneeded ports open for extended periods of time).
Running openSUSE 11.4 on a laptop and the NFS server is only locally available on my home LAN.

Cheers

On 2012-02-13 21:16, ndlarsen wrote:
>
> Hello.
>
> Yesterday while trying to mount a NFS share through YaST it
> continuously failed while scanning the network and giving this error
> message:
>
> Code:
> --------------------
> ERROR
> No NFS server has been found on your network.
> This could be caused by a running SuSEfirewall2,
> which probably blocks the network scanning.
> --------------------

I think you need rpc, nfs.


FW_CONFIGURATIONS_EXT=" nfs-client nfs-kernel-server "
FW_SERVICES_ACCEPT_EXT="192.168.1.0/24,_rpc_,nfs 192.168.74.0/24,_rpc_,nfs"


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Hi.

I appreciate your reply. Unfortunately your suggestion could not solve it. I tried allowing all broadcasting from services using UDP as well as TCP, no dice. Here is the output from /var/log/firewall.log while scanning the network via YaST with the settings you suggested:


slave:~ # tail -f -n 0 /var/log/firewall
Feb 14 14:43:22 slave kernel: [ 3245.495553] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0e:35:4e:e4:a7:00:1c:c0:d0:e0:61:08:00 SRC=192.168.1.5 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=111 DPT=47144 LEN=40
Feb 14 14:43:22 slave kernel: [ 3245.501538] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0e:35:4e:e4:a7:00:1c:c0:d0:e0:61:08:00 SRC=192.168.1.5 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=111 DPT=47144 LEN=40
Feb 14 14:43:26 slave kernel: [ 3249.499280] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0e:35:4e:e4:a7:00:1c:c0:d0:e0:61:08:00 SRC=192.168.1.5 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=111 DPT=47144 LEN=40
Feb 14 14:43:26 slave kernel: [ 3249.505259] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0e:35:4e:e4:a7:00:1c:c0:d0:e0:61:08:00 SRC=192.168.1.5 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=111 DPT=47144 LEN=40

The IP address of the NFS server is 192.168.1.5 and 192.168.1.120 is the laptop running the client.

From this thread it seems that setting

FW_ALLOW_FW_BROADCAST_EXT="yes"

could solve the problem but, alas, again no luck:

slave:~ # tail -f -n 0 /var/log/firewall
Feb 14 14:51:55 slave kernel: [ 3759.101318] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0e:35:4e:e4:a7:00:1c:c0:d0:e0:61:08:00 SRC=192.168.1.5 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=111 DPT=49090 LEN=40
Feb 14 14:51:55 slave kernel: [ 3759.101508] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0e:35:4e:e4:a7:00:1c:c0:d0:e0:61:08:00 SRC=192.168.1.5 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=111 DPT=49090 LEN=40
Feb 14 14:51:59 slave kernel: [ 3763.103818] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0e:35:4e:e4:a7:00:1c:c0:d0:e0:61:08:00 SRC=192.168.1.5 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=111 DPT=49090 LEN=40
Feb 14 14:51:59 slave kernel: [ 3763.117037] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0e:35:4e:e4:a7:00:1c:c0:d0:e0:61:08:00 SRC=192.168.1.5 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=111 DPT=49090 LEN=40

Again, I appreciate your reply and the time you took. If anyone could somehow shed some light on the matter it would be greatly appreciated.

Cheers
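To make sense of the dropped packets in the log excerpts above, here is a small parser for SuSEfirewall2 log lines. It is an added example, not code from the thread or from SuSEfirewall2 itself: it extracts the iptables LOG fields (SRC, DST, PROTO, SPT, DPT and the two LEN values), groups the drops per flow, and checks whether an accept rule for an inbound port would match them. The function names are mine; the sample input is the first log excerpt copied from the thread (kernel timestamp bracket restored), and port 111 is named sunrpc as the thread says, with other ports looked up in /etc/services via socket.getservbyport.

```python
import re
import socket
from collections import Counter

# Constructed sample input: the four SFW2 drop lines from the first log
# excerpt in this thread (kernel timestamp bracket restored).
SAMPLE_LOG = """\
Feb 14 14:43:22 slave kernel: [ 3245.495553] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0e:35:4e:e4:a7:00:1c:c0:d0:e0:61:08:00 SRC=192.168.1.5 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=111 DPT=47144 LEN=40
Feb 14 14:43:22 slave kernel: [ 3245.501538] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0e:35:4e:e4:a7:00:1c:c0:d0:e0:61:08:00 SRC=192.168.1.5 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=111 DPT=47144 LEN=40
Feb 14 14:43:26 slave kernel: [ 3249.499280] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0e:35:4e:e4:a7:00:1c:c0:d0:e0:61:08:00 SRC=192.168.1.5 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=111 DPT=47144 LEN=40
Feb 14 14:43:26 slave kernel: [ 3249.505259] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0e:35:4e:e4:a7:00:1c:c0:d0:e0:61:08:00 SRC=192.168.1.5 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=111 DPT=47144 LEN=40
"""

# SuSEfirewall2 log prefixes look like SFW2-<chain>-<verdict>-<rule>
CHAIN_RE = re.compile(r'(SFW2-[\w-]+)')
# iptables LOG target fields are KEY=VALUE; bare flags such as DF have no '='
FIELD_RE = re.compile(r'(\w+)=(\S*)')
INT_FIELDS = {'SPT', 'DPT', 'TTL', 'ID'}
# Names for the ports this thread talks about (111 is sunrpc per the
# thread); anything else is looked up in /etc/services.
KNOWN_SERVICES = {111: 'sunrpc', 2049: 'nfs'}


def parse_sfw2_line(line):
    """Parse one SFW2 kernel log line into a dict, or return None."""
    m = CHAIN_RE.search(line)
    if not m:
        return None
    rec = {'chain': m.group(1)}
    lengths = []
    for key, val in FIELD_RE.findall(line[m.end():]):
        if key == 'LEN':
            # LEN appears twice: IP total length first, then UDP/TCP length
            lengths.append(int(val))
        elif key in INT_FIELDS:
            rec[key.lower()] = int(val)
        else:
            rec[key.lower()] = val
    if lengths:
        rec['ip_len'] = lengths[0]
    if len(lengths) > 1:
        rec['l4_len'] = lengths[1]
    return rec


def service_name(port, proto='udp'):
    """Best-effort service name for a port (built-in table, then /etc/services)."""
    if port in KNOWN_SERVICES:
        return KNOWN_SERVICES[port]
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return 'unknown'


def inbound_service_rule_matches(rec, port, proto='UDP'):
    """Would an accept rule for inbound <proto> port <port> match this packet?
    Such rules key on the destination port, so the source port is irrelevant."""
    return rec.get('proto') == proto and rec.get('dpt') == port


def summarize_drops(lines):
    """Group dropped packets per flow and annotate the source-port service."""
    counts = Counter()
    for line in lines:
        rec = parse_sfw2_line(line)
        if rec is None or 'DROP' not in rec['chain']:
            continue
        key = (rec['chain'], rec.get('proto', '?'), rec.get('src', '?'),
               rec.get('spt', 0), rec.get('dst', '?'), rec.get('dpt', 0))
        counts[key] += 1
    flows = []
    for (chain, proto, src, spt, dst, dpt), n in counts.most_common():
        flows.append({'chain': chain, 'proto': proto, 'src': src, 'spt': spt,
                      'src_service': service_name(spt, proto.lower()),
                      'dst': dst, 'dpt': dpt, 'count': n})
    return flows


def describe(flow):
    return ('%(proto)s %(src)s:%(spt)d (%(src_service)s) -> %(dst)s:%(dpt)d '
            'dropped %(count)d times by %(chain)s' % flow)


if __name__ == '__main__':
    for flow in summarize_drops(SAMPLE_LOG.splitlines()):
        print(describe(flow))
        print('  accept rule for inbound UDP 111 would match:',
              inbound_service_rule_matches(flow, 111))
```

Run on these four lines it reports one flow, UDP 192.168.1.5:111 (sunrpc) -> 192.168.1.120:47144, dropped four times by SFW2-INext-DROP-DEFLT. The packets leave the server's sunrpc port, but their destination port on the client is an ephemeral one, so an accept rule keyed on destination port 111 does not match them; checking the source port as well as the destination port of logged drops shows which direction of the exchange the rule actually has to cover.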

On 2012-02-14 15:06, ndlarsen wrote:
>
> Hi.
>
> I appreciate your reply. Unfortunately your suggestion could not solve
> it. I tried allowing all broadcasting from services using UDP as well as
> TCP, no dice. Here is the output from /var/log/firewall.log while
> scanning the network via YaST with the settings you suggested:

Be aware that I don’t usually rely on the broadcast. If it works I use it,
if not I type. But I haven’t investigated really to make it work always.

The port that is getting hit in your log is named “sunrpc” (/etc/services),
maybe the rule is failing to open it. Try to add “sunrpc”. UDP.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Hi.
Again I appreciate your reply. Still no luck - guess I just have to accept that this cannot be done as is.

Cheers.

On 2012-02-16 15:56, ndlarsen wrote:
>
> Hi.
> Again I appreciate your reply. Still no luck - guess I just have to
> accept that this cannot be done as is.

Do you still see rpc entries in the firewall log after you enable it?


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)