Bug 130192

Summary: firewall: Insufficient ports for NFS server (needs TCP 111)
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Stanislav Brabec <sbrabec>
Component: YaST2Assignee: Ludwig Nussel <lnussel>
Status: RESOLVED FIXED QA Contact: Klaus Kämpf <kkaempf>
Severity: Normal    
Priority: P5 - None CC: locilka
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Stanislav Brabec 2005-10-23 12:01:08 UTC 
How to repeat:

1. Run NFS server
2. Start firewall and open only NFS server in YaST2 firewall.
3. Try to mount from another machine and open there only NFS client in YaST2
firewall.
Mount hangs.

Work-around:
Open TCP port 111

Additional information:
Partial strace from mount command:
...
lstat64("/etc/mtab", {st_mode=S_IFREG|0644, st_size=520, ...}) = 0
stat64("k6-3:/install", 0xbfa446ec)     = -1 ENOENT (No such file or directory)
stat64("k6-3:/install", 0xbfa44628)     = -1 ENOENT (No such file or directory)
stat64("/sbin/mount.nfs", 0xbfa44590)   = -1 ENOENT (No such file or directory)
uname({sys="Linux", node="utx", ...})   = 0
gettimeofday({1130068314, 266690}, NULL) = 0
getpid()                                = 1294
open("/etc/resolv.conf", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1317, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40027000
read(3, "### BEGIN INFO\n#\n# Modified_by: "..., 4096) = 1317
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x40027000, 4096)                = 0
time([1130068314])                      = 1130068314
stat64("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=1317, ...}) = 0
open("/etc/resolv.conf", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1317, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40027000
read(3, "### BEGIN INFO\n#\n# Modified_by: "..., 4096) = 1317
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x40027000, 4096)                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = 0
poll([{fd=3, events=POLLOUT|POLLERR|POLLHUP, revents=POLLOUT}], 1, 5000) = 1
writev(3, [{"\2\0\0\0\r\0\0\0\6\0\0\0", 12}, {"hosts\0", 6}], 2) = 18
poll([{fd=3, events=POLLIN|POLLERR|POLLHUP, revents=POLLIN}], 1, 5000) = 1
recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"hosts\0", 6}], msg_controllen=16,
{cmsg_len=16, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, {4}}, msg_flags=0},
MSG_NOSIGNAL) = 6
fstat64(4, {st_mode=S_IFREG|0600, st_size=217016, ...}) = 0
pread64(4, "\1\0\0\0h\0\0\0006\0\0\0\1\0\0\0\33b[C\0\0\0\0\323\0\0"..., 104, 0)
= 104
mmap2(NULL, 217016, PROT_READ, MAP_SHARED, 4, 0) = 0x401a2000
close(4)                                = 0
close(3)                                = 0
time(NULL)                              = 1130068314
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")},
16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(111),
sin_addr=inet_addr("192.168.0.6")}, 16 <unfinished ...>
Comment 1 Stanislav Brabec 2005-10-23 16:36:57 UTC 
Port 111 seems to be related to RPC service nfs, which is needed, at least for first mounting of volume on the device (opening 111 was not sufficient for first mount after reboot without opening nfs RPC).
Comment 2 Stanislav Brabec 2005-10-24 13:56:30 UTC 
Strange. /usr/share/YaST2/modules/SuSEFirewallServices.ycp already contains following code:

        "nfs-server" : $[
            // TRANSLATORS: Name of Service, can be used as check box, item in multiple selection box...
            "name"      : _("NFS Server"),
            "rpc_ports" : [ "portmap", "status", "nlockmgr", "mountd", "nfs", "nfs_acl" ],
        ],
Comment 3 Lukas Ocilka 2005-10-24 14:41:09 UTC 
Attaching the /etc/sysconfig/SuSEfirewall2 file and the output of `iptables -L -n` could help too.
Comment 4 Ludwig Nussel 2005-10-24 15:21:49 UTC 
use SuSEfirewall2 status instead of iptables -L as SuSEfirewall2 runs iptables on all tables (nat, mangle, filter) and also ipv6.

Anyways, your intitial description sounds like you have a problem on the client rather than on the server. If locking is enabled you need portmapper on both ends IIRC. Btw SuSEfirewall2 itself is supposed to automatically open the portmapper port if you open any rpc port.
Comment 5 Lukas Ocilka 2005-10-25 06:32:55 UTC 
sbrabec: Lidwig is right :) Could you, please try these two test?
- Client with SuSEfirewall2, Server without
- Client without SuSEfirewall, Server with firewall

Both Client's and Server's SuSEfirewalls should be configured by yast2-firewall. It's because there is also a "nfs-client" not only "nfs-server" in the yast2-firewall.

Thanks
Comment 6 Jon Nelson 2006-01-11 15:25:47 UTC 
I initially thought I was experiencing the same problem, but I'm actually experiencing 104379. I hope this comment helps someone.
Comment 7 Lukas Ocilka 2006-01-11 19:17:39 UTC 
Ludwig, you had better close this bug for the `lack of evidence' reason :)))
Sbrabec doesn't seem to respond...
Comment 8 Stanislav Brabec 2006-04-06 11:38:41 UTC 
It seems, that in 10.1 it works in all three situations:

- Server with firewall.
- Client with firewall.
- Both with firewall.

The only problem I see is:
- Run firewall manually from YaST.
- Go to YaST NFS client setup.
It shows, that firewall is off and does not offer opening NFS server port.
Comment 9 Stanislav Brabec 2006-04-06 12:02:10 UTC 
If firewall is permanently turned on, the checkbox works correctly.

According to Lukáš Ocílka, manual firewall start is not supported here, so I assume it is fixed.