Bug 130192 - firewall: Insufficient ports for NFS server (needs TCP 111)
Status: RESOLVED FIXED
Alias: None
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: YaST2
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Ludwig Nussel
QA Contact: Klaus Kämpf
Reported: 2005-10-23 12:01 UTC by Stanislav Brabec
Modified: 2006-04-06 12:02 UTC
Found By: Other
Description Stanislav Brabec 2005-10-23 12:01:08 UTC
How to repeat:

1. Run NFS server
2. Start firewall and open only NFS server in YaST2 firewall.
3. Try to mount from another machine and open there only NFS client in YaST2
firewall.
Mount hangs.

Work-around:
Open TCP port 111

Additional information:
Partial strace from mount command:
...
lstat64("/etc/mtab", {st_mode=S_IFREG|0644, st_size=520, ...}) = 0
stat64("k6-3:/install", 0xbfa446ec)     = -1 ENOENT (No such file or directory)
stat64("k6-3:/install", 0xbfa44628)     = -1 ENOENT (No such file or directory)
stat64("/sbin/mount.nfs", 0xbfa44590)   = -1 ENOENT (No such file or directory)
uname({sys="Linux", node="utx", ...})   = 0
gettimeofday({1130068314, 266690}, NULL) = 0
getpid()                                = 1294
open("/etc/resolv.conf", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1317, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40027000
read(3, "### BEGIN INFO\n#\n# Modified_by: "..., 4096) = 1317
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x40027000, 4096)                = 0
time([1130068314])                      = 1130068314
stat64("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=1317, ...}) = 0
open("/etc/resolv.conf", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1317, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40027000
read(3, "### BEGIN INFO\n#\n# Modified_by: "..., 4096) = 1317
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x40027000, 4096)                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = 0
poll([{fd=3, events=POLLOUT|POLLERR|POLLHUP, revents=POLLOUT}], 1, 5000) = 1
writev(3, [{"\2\0\0\0\r\0\0\0\6\0\0\0", 12}, {"hosts\0", 6}], 2) = 18
poll([{fd=3, events=POLLIN|POLLERR|POLLHUP, revents=POLLIN}], 1, 5000) = 1
recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"hosts\0", 6}], msg_controllen=16,
{cmsg_len=16, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS, {4}}, msg_flags=0},
MSG_NOSIGNAL) = 6
fstat64(4, {st_mode=S_IFREG|0600, st_size=217016, ...}) = 0
pread64(4, "\1\0\0\0h\0\0\0006\0\0\0\1\0\0\0\33b[C\0\0\0\0\323\0\0"..., 104, 0)
= 104
mmap2(NULL, 217016, PROT_READ, MAP_SHARED, 4, 0) = 0x401a2000
close(4)                                = 0
close(3)                                = 0
time(NULL)                              = 1130068314
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")},
16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(111),
sin_addr=inet_addr("192.168.0.6")}, 16 <unfinished ...>
Comment 1 Stanislav Brabec 2005-10-23 16:36:57 UTC
Port 111 seems to be related to RPC service nfs, which is needed, at least for first mounting of volume on the device (opening 111 was not sufficient for first mount after reboot without opening nfs RPC).
Comment 2 Stanislav Brabec 2005-10-24 13:56:30 UTC
Strange. /usr/share/YaST2/modules/SuSEFirewallServices.ycp already contains the following code:

        "nfs-server" : $[
            // TRANSLATORS: Name of Service, can be used as check box, item in multiple selection box...
            "name"      : _("NFS Server"),
            "rpc_ports" : [ "portmap", "status", "nlockmgr", "mountd", "nfs", "nfs_acl" ],
        ],
Comment 3 Lukas Ocilka 2005-10-24 14:41:09 UTC
Attaching the /etc/sysconfig/SuSEfirewall2 file and the output of `iptables -L -n` could help too.
Comment 4 Ludwig Nussel 2005-10-24 15:21:49 UTC
Use SuSEfirewall2 status instead of iptables -L, as SuSEfirewall2 runs iptables on all tables (nat, mangle, filter) and also ipv6.

Anyways, your initial description sounds like you have a problem on the client rather than on the server. If locking is enabled you need portmapper on both ends IIRC. Btw SuSEfirewall2 itself is supposed to automatically open the portmapper port if you open any rpc port.
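The rpc_ports list from comment 2 and the portmapper behaviour described in comment 4, worked through as an added example that is not part of the bug report and is not code from YaST or SuSEfirewall2: it resolves the RPC service names against `rpcinfo -p` output into the proto/port pairs a packet filter has to accept. The `rpcinfo` sample is constructed, `parse_rpcinfo` and `required_ports` are hypothetical helper names, and the `portmap` to `portmapper` mapping follows the alias listed in /etc/rpc.

```python
# Added example. Constructed sample of `rpcinfo -p` output from an NFS server;
# the ports of status, nlockmgr and mountd are dynamic and will differ.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100021    3   udp  32769  nlockmgr
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100005    3   udp    891  mountd
"""

# The rpc_ports list of "nfs-server" as quoted in comment 2.
NFS_SERVER_RPC_PORTS = ["portmap", "status", "nlockmgr", "mountd", "nfs", "nfs_acl"]
ALIASES = {"portmap": "portmapper"}  # /etc/rpc lists portmap as an alias
PORTMAPPER = {("tcp", 111), ("udp", 111)}

def parse_rpcinfo(text):
    """Map each registered service name to its set of (proto, port) pairs."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue  # header line or anything malformed
        _prog, _vers, proto, port, service = fields
        table.setdefault(service, set()).add((proto, int(port)))
    return table

def required_ports(rpc_names, rpcinfo_text):
    """Return (sorted ports to accept, names with no registration)."""
    table = parse_rpcinfo(rpcinfo_text)
    needed, missing = set(), []
    for name in rpc_names:
        entries = table.get(ALIASES.get(name, name))
        if entries:
            needed |= entries
        else:
            missing.append(name)
    if rpc_names:
        needed |= PORTMAPPER  # any RPC service implies the portmapper port
    return sorted(needed), missing

if __name__ == "__main__":
    print(required_ports(NFS_SERVER_RPC_PORTS, SAMPLE_RPCINFO))
```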
Comment 5 Lukas Ocilka 2005-10-25 06:32:55 UTC
sbrabec: Ludwig is right :) Could you please try these two tests?
- Client with SuSEfirewall2, Server without
- Client without SuSEfirewall, Server with firewall

Both Client's and Server's SuSEfirewalls should be configured by yast2-firewall. It's because there is also a "nfs-client" not only "nfs-server" in the yast2-firewall.

Thanks
Comment 6 Jon Nelson 2006-01-11 15:25:47 UTC
I initially thought I was experiencing the same problem, but I'm actually experiencing 104379. I hope this comment helps someone.
Comment 7 Lukas Ocilka 2006-01-11 19:17:39 UTC
Ludwig, you had better close this bug for the `lack of evidence' reason :)))
Sbrabec doesn't seem to respond...
Comment 8 Stanislav Brabec 2006-04-06 11:38:41 UTC
It seems that in 10.1 it works in all three situations:

- Server with firewall.
- Client with firewall.
- Both with firewall.

The only problem I see is:
- Run firewall manually from YaST.
- Go to YaST NFS client setup.
It shows that the firewall is off and does not offer opening the NFS server port.
Comment 9 Stanislav Brabec 2006-04-06 12:02:10 UTC
If the firewall is permanently turned on, the checkbox works correctly.

According to Lukáš Ocílka, manual firewall start is not supported here, so I assume it is fixed.