Firewall problems with NFS

Amadeus W.M. amadeus84 at verizon.net
Fri Nov 16 00:28:27 UTC 2007


On Wed, 14 Nov 2007 17:02:51 -0500, Bill Davidsen wrote:

> I have a firewall problem with running an NFS server on FC6 or FC8, due
> to the GUI configuration interface not opening the firewall when I check
> the NFS protocol support. It seems to only allow use as an NFS client,
> since that worked fine when I tested it.
> 
> I can put the needed rules in the "RH-Firewall-1-INPUT" chain, but
> mixing GUI administration and manual administration is undesirable to
> prevent unexpected behavior, conflicts, etc, in the future. Is there
> really no way to open the ports for NFS server other than by hand?
> 
> --
> Bill Davidsen <davidsen at tmr.com>
>   "We have more to fear from the bungling of the incompetent than from
> the machinations of the wicked."  - from Slashdot


Here's what you do. Or rather what I did and have always been doing.

[root at phoenix ~]# cat /etc/sysconfig/nfs | grep -v "#"
RQUOTAD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
STATD_PORT=4003

(or whatever ports you want as long as they are not taken).



Open these ports in the firewall. You can do this very well from the GUI 
in System->Administration->Firewall. Just click on other ports and add

111 tcp (portmapper)
111 udp (portmapper)
4000-4003 tcp (whatever you defined in nfs)
4000-4003 udp (ditto)

Note you don't need 4000, 4002 and 4003 udp, so you can be a little more 
strict, but I didn't bother, I opened up the whole range 4000-4003 udp.


Restart firewall, restart nfs, done.

Check on the server that the rpc services are running on the prescribed 
ports, and check from a client that you can see the server exports with 
showmount. 

For instance, if my nfs server is called phoenix, and a client is called 
orion, then 

[root at orion ~]# showmount -e phoenix
Export list for phoenix:
/opt  192.168.1.0/24,192.168.0.0/24
/home 192.168.1.0/24
/data 192.168.1.0/24,192.168.0.0/24


By the way, if you have the automounter running on the client, you do not 
need to enter the nfs partitions in fstab, etc. You may know this already.
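The two verification steps above (pin the helper daemons to fixed ports, then confirm the RPC services really registered on those ports before trusting the firewall rules) can be scripted. The following is an added example, not code from the original post or from Fedora: it parses an /etc/sysconfig/nfs-style file, derives the list of port/protocol pairs the firewall has to allow, and compares that list against `rpcinfo -p` output. Both inputs here are constructed stand-ins with the same values as in the post; on a real server you would replace them with `cat /etc/sysconfig/nfs` and `rpcinfo -p`. It assumes nfsd itself sits on its fixed port 2049/tcp, which the post's list omits (the GUI's NFS option is presumed to cover it).

```shell
#!/bin/sh
# Added example (not from the original post): check that the NFS helper
# daemons registered with the portmapper on the ports pinned in
# /etc/sysconfig/nfs, and list what the firewall must allow.

# Constructed stand-in for /etc/sysconfig/nfs (values from the post).
NFS_CONF='# Fixed ports so the firewall rules can be static
RQUOTAD_PORT=4000
LOCKD_TCPPORT=4001
LOCKD_UDPPORT=4001
MOUNTD_PORT=4002
STATD_PORT=4003
'

# Constructed stand-in for `rpcinfo -p` run on the server.
RPCINFO_OUT='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp   4000  rquotad
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100024    1   udp   4003  status
    100024    1   tcp   4003  status
    100003    2   tcp   2049  nfs
'

# conf_port VAR: print the value assigned to VAR in NFS_CONF, ignoring comments.
conf_port() {
    printf '%s\n' "$NFS_CONF" | grep -v '^#' | sed -n "s/^$1=//p"
}

# required_ports: one "proto port service" line per RPC registration we
# expect. portmapper (111) and nfsd (2049, assumed) are fixed; the rest
# come from the pinned values in NFS_CONF.
required_ports() {
    printf 'tcp 111 portmapper\nudp 111 portmapper\ntcp 2049 nfs\n'
    printf 'udp %s rquotad\n' "$(conf_port RQUOTAD_PORT)"
    printf 'tcp %s nlockmgr\n' "$(conf_port LOCKD_TCPPORT)"
    printf 'udp %s nlockmgr\n' "$(conf_port LOCKD_UDPPORT)"
    printf 'tcp %s mountd\nudp %s mountd\n' \
        "$(conf_port MOUNTD_PORT)" "$(conf_port MOUNTD_PORT)"
    printf 'tcp %s status\nudp %s status\n' \
        "$(conf_port STATD_PORT)" "$(conf_port STATD_PORT)"
}

# firewall_list: the unique "port/proto" pairs to add under "Other ports".
firewall_list() {
    required_ports | awk '{print $2 "/" $1}' | sort -u
}

# check_ports: return 0 if every required registration appears in
# RPCINFO_OUT (columns: program vers proto port service); otherwise print
# each missing one to stderr and return 1. A miss means a daemon ignored
# its pinned port and the static firewall rule will not match it.
check_ports() {
    misses=$(required_ports | while read -r proto port svc; do
        printf '%s\n' "$RPCINFO_OUT" | awk -v p="$proto" -v n="$port" -v s="$svc" \
            '$3 == p && $4 == n && $5 == s { f = 1 } END { exit !f }' \
            || echo "MISSING: $svc on $proto/$port"
    done)
    [ -z "$misses" ] && return 0
    printf '%s\n' "$misses" >&2
    return 1
}

echo "Ports to open in the firewall:"
firewall_list
check_ports && echo "All NFS RPC services are on their pinned ports."
```

Run it on the server after `service nfs restart`; if any daemon reports MISSING, its port variable is not being honoured and the firewall rule for that port is useless until that is fixed.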




