NFS cannot mount AIX export on CentOS
Dear community,
I need help.
I'm unable to mount an NFS share exported from AIX 5.3 on a CentOS 5.8 client, due to firewall restrictions.
The problem seems to be a firewall that does not allow "low" port numbers (< 1024).
The NFS share can be mounted on other machines in the same network segment, no problems there.
The AIX machine (exporting side) has IP address 192.168.5.71, the other side is CentOS 5.8 (client) with IP address 10.101.28.49. I've captured packets on both sides using "tcpdump -nn host <hostname of the other end>" while trying to mount the NFS export.
tcpdump on 192.168.5.71:
0:01:40.650752 IP 192.168.5.71.65332 > 10.101.28.49.60468: udp 24
10:01:40.658020 IP 10.101.28.49.976 > 192.168.5.71.65332: udp 128
10:01:40.673618 IP 192.168.5.71.65332 > 10.101.28.49.976: udp 88
no more packets seen after this
tcpdump on 10.101.28.49:
10:01:46.261408 IP 192.168.5.71.65332 > 10.101.28.49.60468: UDP, length 24
10:01:46.261555 IP 10.101.28.49.976 > 192.168.5.71.65332: UDP, length 128
10:01:46.284283 IP 192.168.5.71.65332 > 10.101.28.49.976: UDP, length 88
10:01:46.289282 IP 10.101.28.49.3 > 192.168.5.71.2049: 0 null
10:01:49.289047 IP 10.101.28.49.3 > 192.168.5.71.2049: 0 null
10:01:55.289285 IP 10.101.28.49.3 > 192.168.5.71.2049: 0 null
10:02:07.288761 IP 10.101.28.49.3 > 192.168.5.71.2049: 0 null
10:02:31.288694 IP 10.101.28.49.3 > 192.168.5.71.2049: 0 null
10:03:19.288574 IP 10.101.28.49.3 > 192.168.5.71.2049: 0 null
The mount command times out with "Input/Output error" after about 2 minutes.
It can be seen that during the first 3 packets, the machines are talking to each other.
Then, when the client 10.101.28.49 is asking for the mount (last 6 packets), these packets are not seen on 192.168.5.71.
On the CentOS side, I would like to force the port numbers for finalizing the connection to be >= 1024, but I'm not sure where this is done.
Does the server tell the client which ports to use (through portmapper or so), or is there some config file on CentOS where this can be set up?
Any suggestion is welcome. Let me know if you need more details.
Please forgive my ignorance. Within one network segment NFS just always worked.
Now that I have to hop to other networks and firewalls, I'm at a loss.
Thanks in advance :-)
Willy
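
The comparison of the two captures described in the post, as an added example that is not part of the original post: it parses `tcpdump -nn` lines from both ends and lists the flows one side sent that the other side never captured, noting whether the source port is below 1024. The function names are hypothetical; the capture lines are taken from the post.

```python
import re

# Matches the "IP src.port > dst.port:" part of a "tcpdump -nn" line.
FLOW_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def flows(capture):
    """Return the set of (src, sport, dst, dport) tuples seen in a capture."""
    found = set()
    for line in capture.splitlines():
        m = FLOW_RE.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            found.add((src, int(sport), dst, int(dport)))
    return found

def missing_at_peer(sender_capture, receiver_capture, sender_ip):
    """Flows the sender emitted that never show up in the receiver's capture."""
    sent = {f for f in flows(sender_capture) if f[0] == sender_ip}
    lost = sent - flows(receiver_capture)
    # Tag each lost flow with whether its source port is privileged (< 1024).
    return sorted((f, f[1] < 1024) for f in lost)

# Capture lines copied from the post above (repeated retransmissions trimmed).
SERVER_SIDE = """\
0:01:40.650752 IP 192.168.5.71.65332 > 10.101.28.49.60468: udp 24
10:01:40.658020 IP 10.101.28.49.976 > 192.168.5.71.65332: udp 128
10:01:40.673618 IP 192.168.5.71.65332 > 10.101.28.49.976: udp 88
"""
CLIENT_SIDE = """\
10:01:46.261408 IP 192.168.5.71.65332 > 10.101.28.49.60468: UDP, length 24
10:01:46.261555 IP 10.101.28.49.976 > 192.168.5.71.65332: UDP, length 128
10:01:46.284283 IP 192.168.5.71.65332 > 10.101.28.49.976: UDP, length 88
10:01:46.289282 IP 10.101.28.49.3 > 192.168.5.71.2049: 0 null
10:01:49.289047 IP 10.101.28.49.3 > 192.168.5.71.2049: 0 null
"""

if __name__ == "__main__":
    for flow, privileged in missing_at_peer(CLIENT_SIDE, SERVER_SIDE, "10.101.28.49"):
        src, sport, dst, dport = flow
        print(f"{src}:{sport} -> {dst}:{dport} not seen at peer "
              f"(source port < 1024: {privileged})")
```

On these captures the only flow missing at the server is 10.101.28.49.3 > 192.168.5.71.2049; the datagram from source port 976 appears in both captures.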