When I disable firewalld I can connect to my NFS shares, but with the rules added to both the public zone and --direct (from what I understand, --direct should bypass the zones) and the ports open, I am unable to get past the firewall to mount the NFS shares from my new server.
Code:
[root@jackknife ~]# firewall-cmd --direct --get-all-rules
[root@jackknife ~]# rpcinfo -p | awk '{print $3 " " $4 " " $5}' | sort -k 2 | uniq -f 1
tcp 111 portmapper
tcp 20048 mountd
tcp 2049 nfs
tcp 2049 nfs_acl
udp 32769 nlockmgr
tcp 32803 nlockmgr
udp 49302 status
tcp 58114 status
tcp 875 rquotad
proto port service
[root@jackknife ~]# systemctl stop firewalld
and somehow my direct rules are now gone. I added them as follows:
Code:
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 111 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 32803 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 892 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 875 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 662 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 662 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 875 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 892 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 32769 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 111 -j ACCEPT
I also added to my public zone as follows:
Code:
firewall-cmd --zone=public --add-port=111/udp --permanent
firewall-cmd --zone=public --add-port=32769/udp --permanent
firewall-cmd --zone=public --add-port=32803/tcp --permanent
firewall-cmd --zone=public --add-port=892/tcp --permanent
firewall-cmd --zone=public --add-port=875/tcp --permanent
firewall-cmd --zone=public --add-port=662/tcp --permanent
firewall-cmd --zone=public --add-port=662/udp --permanent
firewall-cmd --zone=public --add-port=875/udp --permanent
firewall-cmd --zone=public --add-port=892/udp --permanent
firewall-cmd --zone=public --add-port=111/tcp --permanent
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 2049 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 2049 -j ACCEPT
Yes, those are taken directly from the history command.
firewalld is not nearly as user friendly as the older iptables, where you just edited a simple text file. I wish there was a simple text file to edit for firewalld; it would make adding, removing and modifying rules much simpler in the long run. Yes, firewall-cmd is great for one-offs, but sorry, I know of very few services that are one-offs.
Help is greatly appreciated, as I'd really rather not run my server without a firewall.
Edit to add: I just tried adding the rules as follows, to no avail:
Code:
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=111/tcp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=111/udp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=2049/udp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=2049/tcp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=32803/tcp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=32769/udp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=892/tcp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=892/udp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=875/udp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=875/tcp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=662/tcp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=662/udp
success
[root@jackknife ~]# firewall-cmd --reload
success
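Added example, not part of the original post: a small POSIX shell check that takes the "proto port service" listing the post builds from `rpcinfo -p` and the port list a firewalld zone actually has open, and prints every RPC listener the zone does not cover. The two sample inputs are constructed from the listings in the post; the function name `uncovered_ports` and the variable names are my own, and the assumption is that the zone's open ports are given in the `port/proto` form that `firewall-cmd --zone=public --list-ports` prints.

```shell
#!/bin/sh
# Added example, not from the original post: report NFS-related RPC
# listeners that a firewalld zone does not cover. Both inputs below are
# constructed samples taken from the listings in the post.

# "proto port service" lines, the shape produced by
#   rpcinfo -p | awk '{print $3 " " $4 " " $5}'
# The header line is kept on purpose to show that it is skipped.
SAMPLE_RPCINFO='proto port service
tcp 111 portmapper
tcp 20048 mountd
tcp 2049 nfs
tcp 2049 nfs_acl
udp 32769 nlockmgr
tcp 32803 nlockmgr
udp 49302 status
tcp 58114 status
tcp 875 rquotad'

# Space separated port/proto entries in the shape printed by
#   firewall-cmd --zone=public --list-ports
# (the ports the post adds to the public zone)
SAMPLE_ZONE_PORTS='111/tcp 111/udp 2049/udp 2049/tcp 32803/tcp 32769/udp 892/tcp 892/udp 875/udp 875/tcp 662/tcp 662/udp'

# uncovered_ports "ZONE_PORTS" < rpc-listing
# Reads "proto port service" lines on stdin and prints "port/proto service"
# for each listener that has no matching entry in ZONE_PORTS. Lines whose
# first field is neither tcp nor udp (the header) are ignored. Output is
# sorted and de-duplicated so repeated program entries appear once.
uncovered_ports() {
    _open=" $1 "
    while read -r _proto _port _service; do
        case "$_proto" in
            tcp|udp) ;;
            *) continue ;;
        esac
        case "$_open" in
            *" $_port/$_proto "*) ;;   # covered by the zone
            *) printf '%s/%s %s\n' "$_port" "$_proto" "$_service" ;;
        esac
    done | sort -u
}

# Stand-alone run against the constructed samples: prints the listeners
# (mountd on 20048/tcp, statd on 49302/udp and 58114/tcp) that none of
# the post's port rules reach.
printf '%s\n' "$SAMPLE_RPCINFO" | uncovered_ports "$SAMPLE_ZONE_PORTS"
```

On a live host the same function runs as `rpcinfo -p | awk '{print $3 " " $4 " " $5}' | uncovered_ports "$(firewall-cmd --zone=public --list-ports)"`. Against the post's own numbers it reports mountd on 20048/tcp and statd on 49302/udp and 58114/tcp: the rules open 892, 662 and 875, which are the ports those daemons use only once they are pinned (on a RHEL/CentOS 7 style system, an assumption since the post does not name the distribution, via MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT and RQUOTAD_PORT in /etc/sysconfig/nfs), otherwise rpcbind hands them a new random port at every restart. Two further caveats that the post's output shows: `firewall-cmd --direct --add-rule` without `--permanent` is runtime only and is discarded by `--reload` or a restart, which is why `--direct --get-all-rules` came back empty, and a `--permanent` zone change does nothing until `--reload`. Note also that the check only looks at zone ports, so direct rules must be inspected separately with `--direct --get-all-rules`.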