Old 08-23-2014, 05:26 PM   #1
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora/Pop!_OS
Posts: 2,983

NFS firewall issues with CentOS v7


When I disable firewalld I can connect to my NFS shares, but with the rules added to both the public zone and --direct (from what I understand, --direct should bypass the zones) with the ports open, I am unable to get past the firewall to mount the NFS shares from my new server.

Code:
[root@jackknife ~]# firewall-cmd --direct --get-all-rules
[root@jackknife ~]# rpcinfo -p | awk '{print $3 " " $4 " " $5}' | sort -k 2 | uniq -f 1
tcp 111 portmapper
tcp 20048 mountd
tcp 2049 nfs
tcp 2049 nfs_acl
udp 32769 nlockmgr
tcp 32803 nlockmgr
udp 49302 status
tcp 58114 status
tcp 875 rquotad
proto port service
[root@jackknife ~]# systemctl stop firewalld
And somehow now my rules for --direct are gone. I added them as follows:

Code:
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 111 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 32803 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 892 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 875 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 662 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 662 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 875 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 892 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 32769 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 111 -j ACCEPT
I also added to my public zone as follows:

Code:
firewall-cmd --zone=public --add-port=111/udp --permanent
firewall-cmd --zone=public --add-port=32769/udp --permanent
firewall-cmd --zone=public --add-port=32803/tcp --permanent
firewall-cmd --zone=public --add-port=892/tcp --permanent
firewall-cmd --zone=public --add-port=875/tcp --permanent
firewall-cmd --zone=public --add-port=662/tcp --permanent
firewall-cmd --zone=public --add-port=662/udp --permanent
firewall-cmd --zone=public --add-port=875/udp --permanent
firewall-cmd --zone=public --add-port=892/udp --permanent
firewall-cmd --zone=public --add-port=111/tcp --permanent
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 2049 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 2049 -j ACCEPT
Yes, those are direct from the history command.

firewalld is not nearly as user friendly as the older iptables, where you just edit a simple text file. I wish there was a simple text file to edit for firewalld; it would make adding, removing and modifying rules much simpler in the long run. Yes, firewall-cmd is great for one-offs, but sorry, I know of very few services that are one-offs.

Help is greatly appreciated, as I'd really rather not run my server without a firewall.

Edit to add: I just tried adding the rules as follows, to no avail:

Code:
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=111/tcp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=111/udp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=2049/udp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=2049/tcp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=32803/tcp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=32769/udp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=892/tcp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=892/udp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=875/udp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=875/tcp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=662/tcp
success
[root@jackknife ~]# firewall-cmd --permanent --zone=public --add-port=662/udp
success
[root@jackknife ~]# firewall-cmd --reload
success

Last edited by lleb; 08-23-2014 at 06:02 PM.
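A check worth running before touching the firewall is to compare what rpcbind actually registers against what the rules open. The rpcinfo listing in the post shows mountd on 20048/tcp and status on 49302/udp and 58114/tcp, while the rules open 892 and 662 for those services, so the permanent rules as written do not cover the ports the daemons are using. The script below is an added example, not code from the thread or from the firewalld project: it parses an `rpcinfo -p` listing (a constructed sample modelled on the post's output; on a real host feed it `rpcinfo -p` instead), lists the registered port/proto pairs that a given set of opened ports does not cover, and prints the matching permanent public-zone rules. The `OPENED_PORTS` list is transcribed from the post's rules. The statd and lockd ports above 1024 are allocated at service start unless pinned (on CentOS 7 via the port settings in /etc/sysconfig/nfs), so the comparison is only valid for the current boot unless those ports are fixed.

```shell
#!/bin/sh
# Added example (not part of the original thread): compare the ports NFS
# services register with rpcbind against the ports opened in firewalld, and
# emit the permanent rules that are still missing.

# Constructed sample of `rpcinfo -p` output, modelled on the listing in the post.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100021    1   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100024    1   udp  49302  status
    100024    1   tcp  58114  status
    100011    1   tcp    875  rquotad'

# Constructed list of port/proto pairs the post's firewall-cmd rules open.
OPENED_PORTS='111/tcp 111/udp 2049/tcp 2049/udp 32803/tcp 32769/udp
892/tcp 892/udp 875/tcp 875/udp 662/tcp 662/udp'

# nfs_ports: read an `rpcinfo -p` listing on stdin and print the unique
# port/proto pairs, one per line, sorted by port then protocol. The header
# line is dropped because its port column is not numeric.
nfs_ports() {
    awk '$4 ~ /^[0-9]+$/ { print $4 "/" $3 }' | sort -t/ -k1,1n -k2,2 -u
}

# unopened: read port/proto pairs on stdin and print those absent from the
# whitespace-separated list given as $1. The list is passed through the
# environment so that embedded newlines reach awk unchanged.
unopened() {
    OPENED="$1" awk '
        BEGIN { n = split(ENVIRON["OPENED"], a); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        !($0 in seen)'
}

# firewalld_rules: turn port/proto pairs on stdin into permanent rules for the
# zone given as $1 (default public), followed by the reload that activates
# them. Permanent rules survive `firewall-cmd --reload`; runtime-only
# additions (including `--direct --add-rule` without --permanent) do not.
firewalld_rules() {
    zone="${1:-public}"
    while IFS= read -r pair; do
        printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$zone" "$pair"
    done
    printf 'firewall-cmd --reload\n'
}

# Usage: print the rules still needed for the sample listing.
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_ports | unopened "$OPENED_PORTS" | firewalld_rules public
```

For the sample listing the pipeline reports 20048/tcp, 20048/udp, 49302/udp and 58114/tcp as uncovered, which matches the gap between the post's rpcinfo output and its rules. Ports that are only open because a service registered them at this boot should be pinned before their numbers are written into permanent rules.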
 
Old 08-25-2014, 03:14 PM   #2
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora/Pop!_OS
Posts: 2,983

Original Poster
Anyone have a simple howto for firewalld that might help me learn how to solve this issue?