NFS & static ports - driving me crazy...

NFS & static ports - driving me crazy...

tanstaafl-2
Ok, my google-fu has failed me...

I've found a few sites that describe how to set static ports for NFS
mounting remote shares (I use iptables for both inbound AND outbound,
and it is the outbound I'm having trouble with).

This is for NFS CLIENT... I'm mounting NFS shares from my remote QNAP
NAS boxes.

I've tried specifying the ports in /etc/conf.d/nfs, and
/etc/sysctl.conf, but I must be missing something, because every time I
reboot, some other port comes up being blocked when I try to mount the
shares...

Anyone? The references I've found are older, so maybe there is something
new I'm missing?

Thx...

Re: NFS & static ports - driving me crazy...

Joerg Schilling-3
Tanstaafl <[hidden email]> wrote:

> Ok, my google-fu has failed me...
>
> I've found a few sites that describe how to set static ports for NFS
> mounting remote shares (I use iptables for both inbound AND outbound,
> and it is the outbound I'm having trouble with).

Why don't you just use NFSv4?
NFSv4 was designed to interact well with firewalls.

Jörg

--
 EMail:[hidden email] (home) Jörg Schilling D-13353 Berlin
       [hidden email]                (uni)  
       [hidden email] (work) Blog: http://schily.blogspot.com/
 URL:  http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily

Re: NFS & static ports - driving me crazy...

tanstaafl-2
On 2013-12-30 3:27 PM, Joerg Schilling
<[hidden email]> wrote:

> Tanstaafl <[hidden email]> wrote:
>
>> Ok, my google-fu has failed me...
>>
>> I've found a few sites that describe how to set static ports for NFS
>> mounting remote shares (I use iptables for both inbound AND outbound,
>> and it is the outbound I'm having trouble with).
>
> Why don't you just use NFSv4?
> NFSv4 was designed to interact well with firewalls.

I'm pretty sure these QNAP boxes don't support nfsv4

Re: NFS & static ports - driving me crazy...

Bruce Hill, Jr.
In reply to this post by Joerg Schilling-3
On Mon, Dec 30, 2013 at 09:27:19PM +0100, Joerg Schilling wrote:

> Tanstaafl <[hidden email]> wrote:
>
> > Ok, my google-fu has failed me...
> >
> > I've found a few sites that describe how to set static ports for NFS
> > mounting remote shares (I use iptables for both inbound AND outbound,
> > and it is the outbound I'm having trouble with).
>
> Why don't you just use NFSv4?
> NFSv4 was designed to interact well with firewalls.
>
> Jörg

It just so happens that I'm setting up NFS atm using this guide:
https://wiki.gentoo.org/wiki/NFSv4

Let us know if the info there helps.
--
List replies preferred.

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Don't top-post: http://en.wikipedia.org/wiki/Top_post#Top-posting

Re: NFS & static ports - driving me crazy...

Joerg Schilling-3
Bruce Hill <[hidden email]> wrote:

> > Why don't you just use NFSv4?
> > NFSv4 was designed to interact well with firewalls.
> >
> > Jörg
>
> It just so happens that I'm setting up NFS atm using this guide:
> https://wiki.gentoo.org/wiki/NFSv4

This info unfortunately misses the port number: 2049

Jörg

--
 EMail:[hidden email] (home) Jörg Schilling D-13353 Berlin
       [hidden email]                (uni)  
       [hidden email] (work) Blog: http://schily.blogspot.com/
 URL:  http://cdrecord.berlios.de/private/ ftp://ftp.berlios.de/pub/schily

Re: NFS & static ports - driving me crazy...

Bruce Hill, Jr.
On Mon, Dec 30, 2013 at 10:04:29PM +0100, Joerg Schilling wrote:
> Bruce Hill <[hidden email]> wrote:
> >
> > It just so happens that I'm setting up NFS atm using this guide:
> > https://wiki.gentoo.org/wiki/NFSv4
>
> This info unfortunately misses the port number: 2049

What do you mean by "misses the port number: 2049"? It's covered in the
Troubleshooting section, as well as in "man nfs".
--
List replies preferred.

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Don't top-post: http://en.wikipedia.org/wiki/Top_post#Top-posting

Re: NFS & static ports - driving me crazy...

Pavel Volkov
In reply to this post by tanstaafl-2
On Monday 30 December 2013 15:25:02 Tanstaafl wrote:

> Ok, my google-fu has failed me...
>
> I've found a few sites that describe how to set static ports for NFS
> mounting remote shares (I use iptables for both inbound AND outbound,
> and it is the outbound I'm having trouble with).
>
> This is for NFS CLIENT... I'm mounting NFS shares from my remote QNAP
> NAS boxes.
>
> I've tried specifying the ports in /etc/conf.d/nfs, and
> /etc/sysctl.conf, but I must be missing something, because every time I
> reboot, some other port comes up being blocked when I try to mount the
> shares...
>
> Anyone? The references I've found are older, so maybe there is something
> new I'm missing?

Maybe it's the lockd port:

$ cat /etc/modprobe.d/lockd.conf
options lockd nlm_udpport=13003 nlm_tcpport=13003

Re: NFS & static ports - driving me crazy...

tanstaafl-2
On 2013-12-30 6:21 PM, Pavel Volkov <[hidden email]> wrote:

>> I've tried specifying the ports in /etc/conf.d/nfs, and
>> /etc/sysctl.conf, but I must be missing something, because every time I
>> reboot, some other port comes up being blocked when I try to mount the
>> shares...
>>
>> Anyone? The references I've found are older, so maybe there is something
>> new I'm missing?
>
> Maybe it's the lockd port:
>
> $ cat /etc/modprobe.d/lockd.conf
> options lockd nlm_udpport=13003 nlm_tcpport=13003

According to the comment at the top of /etc/conf.d/nfs, the lockd ports
are set at /etc/sysctl.conf, which I now have as:

# You should compile nfsd into the kernel or add it
# to modules.autoload for this to work properly
# TCP Port for lock manager
fs.nfs.nlm_tcpport = 4001
# UDP Port for lock manager
fs.nfs.nlm_udpport = 4001

One other question...

What service(s) do I need to restart after making a change to test (so I
don't have to reboot every time)?

Re: NFS & static ports - driving me crazy...

tanstaafl-2
In reply to this post by tanstaafl-2
On 2013-12-30 3:25 PM, Tanstaafl <[hidden email]> wrote:

> This is for NFS CLIENT... I'm mounting NFS shares from my remote QNAP
> NAS boxes.
>
> I've tried specifying the ports in /etc/conf.d/nfs, and
> /etc/sysctl.conf, but I must be missing something, because every time I
> reboot, some other port comes up being blocked when I try to mount the
> shares...
>
> Anyone? The references I've found are older, so maybe there is something
> new I'm missing?

Ok, to recap...

I've made the following changes to the following config files:

/etc/conf.d/nfs

OPTS_RPC_MOUNTD="-p 32767"
OPTS_RPC_STATD="-p 32765 -o 32766"

I've also changed the lockd ports

/etc/sysctl.conf

# You should compile nfsd into the kernel or add it
# to modules.autoload for this to work properly
# TCP Port for lock manager
fs.nfs.nlm_tcpport = 4001
# UDP Port for lock manager
fs.nfs.nlm_udpport = 4001

But when I try to mount the remote filesystem, I see the outbound
request being blocked by the firewall.

If I open up the port in the firewall, it mounts immediately.

But after a reboot, the next time I try mounting it, some other random
port shows up in the firewall logs...

This can't be all that difficult... I must be missing something obvious.

Re: NFS & static ports - driving me crazy...

tanstaafl-2
On 2013-12-31 7:30 AM, Tanstaafl <[hidden email]> wrote:

> I've made the following changes to the following config files:
>
> /etc/conf.d/nfs
>
> OPTS_RPC_MOUNTD="-p 32767"
> OPTS_RPC_STATD="-p 32765 -o 32766"
>
> I've also changed the lockd ports
>
> /etc/sysctl.conf
>
> # You should compile nfsd into the kernel or add it
> # to modules.autoload for this to work properly
> # TCP Port for lock manager
> fs.nfs.nlm_tcpport = 4001
> # UDP Port for lock manager
> fs.nfs.nlm_udpport = 4001
>
> But when I try to mount the remote filesystem, I see the outbound
> request being blocked by the firewall.
>
> If I open up the port in the firewall, it mounts immediately.
>
> But after a reboot, the next time I try mounting it, some other random
> port shows up in the firewall logs...
>
> This can't be all that difficult... I must be missing something obvious.

  # rpcinfo -p
    program vers proto   port  service
     100000    4   tcp    111  portmapper
     100000    3   tcp    111  portmapper
     100000    2   tcp    111  portmapper
     100000    4   udp    111  portmapper
     100000    3   udp    111  portmapper
     100000    2   udp    111  portmapper
     100024    1   udp  32765  status
     100024    1   tcp  32765  status

Again, this system is NOT running an NFS SERVER, I am only trying to use
the nfs CLIENT to mount a remote NFS share - so, is the above what I
should expect to see? something tells me no...

Shouldn't the lockd ports be showing up too?

Re: NFS & static ports - driving me crazy...

tanstaafl-2
No one?

Another reboot, and had to open up OUTGOING port 57212 this time.

Why are the static ports I'm assigning not being used?

On 2013-12-31 8:11 AM, Tanstaafl <[hidden email]> wrote:

> On 2013-12-31 7:30 AM, Tanstaafl <[hidden email]> wrote:
>> I've made the following changes to the following config files:
>>
>> /etc/conf.d/nfs
>>
>> OPTS_RPC_MOUNTD="-p 32767"
>> OPTS_RPC_STATD="-p 32765 -o 32766"
>>
>> I've also changed the lockd ports
>>
>> /etc/sysctl.conf
>>
>> # You should compile nfsd into the kernel or add it
>> # to modules.autoload for this to work properly
>> # TCP Port for lock manager
>> fs.nfs.nlm_tcpport = 4001
>> # UDP Port for lock manager
>> fs.nfs.nlm_udpport = 4001
>>
>> But when I try to mount the remote filesystem, I see the outbound
>> request being blocked by the firewall.
>>
>> If I open up the port in the firewall, it mounts immediately.
>>
>> But after a reboot, the next time I try mounting it, some other random
>> port shows up in the firewall logs...
>>
>> This can't be all that difficult... I must be missing something obvious.
>
>   # rpcinfo -p
>     program vers proto   port  service
>      100000    4   tcp    111  portmapper
>      100000    3   tcp    111  portmapper
>      100000    2   tcp    111  portmapper
>      100000    4   udp    111  portmapper
>      100000    3   udp    111  portmapper
>      100000    2   udp    111  portmapper
>      100024    1   udp  32765  status
>      100024    1   tcp  32765  status
>
> Again, this system is NOT running an NFS SERVER, I am only trying to use
> the nfs CLIENT to mount a remote NFS share - so, is the above what I
> should expect to see? something tells me no...
>
> Shouldn't the lockd ports be showing up too?
>


Re: NFS & static ports - driving me crazy...

William Kenworthy
Try this:

# /etc/conf.d/nfs

# If you wish to set the port numbers for lockd,
# please see /etc/sysctl.conf

# Optional services to include in default `/etc/init.d/nfs start`
# For NFSv4 users, you'll want to add "rpc.idmapd" here.
NFS_NEEDED_SERVICES="rpc.idmapd"

# Number of servers to be started up by default
OPTS_RPC_NFSD="8"

# Options to pass to rpc.mountd
# ex. OPTS_RPC_MOUNTD="-p 32767"
OPTS_RPC_MOUNTD="-p 4000"

# Options to pass to rpc.statd
# ex. OPTS_RPC_STATD="-p 32765 -o 32766"
OPTS_RPC_STATD="-p4001 -o4002" #-p 4000"

# Options to pass to rpc.idmapd
OPTS_RPC_IDMAPD=""

# Options to pass to rpc.gssd
OPTS_RPC_GSSD=""

# Options to pass to rpc.svcgssd
OPTS_RPC_SVCGSSD=""

# Options to pass to rpc.rquotad (requires sys-fs/quota)
OPTS_RPC_RQUOTAD=""

# Timeout (in seconds) for exportfs
EXPORTFS_TIMEOUT=30


in /etc/sysctl.conf:
...
# TCP Port for lock manager
fs.nfs.nlm_tcpport = 4003
# UDP Port for lock manager
fs.nfs.nlm_udpport = 4003



asterisk ~ # rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4001  status
    100024    1   tcp   4001  status
    100005    1   udp   4000  mountd
    100005    1   tcp   4000  mountd
    100005    2   udp   4000  mountd
    100005    2   tcp   4000  mountd
    100005    3   udp   4000  mountd
    100005    3   tcp   4000  mountd
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   4003  nlockmgr
    100021    3   udp   4003  nlockmgr
    100021    4   udp   4003  nlockmgr
    100021    1   tcp   4003  nlockmgr
    100021    3   tcp   4003  nlockmgr
    100021    4   tcp   4003  nlockmgr
asterisk ~ #


BillK




On 02/01/14 19:23, Tanstaafl wrote:

> No one?
>
> Another reboot, and had to open up OUTGOING port 57212 this time.
>
> Why are the static ports I'm assigning not being used?
>
> On 2013-12-31 8:11 AM, Tanstaafl <[hidden email]> wrote:
>> On 2013-12-31 7:30 AM, Tanstaafl <[hidden email]> wrote:
>>> I've made the following changes to the following config files:
>>>
>>> /etc/conf.d/nfs
>>>
>>> OPTS_RPC_MOUNTD="-p 32767"
>>> OPTS_RPC_STATD="-p 32765 -o 32766"
>>>
>>> I've also changed the lockd ports
>>>
>>> /etc/sysctl.conf
>>>
>>> # You should compile nfsd into the kernel or add it
>>> # to modules.autoload for this to work properly
>>> # TCP Port for lock manager
>>> fs.nfs.nlm_tcpport = 4001
>>> # UDP Port for lock manager
>>> fs.nfs.nlm_udpport = 4001
>>>
>>> But when I try to mount the remote filesystem, I see the outbound
>>> request being blocked by the firewall.
>>>
>>> If I open up the port in the firewall, it mounts immediately.
>>>
>>> But after a reboot, the next time I try mounting it, some other random
>>> port shows up in the firewall logs...
>>>
>>> This can't be all that difficult... I must be missing something obvious.
>>
>>   # rpcinfo -p
>>     program vers proto   port  service
>>      100000    4   tcp    111  portmapper
>>      100000    3   tcp    111  portmapper
>>      100000    2   tcp    111  portmapper
>>      100000    4   udp    111  portmapper
>>      100000    3   udp    111  portmapper
>>      100000    2   udp    111  portmapper
>>      100024    1   udp  32765  status
>>      100024    1   tcp  32765  status
>>
>> Again, this system is NOT running an NFS SERVER, I am only trying to use
>> the nfs CLIENT to mount a remote NFS share - so, is the above what I
>> should expect to see? something tells me no...
>>
>> Shouldn't the lockd ports be showing up too?
>>
>
>
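
An added example, not part of the original posts: a shell check that reads `rpcinfo -p` output in the format shown above and flags any RPC registration whose port differs from the pins in this configuration. The sample input is constructed, and the names `check_rpc_ports`, `registered_ports`, `SAMPLE` and `EXPECTED` are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the `rpcinfo -p` format shown above. The final
# nlockmgr line (tcp 38467) is invented here to show an unpinned port.
SAMPLE='asterisk ~ # rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   4001  status
    100024    1   tcp   4001  status
    100005    3   udp   4000  mountd
    100005    3   tcp   4000  mountd
    100003    3   tcp   2049  nfs
    100021    4   udp   4003  nlockmgr
    100021    4   tcp  38467  nlockmgr'

# Pins taken from the /etc/conf.d/nfs and /etc/sysctl.conf values above.
EXPECTED='portmapper=111 status=4001 mountd=4000 nfs=2049 nlockmgr=4003'

# Read rpcinfo -p output on stdin; print one line per registration that
# is on a port other than its pin, or that has no pin at all.
check_rpc_ports() {
    awk -v pins="$1" '
        BEGIN {
            n = split(pins, kv, " ")
            for (i = 1; i <= n; i++) { split(kv[i], p, "="); want[p[1]] = p[2] }
        }
        $1 !~ /^[0-9]+$/ || NF < 5 { next }   # skip header, prompts, blanks
        !($5 in want) { print "UNPINNED " $5 " " $3 "/" $4; next }
        $4 != want[$5] { print "DRIFT " $5 " " $3 "/" $4 " expected " want[$5] }
    '
}

# Unique proto/port pairs registered with the portmapper, i.e. the set a
# firewall rule list for this host has to cover.
registered_ports() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 5 { print $3 "/" $4 }' | sort -u
}

printf '%s\n' "$SAMPLE" | check_rpc_ports "$EXPECTED"
```

On a live host the input would come from `rpcinfo -p | check_rpc_ports "$EXPECTED"`, run after each service restart or reboot.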


Re: NFS & static ports - driving me crazy...

tanstaafl-2
On 2014-01-02 7:38 AM, William Kenworthy <[hidden email]> wrote:
> Try this:
>
> # /etc/conf.d/nfs

Thanks Bill, I will...

But what do I need to restart to test the changes? I'd rather not have
to reboot every time...

Is it just rpcbind? Or do I need to restart nfs/nfsmount too? Others?

Thanks... hope I can get this resolved...

Re: NFS & static ports - driving me crazy...

tanstaafl-2
On 2014-01-02 7:48 AM, Tanstaafl <[hidden email]> wrote:

> On 2014-01-02 7:38 AM, William Kenworthy <[hidden email]> wrote:
>> Try this:
>>
>> # /etc/conf.d/nfs
>
> Thanks Bill, I will...
>
> But what do I need to restart to test the changes? I'd rather not have
> to reboot every time...
>
> Is it just rpcbind? Or do I need to restart nfs/nfsmount too? Others?
>
> Thanks... hope I can get this resolved...

Made the above changes, restarted rpcbind, current nfs mounts
successfully unmounted, but failed to remount, and the OUTBOUND firewall
now shows a different port being used/blocked (this time it was UDP 51804)...

<sigh>