On Wed 2014-01-22 at 14:47 -0600, Schweiss, Chip wrote:
> A recent change in the NLM for NFSv3 has exposed a problem with the
> firewall on Redhat/CentOS.
>
> Connections back to the client are blocked by the firewall because the
> connection tracking module is not catching connections as part of the
> open NFS connections to the server.
>
This is (I think) callback related. The portmapper works such that its users (for example the client-side nfs kernel modules) bind to a tcp port and then register the port's number with the portmapper. This means that the user's port number gets randomized, EXCEPT for this:

---
[sudo root@compaq: /home/stefan]# lsmod | grep nfs
nfsd                  173890  2
nfs                   265921  2
nfs_acl                12463  2 nfs,nfsd
auth_rpcgss            32143  5 nfs,nfsd,rpcsec_gss_krb5
fscache                31978  1 nfs
lockd                  57277  2 nfs,nfsd
sunrpc                143904 16 lockd,auth_rpcgss,nfs_acl,nfs,nfsd,rpcsec_gss_krb5
[sudo root@compaq: /home/stefan]# modinfo nfsd
filename:       /lib/modules/3.2.0-4-686-pae/kernel/fs/nfsd/nfsd.ko
license:        GPL
author:         Olaf Kirch <o...@monad.swb.de>
depends:        auth_rpcgss,sunrpc,lockd,nfs_acl
intree:         Y
vermagic:       3.2.0-4-686-pae SMP mod_unload modversions 686
[sudo root@compaq: /home/stefan]# modinfo nfs
filename:       /lib/modules/3.2.0-4-686-pae/kernel/fs/nfs/nfs.ko
license:        GPL
author:         Olaf Kirch <o...@monad.swb.de>
alias:          nfs4
depends:        fscache,sunrpc,lockd,auth_rpcgss,nfs_acl
intree:         Y
vermagic:       3.2.0-4-686-pae SMP mod_unload modversions 686
parm:           callback_tcpport:portnr
parm:           cache_getent:Path to the client cache upcall program (string)
parm:           cache_getent_timeout:Timeout (in seconds) after which the cache upcall is assumed to have failed (ulong)
parm:           enable_ino64:bool
parm:           nfs4_disable_idmapping:Turn off NFSv4 idmapping when using 'sec=sys' (bool)
[sudo root@compaq: /home/stefan]#
[sudo root@compaq: /home/stefan]# cat /etc/modprobe.d/local-conf-nfs-fixed-ports.conf
options nfs callback_tcpport=2050
options lockd nlm_tcpport=2051 nlm_udpport=2051
[sudo root@compaq: /home/stefan]#
----

The nfs related modules have parameters for using locally defined well-known port numbers, which the firewall can be configured to recognize. I do use NFS4.

_______________________________________________
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss
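The reply above pins the NFS callback and NLM ports through modprobe options so the firewall can be told about them. As an added example (not code from the thread or from any of its participants), the following script parses such a modprobe.d file, validates the pinned ports, and renders matching iptables INPUT rules. The parameter names come from the modinfo output quoted in the reply; the rule shape, the use of a conntrack NEW match, and the trusted subnet 192.0.2.0/24 (a documentation prefix used as a placeholder) are this example's own assumptions, and the config text is a constructed sample that mirrors the quoted file.

```python
"""Derive host-firewall allow rules from the fixed NFS port settings in
modprobe.d, so the ports the kernel modules actually bind are the ones the
firewall permits. Example added here; not from the mailing-list thread."""
from typing import Dict, List, Tuple

# Constructed sample that mirrors the quoted
# /etc/modprobe.d/local-conf-nfs-fixed-ports.conf.
SAMPLE_MODPROBE_CONF = """\
# fixed ports for the NFS client callback and NLM (constructed sample)
options nfs callback_tcpport=2050
options lockd nlm_tcpport=2051 nlm_udpport=2051
"""

# (module, parameter) -> transport. The parameter names are the ones
# reported by modinfo in the thread; the transport follows from the name.
PORT_PARAMS = {
    ("nfs", "callback_tcpport"): "tcp",
    ("lockd", "nlm_tcpport"): "tcp",
    ("lockd", "nlm_udpport"): "udp",
}


def parse_modprobe_options(text: str) -> Dict[str, Dict[str, str]]:
    """Return {module: {param: value}} from 'options <module> k=v ...' lines.

    Comment text and unrelated directives (alias, install, blacklist, ...)
    are ignored; a later line overrides an earlier value for the same key.
    """
    result: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "options" or len(parts) < 3:
            continue
        module = parts[1]
        for kv in parts[2:]:
            if "=" in kv:
                key, value = kv.split("=", 1)
                result.setdefault(module, {})[key] = value
    return result


def fixed_ports(opts: Dict[str, Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return sorted (proto, port) pairs that the options pin.

    A parameter that is not set is simply skipped (the kernel then picks a
    random port, which is exactly the case the firewall cannot anticipate).
    A non-numeric or out-of-range value raises ValueError so a typo in the
    config is noticed before any rule is written.
    """
    ports = set()
    for (module, param), proto in PORT_PARAMS.items():
        value = opts.get(module, {}).get(param)
        if value is None:
            continue
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            raise ValueError(f"{module}.{param}={value!r} is not a valid port")
        ports.add((proto, int(value)))
    return sorted(ports)


def iptables_rules(ports: List[Tuple[str, int]],
                   trusted_net: str = "192.0.2.0/24") -> List[str]:
    """Render INPUT rules that accept new connections to the pinned ports,
    but only from the trusted subnet (assumed placeholder 192.0.2.0/24)."""
    return [
        f"-A INPUT -s {trusted_net} -p {proto} --dport {port} "
        f"-m conntrack --ctstate NEW -j ACCEPT"
        for proto, port in ports
    ]


if __name__ == "__main__":
    parsed = parse_modprobe_options(SAMPLE_MODPROBE_CONF)
    for rule in iptables_rules(fixed_ports(parsed)):
        print(rule)
```

Run it as a script to print the rules for the sample config, or point `parse_modprobe_options` at the real file's contents; on a live host, compare the pinned values against `/sys/module/<module>/parameters/` after a reboot so that a config that never took effect does not leave the firewall allowing ports the kernel is not using.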