[Bug 874110] New: nfsserver should restart SuSEfirewall
https://bugzilla.novell.com/show_bug.cgi?id=874110
https://bugzilla.novell.com/show_bug.cgi?id=874110#c0

           Summary: nfsserver should restart SuSEfirewall
    Classification: openSUSE
           Product: openSUSE 13.1
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: nfbrown@suse.com
        ReportedBy: jslaby@suse.com
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

When I boot my system without running nfsserver, SuSEfirewall rules do not contain all the nfs ports even though I have configured SuSEfirewall to allow the nfs-kernel-server service. I have to start nfsserver and then restart SuSEfirewall. Only then do I see in iptables:

    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:32905
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:51865
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:37778
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:50860
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:60436
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:59006
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:56771
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:41310
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:56771
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:41310
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:sunrpc
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:sunrpc
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:58117
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:37806
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:58117
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:37806
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:nfs
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:nfs

IMO it should be there either since boot after SuSEfirewall starts, or the nfsserver service should restart the firewall to reload and put the rules there.
-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=874110#c1

Neil Brown <nfbrown@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |meissner@suse.com

--- Comment #1 from Neil Brown <nfbrown@suse.com> 2014-04-24 03:39:31 UTC ---
I'm sure you are right, but I have no idea how that should work.

Marcus, you seem to be listed as maintainer for SuSEfirewall2. Is there some way I can trigger a firewall update after nfsserver has started? I probably want to do something different between when nfsserver is started at boot and when it is started later ???
https://bugzilla.novell.com/show_bug.cgi?id=874110#c2

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
                 CC|                            |meissner@suse.com
       InfoProvider|meissner@suse.com           |

--- Comment #2 from Marcus Meissner <meissner@suse.com> 2014-04-24 12:45:38 UTC ---
SuSEfirewall2 sets up a static setup. It could be reloaded for instance. "SuSEfirewall2 start" will restart the firewall.

Not sure how the rules above get imported, are they specified via __rpc__ ? how did you configure it?
https://bugzilla.novell.com/show_bug.cgi?id=874110#c3

--- Comment #3 from Jiri Slaby <jslaby@suse.com> 2014-04-24 12:51:27 UTC ---
(In reply to comment #2)
> SuSEfirewall2 sets up a static setup. It could be reloaded for instance.
> "SuSEfirewall2 start" will restart the firewall.

Or there is a FW systemd service file. So what I do is:

    systemctl restart nfsserver.service && systemctl restart SuSEfirewall2.service

The latter should perhaps be:

    systemctl reload-or-try-restart SuSEfirewall2.service

> Not sure how the rules above get imported, are they specified via __rpc__ ?
> how did you configure it?

Via yast. I enabled nfs server. I see this in /etc/sysconfig/SuSEfirewall2:

    FW_CONFIGURATIONS_EXT="nfs-client nfs-kernel-server"

and /etc/sysconfig/SuSEfirewall2.d/services/nfs-kernel-server subsequently says:

    grep -vE '^$|^#' /etc/sysconfig/SuSEfirewall2.d/services/nfs-kernel-server
    TCP=""
    UDP=""
    RPC="portmap status nlockmgr mountd nfs nfs_acl"
    IP=""
    BROADCAST=""
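What an RPC="..." line in a SuSEfirewall2 service file asks of the firewall, shown as an added example (this is not SuSEfirewall2's own code): the program names have to be resolved to port numbers by asking rpcbind, which is what `rpcinfo -p` prints, and any program that is not registered yet simply yields no rule. The two rpcinfo listings below are constructed samples (port numbers chosen to match the iptables output earlier in this bug), `rpc_rules` and `unresolved_rpc` are names made up for this example, and the mapping of the config name "portmap" to rpcinfo's "portmapper" is an assumption.

```shell
#!/bin/sh
# Added example: resolve RPC program names to ports the way a firewall has to,
# by reading rpcbind's registry (rpcinfo -p), and emit iptables ACCEPT rules.
# On a real host replace the sample functions with:  rpcinfo -p

# Constructed sample: rpcbind's registry before nfsserver has started.
# Only the portmapper itself is registered.
sample_rpcinfo_before() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
EOF
}

# Constructed sample: the same registry after nfsserver (and statd/lockd) started.
# mountd, status and nlockmgr got random ports; nfs and nfs_acl sit on 2049.
sample_rpcinfo_after() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  56771  status
    100024    1   tcp  41310  status
    100021    1   udp  58117  nlockmgr
    100021    1   tcp  37806  nlockmgr
    100005    1   udp  32905  mountd
    100005    1   tcp  50860  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100227    3   udp   2049  nfs_acl
EOF
}

# rpc_rules "<RPC= list>"  < rpcinfo-output
# Prints one iptables rule per distinct proto/port that a wanted service is
# registered on. Services that are not registered produce nothing: this is
# exactly the hole left when the firewall is started before the daemons.
rpc_rules() {
    awk -v wanted="$1" '
    BEGIN {
        n = split(wanted, w, " ")
        for (i = 1; i <= n; i++) {
            name = w[i]
            if (name == "portmap") name = "portmapper"   # assumed alias
            want[name] = 1
        }
    }
    NR > 1 && ($5 in want) {
        key = $3 "/" $4                                  # dedupe nfs vs nfs_acl etc.
        if (!(key in seen)) {
            seen[key] = 1
            printf "iptables -A INPUT -p %s --dport %s -j ACCEPT\n", $3, $4
        }
    }'
}

# unresolved_rpc "<RPC= list>"  < rpcinfo-output
# Prints the names from the RPC= list that rpcbind does not know about yet,
# i.e. the services that will silently get no firewall rule.
unresolved_rpc() {
    awk -v wanted="$1" '
    BEGIN {
        n = split(wanted, w, " ")
        for (i = 1; i <= n; i++) {
            name = w[i]
            if (name == "portmap") name = "portmapper"   # assumed alias
            want[i] = name
        }
    }
    NR > 1 { found[$5] = 1 }
    END { for (i = 1; i <= n; i++) if (!(want[i] in found)) print w[i] }'
}

# The RPC= line from the nfs-kernel-server service file quoted in this bug.
NFS_RPC="portmap status nlockmgr mountd nfs nfs_acl"

echo "== firewall started before nfsserver =="
sample_rpcinfo_before | rpc_rules "$NFS_RPC"
echo "unresolved: $(sample_rpcinfo_before | unresolved_rpc "$NFS_RPC" | tr '\n' ' ')"
echo "== firewall (re)started after nfsserver =="
sample_rpcinfo_after | rpc_rules "$NFS_RPC"
echo "unresolved: $(sample_rpcinfo_after | unresolved_rpc "$NFS_RPC" | tr '\n' ' ')"
```

Run before the daemons are up, the script emits only the two sunrpc (port 111) rules and lists status, nlockmgr, mountd, nfs and nfs_acl as unresolved; run afterwards it emits the full set, including the random mountd/statd/lockd ports that change on every daemon start. That is why a one-shot firewall started before nfsserver can never be right for the RPC= entries, and why the rules only appear after a restart.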
https://bugzilla.novell.com/show_bug.cgi?id=874110#c4

--- Comment #4 from Neil Brown <nfbrown@suse.com> 2014-04-29 05:43:06 UTC ---
The key issue is that the "RPC" setting requires SuSEfirewall2 to query rpcbind to find out what port they are listening on so that port can be allowed through the firewall. These ports are only determined when the daemon starts up, so if SuSEfirewall2 is started before the daemon it cannot get it right.

i.e. we have to restart SuSEfirewall2 after any rpc daemons are started.

This is also a problem with 'statd' which can be started at mount time by /usr/sbin/start-statd. At one stage I explicitly restarted the firewall in that script but I recently noticed that was reverted without me being told:

    Mon Jan 31 07:49:03 UTC 2011 - lnussel@suse.de

    - don't run SuSEfirewall2 from start-statd script. If SuSEfirewall2 is
      installed and enabled it will be called at the end of the boot process
      anyways (bnc#668181).

which was the wrong fix for that bug in my opinion....

We either need an easy way to tell the firewall to recalculate things (maybe just "systemctl restart SuSEfirewall2"??) or we need to give up on using dynamically assigned port numbers. I think all of those daemons can use static assignments but it requires a bit of effort setting up and requires someone to choose the numbers....
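One way to get the "restart the firewall after the rpc daemons are up" behaviour asked for above without touching either package, as an added example that is not part of nfs-utils or SuSEfirewall2: a systemd drop-in for nfsserver.service that triggers the reload Jiri suggested in comment #3 once the service has started. The unit names are the ones used in this bug; the file path and the use of `--no-block` are assumptions of this example.

```ini
# /etc/systemd/system/nfsserver.service.d/firewall.conf
# Added example (not shipped by nfs-utils or SuSEfirewall2). Assumes the unit
# names used in this bug: nfsserver.service and SuSEfirewall2.service.
[Service]
# After nfsd/mountd (and lockd/statd) have registered with rpcbind, make
# SuSEfirewall2 re-query rpcbind so the RPC= ports get ACCEPT rules.
# reload-or-try-restart does nothing if SuSEfirewall2 is not running yet, so
# at boot this is a no-op and the late firewall start picks the ports up;
# it only acts on a later "systemctl start/restart nfsserver".
# The leading "-" keeps a failure here from failing nfsserver itself, and
# --no-block avoids waiting for the firewall job inside our own start job.
ExecStartPost=-/usr/bin/systemctl --no-block reload-or-try-restart SuSEfirewall2.service
```

After creating the file run `systemctl daemon-reload`. This covers nfsserver only; statd started at mount time by /usr/sbin/start-statd still registers a fresh port that the firewall does not see until the next reload, which is the remaining case comment #4 describes.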