[Bug 1067057] New: SuSEfirewall2 ver 3.6.312-5.9.1 blocks NFS access
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057

Bug ID: 1067057
Summary: SuSEfirewall2 ver 3.6.312-5.9.1 blocks NFS access
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: x86-64
OS: openSUSE 42.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Network
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: asnd@triumf.ca
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build Identifier:

SuSEfirewall2 version 3.6.312-5.9.1 blocks NFS access, despite the NFS configuration claiming to have the ports open in the firewall.

More specifically, the Firewall Yast configuration lists "NFS Client" and "NFS Server Service" under "Allowed Services". Moreover /etc/sysconfig/SuSEfirewall2 contains the line:

    FW_CONFIGURATIONS_EXT="apache2 apache2-ssl nfs-client nfs-kernel-server sshd"

and /etc/sysconfig/SuSEfirewall2.d/services/nfs-kernel-server has:

    RPC="portmap status nlockmgr mountd nfs nfs_acl"

Downgrading from SuSEfirewall2|3.6.312-5.9.1 to SuSEfirewall2|3.6.312-5.6.1 fixed the problem.

Reproducible: Always

Steps to Reproduce:
1. Have a working NFS server with firewall yesterday
2. Update to SuSEfirewall2 3.6.312-5.6.1
3.

Actual Results:
Here is an obfuscated line from the firewall log.

    Nov 07 21:18:07 computername kernel: SFW2-INext-ACC-RPC IN=eth0 OUT= MAC=00:::::::::::::00 SRC=111.111.111.111 DST=222.222.222.222 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17

Expected Results:
No firewall blocking of NFS RPC access.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057
Donald Arseneau
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057#c2
Donald Arseneau
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057#c3
--- Comment #3 from Donald Arseneau
Can you please provide your /etc/sysconfig/SuSEfirewall2 configuration file and the output of `iptables -L -n -v` when using version 3.6.312-5.6.1 and also when using version 3.6.312-5.9.1.
Ah ha! I sent the differences in the iptables -nL already. The old and new /etc/sysconfig/SuSEfirewall2 are identical. I'm not sure how much extra the -v flag gives for iptables, but here we go... Comments don't seem to have attachments, so I'll add them to the main report.

--D
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057#c4
--- Comment #4 from Donald Arseneau
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057#c5
--- Comment #5 from Donald Arseneau
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057
Aaron Burgemeister
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057#c13
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057#c14
Dimitri De Zordi
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057#c15
--- Comment #15 from Dimitri De Zordi
I fixed the issue by adding
-A input_ext -s 192.168.0.0/24 -p udp -m udp --dport 111 -j ACCEPT
I can't check if the port mapper is accessible from the outside of the network despite the source address restriction... but all my nfs clients can access the exports.
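
One way to see which of the RPC services named in the report have a matching ACCEPT rule in input_ext, and from which source, is to compare `rpcinfo -p` output against `iptables -S input_ext`. This is an added example, not part of the bug thread or of SuSEfirewall2; the sample command output is constructed, and the `portmap` to `portmapper` alias and the helper names are assumptions.

```python
# Service names from RPC= in the report's nfs-kernel-server file.
RPC = "portmap status nlockmgr mountd nfs nfs_acl".split()
ALIASES = {"portmap": "portmapper"}  # assumption: rpcinfo -p lists program 100000 as "portmapper"

# Constructed sample of `rpcinfo -p` output (port numbers are illustrative).
RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  40002  status
    100021    4   udp  40001  nlockmgr
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
"""
# Constructed sample of `iptables -S input_ext`; the first rule is the one from comment #15.
RULES = """\
-A input_ext -s 192.168.0.0/24 -p udp -m udp --dport 111 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 2049 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
"""

def registered(rpcinfo_text):
    """Set of (service, proto, port) parsed from `rpcinfo -p` output."""
    rows = (line.split() for line in rpcinfo_text.splitlines())
    return {(f[4], f[2], int(f[3])) for f in rows if len(f) == 5 and f[3].isdigit()}

def accepted(rules_text, chain="input_ext"):
    """Map (proto, port) -> allowed source for single-port ACCEPT rules in chain."""
    out = {}
    for line in rules_text.splitlines():
        t = line.split()
        if "!" in t or len(t) % 2:
            continue  # negated or irregular rules are not handled here
        opt = dict(zip(t[::2], t[1::2]))  # -S output is flag/value pairs
        if opt.get("-A") == chain and opt.get("-j") == "ACCEPT" and opt.get("--dport", "").isdigit():
            out[(opt.get("-p"), int(opt["--dport"]))] = opt.get("-s", "any")
    return out

def check(rpcinfo_text=RPCINFO, rules_text=RULES):
    """Map each wanted (service, proto, port) to its allowed source, or None if no rule."""
    wanted = {ALIASES.get(s, s) for s in RPC}
    rules = accepted(rules_text)
    return {k: rules.get(k[1:]) for k in registered(rpcinfo_text) if k[0] in wanted}

if __name__ == "__main__":
    for (svc, proto, port), src in sorted(check().items()):
        print(f"{svc:<11}{proto}/{port:<6}", f"ACCEPT from {src}" if src else "no ACCEPT rule")
```

On a live host, feed the functions the real output of the two commands; rules using port ranges or multiport matches are skipped by this parser and would show up as missing.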
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057
http://bugzilla.opensuse.org/show_bug.cgi?id=1067057#c16
Andreas Stieger