[Bug 1067057] New: SuSEfirewall2 ver 3.6.312-5.9.1 blocks NFS access

newer
[Bug 1042644] git: un-bundle sha1...

older
[Bug 1067503] New: plymouth can...

bugzilla_noreply＠novell.com

8 Nov 2017 8 Nov '17

05:59

http://bugzilla.opensuse.org/show_bug.cgi?id=1067057 Bug ID: 1067057 Summary: SuSEfirewall2 ver 3.6.312-5.9.1 blocks NFS access Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: x86-64 OS: openSUSE 42.2 Status: NEW Severity: Major Priority: P5 - None Component: Network Assignee: bnc-team-screening@forge.provo.novell.com Reporter: asnd@triumf.ca QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Build Identifier: SuSEfirewall2 version 3.6.312-5.9.1 blocks NFS access, despite the NFS configuration claiming to have the ports open in the firewall. More specifically, the Firewall Yast configuration lists "NFS Client" and "NFS Server Service" under "Allowed Services". Moreover /etc/sysconfig/SuSEfirewall2 contains the line: FW_CONFIGURATIONS_EXT="apache2 apache2-ssl nfs-client nfs-kernel-server sshd" and /etc/sysconfig/SuSEfirewall2.d/services/nfs-kernel-server has: RPC="portmap status nlockmgr mountd nfs nfs_acl" Downgrading from SuSEfirewall2|3.6.312-5.9.1 to SuSEfirewall2|3.6.312-5.6.1 fixed the problem. Reproducible: Always Steps to Reproduce: 1. Have a working NFS server with firewall yesterday 2. Update to SuSEfirewall2 3.6.312-5.6.1 3. Actual Results: Here is an obfuscated line from the firewall log. Nov 07 21:18:07 computername kernel: SFW2-INext-ACC-RPC IN=eth0 OUT= MAC=00:::::::::::::00 SRC=111.111.111.111 DST=222.222.222.222 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17 Expected Results: No firewall blocking of NFS RPC access. -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.htm (text/html — 3.3 KB)

Show replies by date

bugzilla_noreply＠novell.com

8 Nov 8 Nov

06:01

New subject: [Bug 1067057] SuSEfirewall2 ver 3.6.312-5.9.1 blocks NFS access

http://bugzilla.opensuse.org/show_bug.cgi?id=1067057 Donald Arseneau changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |asnd@triumf.ca -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

07:21

New subject: [Bug 1067057] SuSEfirewall2 ver 3.6.312-5.9.1 blocks NFS access

http://bugzilla.opensuse.org/show_bug.cgi?id=1067057 Andreas Stieger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |astieger@suse.com Assignee|bnc-team-screening@forge.pr |matthias.gerstner@suse.com |ovo.novell.com | -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

09:34

New subject: [Bug 1067057] SuSEfirewall2 ver 3.6.312-5.9.1 blocks NFS access

http://bugzilla.opensuse.org/show_bug.cgi?id=1067057 http://bugzilla.opensuse.org/show_bug.cgi?id=1067057#c2 Donald Arseneau changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|matthias.gerstner@suse.com |bnc-team-screening@forge.pr | |ovo.novell.com --- Comment #2 from Donald Arseneau --- On another computer, I recorded the difference in iptables (iptables -nL). The older working version of susefirewall2 has several extra rules under Chain input_ext (1 references) target prot opt source destination LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW udp dpt:111 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:111 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW tcp dpt:111 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:111 LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW udp dpt:2049 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW tcp dpt:2049 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW udp dpt:41695 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:41695 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW tcp dpt:45341 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:45341 LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW udp dpt:41695 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:41695 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW tcp dpt:45341 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:45341 LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW udp dpt:34754 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:34754 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW tcp dpt:60251 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:60251 LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW udp dpt:34754 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:34754 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW tcp dpt:60251 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:60251 LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW udp dpt:20048 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:20048 LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW tcp dpt:20048 LOG flags 6 level 4 prefix "SFW2-INext-ACC-RPC " ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20048 -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

09:56

New subject: [Bug 1067057] SuSEfirewall2 ver 3.6.312-5.9.1 blocks NFS access

http://bugzilla.opensuse.org/show_bug.cgi?id=1067057 http://bugzilla.opensuse.org/show_bug.cgi?id=1067057#c3 --- Comment #3 from Donald Arseneau --- (In reply to Matthias Gerstner from comment #1)

...

Can you please provide your /etc/sysconfig/SuSEfirewall2 configuration file and the output of `iptables -L -n -v` when using version 3.6.312-5.6.1 and also when using version 3.6.312-5.9.1.

Ah ha! I sent the differences in the iptables -nL already. The old and new /etc/sysconfig/SuSEfirewall2 are identical. I'm not sure how much extra the -v flag gives for iptables, but here we go... Comments don't seem to have attachments, so I'll add them to the main report. --D -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:04

New subject: [Bug 1067057] SuSEfirewall2 ver 3.6.312-5.9.1 blocks NFS access

http://bugzilla.opensuse.org/show_bug.cgi?id=1067057 http://bugzilla.opensuse.org/show_bug.cgi?id=1067057#c4 --- Comment #4 from Donald Arseneau --- Created attachment 747715 --> http://bugzilla.opensuse.org/attachment.cgi?id=747715&action=edit New and bad results from "iptables -nvL" -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:04

New subject: [Bug 1067057] SuSEfirewall2 ver 3.6.312-5.9.1 blocks NFS access