[opensuse-support] firewalld nfs libreoffice
Hi,

i changed my tumbleweed from susefirewall2 to firewalld

problem now:

nfs works when i use midnight commander to browse or copy files.
nfs did NOT work if i like to open a file on a nfs directory with libreoffice.
libreoffice completely stops response.
when i stop firewalld it starts to react again.

so i guess some "magic" port must additionally opened (what was before automatically opened in susefirewall2)

================
my setup:
i have several tumbleweed (and older opensuse) systems, using nfs as host and client to be able to go from every computer to every other (all only ipv4 systems, ipv6 disabled, static addresses).
was working fine with tumbleweed and susefirewall2

in yast2 firewalld assigned to my network bridge and adapter "home" and opened/set up for "home":

mdns (no idea what it is for, it was open)
  5353 udp
mountd (without this nfs not working)
  20048 tcp
  20048 udp
nfs3 (without this nfs not working)
  2049 tcp
  2049 udp
rpc-bind (without this nfs not working)
  111 tcp
  111 udp
samba (because i later on need also a samba server running)
  139 udp+tcp
  445 udp+tcp
  (did i need other things to open??? (like for nfs????))
ssh
  22 tcp
x11 (needed for SOME graphical ssh output)
  6000-60063 udp+tcp

=====================
question a)
what port (service name) i miss here to get the nfs also with libreoffice to work.

question b)
how did i see in an old setup (susefirewall2) what ports are open (not the service names inside yast2 these were in my old setup ONLY NFS-client NFS-server SSH-server but there must be more ports behind this "synonyms" than in the new firewalld-yast setup)

question c)
how did i see in a firewalld setup (or some log file) what port libreoffice was ask for and was blocked.

question d)
did i have to open for samba more ports(service-names-in-yast) (as i also need not only "nfs3" for nfs (+mountd+rpc-bind)

===============================
thanks in advance

simoN

--
www.becherer.de

--
To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-support+owner@opensuse.org
Additional information:

When i click in libreoffice "readonly" it will open the files.
so it must have something to do with the attempt to set this file "opened by another instance" (what i would see normally if i try to open such a file at same time on an other computer).

simoN

--
www.becherer.de
I but found out that:

rpcinfo -p

shows me for "status" and for "nlockmgr" on all machines different ports, so i read after searching, that this ports normally will be assigned dynamically different. ok, so far.

BUT why was this setup working with SUSEfirewall2 and NOT with firewalld

i have not changed anything to my nfs settings.

how made the trick to let firewalld find and open this dynamically changing port-numbers as (it must be i think) susefirewall2 has done automatically???????????

or is the only solution to gave here fix numbers? i found hundred of hits at a search, but this would be a back-step in compare to susefirewall2 and this i will not believe....

please help.....

simoN

--
www.becherer.de
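The check described in the message above, as an added example that is not part of the original thread: it reads `rpcinfo -p` output and reports every RPC service registered on a port outside the set the firewall zone allows. The function names and the sample `rpcinfo -p` output are constructed for illustration; the allowed ports are the ones listed in the first message.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# unopened_rpc_ports: read `rpcinfo -p` output on stdin. The arguments are
# the port/proto pairs the firewall zone allows (e.g. 2049/tcp). Prints one
# "service port/proto" line per registered RPC service whose port is NOT in
# the allowed set, de-duplicated across RPC program versions.
unopened_rpc_ports() {
    allowed=" $* "
    awk -v allowed="$allowed" '
        $1 == "program" { next }                  # header line
        NF >= 5 && $4 ~ /^[0-9]+$/ {
            key = $4 "/" $3                       # e.g. 54321/udp
            if (index(allowed, " " key " ") == 0 && !seen[$5 " " key]++)
                print $5, key
        }
    ' | LC_ALL=C sort
}

# Constructed sample of `rpcinfo -p` output on an NFSv3 server: portmapper,
# nfs and mountd on their usual ports, status and nlockmgr on ports picked
# at service start (the numbers here are made up).
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  46137  status
    100024    1   tcp  39271  status
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    3   udp  54321  nlockmgr
    100021    4   udp  54321  nlockmgr
    100021    3   tcp  40123  nlockmgr
    100021    4   tcp  40123  nlockmgr
EOF
}

# Ports opened in the "home" zone according to the first message
# (rpc-bind, nfs3, mountd). On a live host, replace sample_rpcinfo
# with: rpcinfo -p
sample_rpcinfo | unopened_rpc_ports \
    111/tcp 111/udp 2049/tcp 2049/udp 20048/tcp 20048/udp
```

With the sample input this lists `status` and `nlockmgr`, the two services the message names as sitting on dynamically assigned ports.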
On 2018-06-12 18:23, Simon Becherer wrote:
I but found out that:
rpcinfo -p
shows me for "status" and for "nlockmgr" on all machines different ports, so i read after searching, that this ports normally will be assigned dynamically different. ok, so far.
BUT why was this setup working with SUSEfirewall2 and NOT with firewalld
i have not changed anything to my nfs settings.
how made the trick to let firewalld find and open this dynamically changing port-numbers as (it must be i think) susefirewall2 has done automatically???????????
or is the only solution to gave here fix numbers? i found hundred of hits at a search, but this would be a back-step in compare to susefirewall2 and this i will not believe....
Indeed SuSEfirewall2 knows how to handle those dynamic ports. The words "rpc" apply:

FW_SERVICES_EXT_RPC="mountd nfs"
FW_CONFIGURATIONS_EXT="nfs-client nfs-kernel-server"
FW_SERVICES_ACCEPT_EXT="192.168.1.0/24,_rpc_,nfs 192.168.1.0/24,tcp,nfs"
FW_TRUSTED_NETS="192.168.1.0/24,tcp,nfs"

How any of that is done with firewalld I have no idea, sorry.

--
Cheers / Saludos,
Carlos E. R.
(from openSUSE, Leap 15.0 x86_64 (ssd-test))
Thanks carlos,

On 12.06.2018 at 20:53, Carlos E. R. wrote:
Indeed SuSEfirewall2 knows how to handle those dynamic ports. The words "rpc" apply:
FW_SERVICES_EXT_RPC="mountd nfs"
FW_CONFIGURATIONS_EXT="nfs-client nfs-kernel-server"
FW_SERVICES_ACCEPT_EXT="192.168.1.0/24,_rpc_,nfs 192.168.1.0/24,tcp,nfs"
FW_TRUSTED_NETS="192.168.1.0/24,tcp,nfs"
How any of that is done with firewalld I have no idea, sorry.
it seems, it just lack this feature. see my other mail,

regards,
simoN

--
www.becherer.de
On Tuesday, 12 June 2018 09:26:03 BST Simon Becherer wrote:
Hi,
i changed my tumbleweed from susefirewall2 to firewalld
problem now:
nfs works when i use midnight commander to browse or copy files. nfs did NOT work if i like to open a file on a nfs directory with libreoffice. libreoffice completely stops response. when i stop firewalld it starts to react again.
so i guess some "magic" port must additionally opened (what was before automatically opened in susefirewall2)
================
my setup: i have several tumbleweed (and older opensuse) systems, using nfs as host and client to be able to go from every computer to every other (all only ipv4 systems, ipv6 disabled, static addresses). was working fine with tumbleweed and susefirewall2
in yast2 firewalld assigned to my network bridge and adapter "home" and opened/set up for "home":
mdns (no idea what it is for, it was open) 5353 udp
mountd (without this nfs not working) 20048 tcp 20048 udp
nfs3 (without this nfs not working) 2049 tcp 2049 udp
rpc-bind (without this nfs not working) 111 tcp 111 udp
samba (because i later on need also a samba server running) 139 udp+tcp 445 udp+tcp (did i need other things to open??? (like for nfs????))
ssh 22 tcp
x11 (needed for SOME graphical ssh output) 6000-60063 udp+tcp
=====================
question a) what port (service name) i miss here to get the nfs also with libreoffice to work.
question b) how did i see in an old setup (susefirewall2) what ports are open (not the service names inside yast2 these were in my old setup ONLY NFS-client NFS-server SSH-server but there must be more ports behind this "synonyms" than in the new firewalld-yast setup)
question c) how did i see in a firewalld setup (or some log file) what port libreoffice was ask for and was blocked.
question d) did i have to open for samba more ports(service-names-in-yast) (as i also need not only "nfs3" for nfs (+mountd+rpc-bind)
Not answering your question directly, but firewalld's nfs profile is only for nfsv4, you need to include nfs3 as well to cover the udp ports
Thanks andrew,

On 12.06.2018 at 18:32, Andrew Colvin wrote:
Not answering your question directly but firewalld's nfs profile is only for nfsv4 you need to include nfs3 as well to cover the udp ports
On 12.06.2018 at 18:23, Simon Becherer wrote:
i have not changed anything to my nfs settings.
how made the trick to let firewalld find and open this dynamically changing port-numbers as (it must be i think) susefirewall2 has done automatically???????????
or is the only solution to gave here fix numbers? i found hundred of hits at a search, but this would be a back-step in compare to susefirewall2 and this i will not believe....
for the hint, but that's not the point, i found now (after another 2 hours) that there's a package called:
firewalld-rpcbind-helper

and inside the README.md file of this package i found:

=========================
... snip:
While most features of *SuSEfirewall2* have an equivalent in *firewalld* there is one major feature missing: The support for rpcbind based protocols like NFSv3 and ypserv/ypbind.
... snip
==========================
with other words, it's a back-step: there is no possibility to get firewalld running with the nfs3-stuff-random-ports assigned over rpcbind
=========================

and if anybody else read this, i really try to use correct mail-lists, try to be a part of the community, and try also to help to others if i know something. now let me say, i am disappointed about this list, IF this should be the "official support list" of opensuse, then there should be some official guys around, and - after now knowing what my problem is and after also found an official document who explain it, this problem should be, for official guys, easy to point me to this, because it seems also related to updates to leap 15.

for me it waste nearly the whole day with digging blind around.... of course learned a lot but the learning would be also done in a half an hour after point me to this.

and of course i know, there is no law to get help here.
but with all the discussions of this list...., - i get now off topic and will stop-

simoN

--
www.becherer.de
On Tuesday, 12 June 2018 20:02:05 BST Simon Becherer wrote:
Thanks andrew,
On 12.06.2018 at 18:32, Andrew Colvin wrote:
Not answering your question directly but firewalld's nfs profile is only for nfsv4 you need to include nfs3 as well to cover the udp ports
On 12.06.2018 at 18:23, Simon Becherer wrote:
i have not changed anything to my nfs settings.
how made the trick to let firewalld find and open this dynamically changing port-numbers as (it must be i think) susefirewall2 has done automatically???????????
or is the only solution to gave here fix numbers? i found hundred of hits at a search, but this would be a back-step in compare to susefirewall2 and this i will not believe....
for the hint, but that's not the point, i found now (after another 2 hours) that there's a package called: firewalld-rpcbind-helper
and inside the README.md file of this package i found:
=========================
... snip:
While most features of *SuSEfirewall2* have an equivalent in *firewalld* there is one major feature missing: The support for rpcbind based protocols like NFSv3 and ypserv/ypbind.
... snip
==========================
with other words, it's a back-step: there is no possibility to get firewalld running with the nfs3-stuff-random-ports assigned over rpcbind
=========================
and if anybody else read this, i really try to use correct mail-lists, try to be a part of the community, and try also to help to others if i know something. now let me say, i am disappointed about this list, IF this should be the "official support list" of opensuse, then there should be some official guys around, and - after now knowing what my problem is and after also found an official document who explain it, this problem should be, for official guys, easy to point me to this, because it seems also related to updates to leap 15.
Thanks for pointing this out - I will now avoid falling into this trap by making sure my vlans carrying NFS traffic are trusted when I switch and make sure they are on nfs4 - good spot
On 2018-06-12 21:02, Simon Becherer wrote:
Thanks andrew,
...
for the hint, but that's not the point, i found now (after another 2 hours) that there's a package called: firewalld-rpcbind-helper
and inside the README.md file of this package i found:
=========================
... snip:
While most features of *SuSEfirewall2* have an equivalent in *firewalld* there is one major feature missing: The support for rpcbind based protocols like NFSv3 and ypserv/ypbind.
Oh, my :-(
... snip
==========================
with other words, it's a back-step: there is no possibility to get firewalld running with the nfs3-stuff-random-ports assigned over rpcbind
=========================
:-/

Thanks for finding this. This info should be on the release notes, IMHO.

--
Cheers / Saludos,
Carlos E. R.
(from openSUSE, Leap 15.0 x86_64 (ssd-test))
On Tue, 12 Jun 2018 21:02:05 +0200 Simon Becherer <simon@becherer.de> wrote:
for the hint, but that's not the point, i found now (after another 2 hours) that there's a package called: firewalld-rpcbind-helper
and inside the README.md file of this package i found:
=========================
... snip:
While most features of *SuSEfirewall2* have an equivalent in *firewalld* there is one major feature missing: The support for rpcbind based protocols like NFSv3 and ypserv/ypbind.
... snip
==========================
with other words, it's a back-step: there is no possibility to get firewalld running with the nfs3-stuff-random-ports assigned over rpcbind
=========================
This is a showstopper for me as well. Unless there's an answer/fix soon, I shall have to remove firewalld and use another firewall eg. shorewall. I generally prefer to use what is packaged with the distribution, but the new firewall does not seem ready yet. :-( Bob -- Bob Williams System: Linux 4.12.14-lp150.12.4-default Distro: Desktop: KDE Frameworks: 5.45.0, Qt: 5.9.4 and Plasma: 5.12.5
On 2018-07-03 11:00, Bob Williams wrote:
On Tue, 12 Jun 2018 21:02:05 +0200 Simon Becherer <> wrote:
for the hint, but that's not the point, i found now (after another 2 hours) that there's a package called: firewalld-rpcbind-helper
and inside the README.md file of this package i found:
=========================
... snip:
While most features of *SuSEfirewall2* have an equivalent in *firewalld* there is one major feature missing: The support for rpcbind based protocols like NFSv3 and ypserv/ypbind.
... snip
==========================
with other words, it's a back-step: there is no possibility to get firewalld running with the nfs3-stuff-random-ports assigned over rpcbind
=========================
This is a showstopper for me as well. Unless there's an answer/fix soon, I shall have to remove firewalld and use another firewall eg. shorewall. I generally prefer to use what is packaged with the distribution, but the new firewall does not seem ready yet. :-(
Well, open bugzillas so that they are aware. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
Hi bob,

On 03.07.2018 at 11:00, Bob Williams wrote:
This is a showstopper for me as well. Unless there's an answer/fix soon, I shall have to remove firewalld and use another firewall eg. shorewall. I generally prefer to use what is packaged with the distribution, but the new firewall does not seem ready yet. :-(
as i have answered already in the other mails on 28.06.2018 14:31
Re: [opensuse-support] New firewall in Leap 15 blocks NFS server

if you install the package firewalld-rpcbind-helper and hack in the lines i have written there it will work, of course with static ports.

simoN

www.becherer.de
Hi simoN, On Thu, 05 Jul 2018 16:49:08 +0200 Simon Becherer <simon@becherer.de> wrote:
Hi bob,
On 03.07.2018 at 11:00, Bob Williams wrote:
[..] but the new firewall does not seem ready yet. :-(
as i have answered already in the other mails on 28.06.2018 14:31 Re: [opensuse-support] New firewall in Leap 15 blocks NFS server
if you install the package firewalld-rpcbind-helper and hack in the lines i have written there it will work, of course with static ports.
Thanks. I must have missed that. Bob -- Bob Williams