On Mon, May 1, 2023 at 11:11 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
I have been using NFS for decades across a firewall on each computer, no issues. Works fine with SuSEfirewall2.
SuSEfirewall2 queried portmapper and opened ports registered by specific service. Which means it works only if SuSEfirewall2 is started after the service in question has been started. It works for NFS on boot because SuSEfirewall2 was forced to start after the NFS server and hence after the network was up. But if you restart the NFS service and it happens to pick up different ports, it stops working. And you have a window after your system is reachable over the network but the firewall is yet not active. So yes, it sort of worked ...
firewalld supports up to version 3 of nfs, it has problems with version 4. It is the fault of firewalld, not of iptables or whatever.
What sort of problems? NFSv4 needs one and only one port, there are no dynamic ports to open. If anything, firewalld should be having problems with NFSv3 unless you force a static port for mountd.
The problem is that it doesn't know about the dynamic ports it opens.
So how could it possibly support NFSv3 which relies on dynamic ports?
The hack is to make the server use a small range of ports and independently open them.
See the last post. <https://unix.stackexchange.com/questions/243756/nfs-servers-and-firewalld>
You mean the post where he first adds ports 2049 and 20048 as services then adds ports 2049 and some mysterious "default" port 4001 explicitly and then suddenly it turns out that his mountd is using neither of these ports and he adds yet another port for mountd (in spite of adding "mountd" service previously)? Oh yes, this is certainly a very trustworthy source of information.
For openSUSE:
Another post says to just open port 2049/tcp instead.
Yes, this is the only port needed for NFSv4 between client and server (unless you changed the defaults).
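The thread's two points, that NFSv4 needs only 2049/tcp while NFSv3 can only be opened statically once mountd is pinned to a fixed port, can be checked with a small script. The following is an added example written for this page, not code from the thread or from the firewalld or nfs-utils projects. It assumes a nfs.conf-style file with a `[mountd]` section containing `port =` (the `mountd_port_from_conf` and `nfs_ports` helper names are mine), and it only prints the `firewall-cmd --permanent --add-port=` invocations rather than running them, so it is safe to run anywhere. Portmapper (111) and nfsd (2049) are opened for both tcp and udp in the v3 case; lockd/statd are left out to keep the example to what the thread discusses.

```shell
#!/bin/sh
# Constructed example: which ports a firewall must open for NFS, by version.
# NFSv4 multiplexes everything over 2049/tcp. NFSv3 additionally needs
# portmapper (111) and mountd, and mountd picks a dynamic port unless it is
# pinned in nfs.conf ([mountd] port=), which is exactly why firewalld cannot
# open it statically by default.

# Print the pinned mountd port from an nfs.conf-style file, or nothing if unset.
mountd_port_from_conf() {
    awk -F= '
        /^\[/ { section = $0 }
        section == "[mountd]" && $1 ~ /^[ \t]*port[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit
        }' "$1"
}

# Print one "port/proto" per line for the given NFS version (3 or 4).
# Second argument: path to nfs.conf (defaults to /etc/nfs.conf).
nfs_ports() {
    ver="$1"; conf="${2:-/etc/nfs.conf}"
    case "$ver" in
        4)
            echo "2049/tcp"
            ;;
        3)
            mp=$(mountd_port_from_conf "$conf")
            if [ -z "$mp" ]; then
                echo "mountd port is not pinned in $conf; NFSv3 cannot be opened statically" >&2
                return 1
            fi
            printf '%s\n' 111/tcp 111/udp 2049/tcp 2049/udp "$mp/tcp" "$mp/udp"
            ;;
        *)
            echo "unsupported NFS version: $ver" >&2
            return 2
            ;;
    esac
}

# Emit (do not execute) the firewall-cmd lines for the computed port list.
firewalld_cmds() {
    nfs_ports "$@" | while read -r p; do
        echo "firewall-cmd --permanent --add-port=$p"
    done
}

# Stand-alone usage: show both cases against a constructed nfs.conf.
if [ "${1:-}" = "demo" ]; then
    tmpconf=$(mktemp)
    printf '[general]\n[mountd]\nport = 20048\n[nfsd]\n' > "$tmpconf"   # constructed
    echo "# NFSv4:";            firewalld_cmds 4
    echo "# NFSv3 (mountd pinned to 20048):"; firewalld_cmds 3 "$tmpconf"
    rm -f "$tmpconf"
fi
```

Run it with `sh script.sh demo` to see the two lists side by side; with an nfs.conf that does not pin mountd, the v3 case refuses to produce a list, which is the failure mode the thread describes.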