[opensuse] My SuSEfirewall2 is blocking things I want to allow, and I can't
Hi,

I get some of these:

<0.4> 2018-06-21 13:56:45 Telcontar kernel - - - [169799.461256] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:1c:83:41:1b:d8:33:08:00 SRC=192.168.1.127 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54173 DF PROTO=TCP SPT=721 DPT=46766 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080ACD82FEF50000000001030307)
<0.4> 2018-06-21 13:56:50 Telcontar kernel - - - [169804.957656] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:26:9e:95:62:d9:08:00 SRC=192.168.1.129 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60573 DF PROTO=TCP SPT=844 DPT=46766 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A03DFEA100000000001030307)
<0.4> 2018-06-21 13:57:18 Telcontar kernel - - - [169832.229481] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:1c:83:41:1b:d8:33:08:00 SRC=192.168.1.127 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54174 DF PROTO=TCP SPT=721 DPT=46766 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080ACD837EF30000000001030307)
<0.4> 2018-06-21 13:57:22 Telcontar kernel - - - [169837.021554] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:26:9e:95:62:d9:08:00 SRC=192.168.1.129 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=60574 DF PROTO=TCP SPT=844 DPT=46766 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A03E009600000000001030307)

PROTO=TCP SPT=721 DPT=46766 SRC=192.168.1.127 DST=192.168.1.14
PROTO=TCP SPT=844 DPT=46766 SRC=192.168.1.129 DST=192.168.1.14

They are from two laptops; the .129 runs Leap 42.2, the .127 runs Leap 15.0. It happens just after mounting via nfs the root directory of each, then they seem to stop.

The problem is, the destination port changes.
/etc/sysconfig/SuSEfirewall2 on the client (desktop) has:

FW_CONFIGURATIONS_EXT="bind nfs-client nfs-kernel-server ntp sshd"
FW_SERVICES_ACCEPT_EXT="192.168.1.0/24,_rpc_,nfs 192.168.74.0/24,_rpc_,nfs \
    fe80::/64,udp,5353 fc00::/64,udp,5353"
FW_TRUSTED_NETS="... 192.168.1.127,tcp,imap 192.168.1.127,tcp,imaps\
    192.168.1.127,tcp,ftp 192.168.1.127,tcp,ftp-data 192.168.1.129,tcp,http \
    192.168.1.127,tcp,30000:30100 \
    192.168.1.127,tcp,nfs 192.168.1.127,udp,sunrpc 192.168.1.129,tcp,rsync \
    ... "

So nfs and sunrpc are allowed. Plus service _rpc_,nfs

The nfs mounts are working fine, as far as I can see, and they are using protocol 4.

/etc/exports:

/ 192.168.1.14(rw,no_root_squash,sync,nohide,no_subtree_check,insecure,crossmnt) \
  192.168.1.16(rw,no_root_squash,sync,nohide,no_subtree_check,insecure,crossmnt) \
  192.168.1.129(rw,no_root_squash,sync,nohide,no_subtree_check,insecure,crossmnt)

/etc/fstab:

Minas-Tirith:/ /mnt/nfs/Minas-Tirith nfs4 noauto,nofail,_netdev,user,users,lazytime 0 0
Legolas:/ /mnt/nfs/Legolas nfs4 noauto,nofail,_netdev,user,users,lazytime 0 0

Telcontar:~ # mount -v /mnt/nfs/Legolas
mount.nfs4: timeout set for Thu Jun 21 13:58:13 2018
mount.nfs4: trying text-based options 'addr=192.168.1.127,clientaddr=192.168.1.14'
Telcontar:~ # mount -v /mnt/nfs/Minas-Tirith
mount.nfs4: timeout set for Thu Jun 21 13:58:19 2018
mount.nfs4: trying text-based options 'addr=192.168.1.129,clientaddr=192.168.1.14'
Telcontar:~ #

The firewalls on the laptops can not be compared, the new is firewalld, the old SuSEfirewall2. But the problem happens on the client.

So, ideas? What should I open on the firewall(s)?

--
Cheers
Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
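
Added example (not part of the original message or of SuSEfirewall2): a small Python parser for the SFW2-INext-DROP-DEFLT lines quoted above, grouping drops by source address to show which ports each peer used and whether the packets were new connection attempts. The function names and the third and fourth sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Lines 1-2 are abridged from the log above (MAC=, TOS=, PREC= and OPT omitted);
# lines 3-4 are constructed for the example.
SAMPLE = """\
<0.4> 2018-06-21 13:56:45 Telcontar kernel - - - [169799.461256] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.127 DST=192.168.1.14 LEN=60 TTL=64 ID=54173 DF PROTO=TCP SPT=721 DPT=46766 WINDOW=29200 RES=0x00 SYN URGP=0
<0.4> 2018-06-21 13:56:50 Telcontar kernel - - - [169804.957656] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.129 DST=192.168.1.14 LEN=60 TTL=64 ID=60573 DF PROTO=TCP SPT=844 DPT=46766 WINDOW=29200 RES=0x00 SYN URGP=0
<0.4> 2018-06-21 14:10:02 Telcontar kernel - - - [170596.000000] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.127 DST=192.168.1.14 LEN=60 TTL=64 ID=54180 DF PROTO=TCP SPT=721 DPT=40112 WINDOW=29200 RES=0x00 SYN URGP=0
<0.6> 2018-06-21 14:10:05 Telcontar cron - - - constructed non-firewall line
"""

LOG_RE = re.compile(r"\b(SFW2-\S+)\s+(.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_drop(line):
    """Parse one SuSEfirewall2 log line into a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group(1), "flags": set()}
    for tok in m.group(2).split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val            # KEY=value pair (value may be empty, e.g. OUT=)
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)     # bare TCP flag name
    return rec

def summarize(text):
    """Per source address: packet count, ports seen, and new-connection attempts."""
    out = defaultdict(lambda: {"count": 0, "dpts": set(), "spts": set(), "new_conn": 0})
    for rec in filter(None, map(parse_drop, text.splitlines())):
        if rec.get("PROTO") not in ("TCP", "UDP"):
            continue
        s = out[rec["SRC"]]
        s["count"] += 1
        s["dpts"].add(int(rec["DPT"]))
        s["spts"].add(int(rec["SPT"]))
        # SYN without ACK: the peer is opening a new connection towards this host
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            s["new_conn"] += 1
    return dict(out)

if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE).items()):
        print(src, s["count"], "drops, SPT", sorted(s["spts"]),
              "DPT", sorted(s["dpts"]), "new connections:", s["new_conn"])
```

A source whose DPT set keeps growing across mounts cannot be matched by a single fixed-port rule, which is the difficulty the message describes.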
Hi Carlos,

did I understand correctly, the client stopped responding if it connects to a computer where firewalld is installed? If so, then:

take a look at my mails in opensuse-support
"Re: [opensuse-support] firewalld nfs libreoffice"

you have to assign fixed ports for nfs (server-stuff). It's easy to do with the script mentioned there. It will also create a new firewalld-entry for you with the fixed ports to open.

install firewalld-rpcbind-helper.rpm

and run it, there are also examples there, and if you like, make a bug report, the examples use for the name of the script not "firewall-rpc-helper.py". (but they should)

simoN

--
www.becherer.de
On 2018-06-21 15:26, Simon Becherer wrote:
> Hi Carlos,
> did I understand correctly, the client stopped responding if it connects to a computer where firewalld is installed? If so, then:
No, both client and server are working fine.
> take a look at my mails in opensuse-support
> "Re: [opensuse-support] firewalld nfs libreoffice"
> you have to assign fixed ports for nfs (server-stuff). It's easy to do with the script mentioned there. It will also create a new firewalld-entry for you with the fixed ports to open.
> install firewalld-rpcbind-helper.rpm
> and run it, there are also examples there, and if you like, make a bug report, the examples use for the name of the script not "firewall-rpc-helper.py". (but they should)
I remember that thread, but I use nfs4, not affected. And the client machine is using Leap 42.3, so not firewalld.

--
Cheers / Saludos,
Carlos E. R.
(from 42.3 x86_64 "Malachite" at Telcontar)
Ok, sorry, then I have not understood your issue.

> I remember that thread, but I use nfs4, not affected. And the client

yes, correct. Sure it will not fall back to nfs3? (I do not know if this is possible)

> And the client machine is using Leap 42.3, so not firewalld.

if!! using nfs3 the server-firewalld is important. client could be susefirewall2 but client will/could stop responding.

simoN

--
www.becherer.de
Simon Becherer wrote:
> Ok, sorry, then I have not understood your issue.
>> I remember that thread, but I use nfs4, not affected. And the client
> yes, correct. Sure it will not fall back to nfs3? (I do not know if this is possible)
When you specify mount type as "nfs", mount will attempt v4 and fall back to v3.

--
Per Jessen, Zürich (25.4°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2018-06-21 18:18, Per Jessen wrote:
> Simon Becherer wrote:
>> Ok, sorry, then I have not understood your issue.
>>> I remember that thread, but I use nfs4, not affected. And the client
>> yes, correct. Sure it will not fall back to nfs3? (I do not know if this is possible)
> When you specify mount type as "nfs", mount will attempt v4 and fall back to v3.
But I know that nfs4 succeeds:

Telcontar:~ # mount -v /mnt/nfs/Legolas
mount.nfs4: timeout set for Thu Jun 21 13:58:13 2018
mount.nfs4: trying text-based options 'addr=192.168.1.127,clientaddr=192.168.1.14'
Telcontar:~ # mount -v /mnt/nfs/Minas-Tirith
mount.nfs4: timeout set for Thu Jun 21 13:58:19 2018
mount.nfs4: trying text-based options 'addr=192.168.1.129,clientaddr=192.168.1.14'
Telcontar:~ #

--
Cheers / Saludos,
Carlos E. R.
(from 42.3 x86_64 "Malachite" at Telcontar)
participants (3)
- Carlos E. R.
- Per Jessen
- Simon Becherer