[CentOS] NFS and Linux Firewall Conflict

Aleksandar Milivojevic alex at milivojevic.org
Sat Jul 30 01:06:55 UTC 2005


John Hinton wrote:
> If I run
> 
> showmount -e <my_server_ip>
> 
> from the client, with the firewall set to on on the server, I get
> 
> rpc mount export: RPC: Unable to receive; errno = No route to host
> 
> If I turn it off, I can connect.
> 
> So far, I have 111 and 2049 tcp and udp open and 4002 udp open.
> 
> Anybody know what I'm missing?

Depends what your NFS server is.  Basically, NFS utilizes RPC.  RPC has a 
brain-damaged design: services listen on randomly assigned ports, and the 
portmapper service (port 111) keeps tabs on what is where.  So contacting 
an RPC-based service is a two-step process.  First the client connects to 
the portmapper to find out on what port the actual RPC service is 
listening, and then it connects to that port.  This is absolutely 
incompatible with any non-trivial network that includes firewalls.  I 
don't know what the folks that designed RPC were smoking when they 
designed things this way, but it must have been really bad stuff.

Not all is dark.  RPC-based services can request to be assigned static 
well-known ports, but this is implementation dependent, and not all 
implementations utilize that feature.  The NFS implementation on Linux can 
be configured to use static well-known ports, so that you can configure 
firewall rules to allow for NFS.  However, if your NFS server is a Solaris 
box, no such luck: some of the needed ports will always be dynamically 
assigned.

There's also an RPC helper module for Netfilter.  However, this module is 
not a standard part of Red Hat/Fedora/CentOS kernels; you'd need to patch 
the kernel source with Netfilter's patch-o-matic-ng.  Reason?  Probably 
still not stable enough for prime time.  And I personally never managed 
to get it working correctly.  This module will be the ultimate solution 
for the RPC nightmare, once it gets stable enough for inclusion into the 
mainstream kernel.
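The practical version of the "pin the ports, then open them" advice above, as an added example that is not part of the thread. It assumes a server whose mountd, statd and lockd have been pinned to 4002, 4000 and 4001 (arbitrary values chosen here, not from the post; on CentOS these are typically set through MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT in /etc/sysconfig/nfs, or via `rpc.mountd -p`, `rpc.statd -p` and the lockd module's nlm_tcpport/nlm_udpport options on older releases). The `rpcinfo -p` listing is constructed to match; the helper functions turn such a listing into iptables rules and flag any service that is still on a dynamic port, which is exactly the case that produces "No route to host" once the firewall's reject rule answers the client.

```shell
#!/bin/sh
# Assumed /etc/sysconfig/nfs settings that pin the RPC daemons (values are
# this example's choice, not from the mailing-list thread):
#   MOUNTD_PORT=4002
#   STATD_PORT=4000
#   LOCKD_TCPPORT=4001
#   LOCKD_UDPPORT=4001

# Constructed sample of `rpcinfo -p` output from such a server.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp   4001  nlockmgr
    100021    1   tcp   4001  nlockmgr
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# Read rpcinfo -p text on stdin; print unique "proto port" pairs for every
# registered RPC service except the portmapper itself (always 111).
rpc_ports() {
    awk 'NR > 1 && $5 != "portmapper" { print $3, $4 }' | sort -u
}

# Read "proto port" pairs on stdin and emit one iptables ACCEPT rule each for
# clients in $1.  Port 111 is added first because every client must reach the
# portmapper before it can look anything else up.
nfs_rules() {
    net=$1
    echo "iptables -A INPUT -s $net -p tcp --dport 111 -j ACCEPT"
    echo "iptables -A INPUT -s $net -p udp --dport 111 -j ACCEPT"
    while read proto port; do
        echo "iptables -A INPUT -s $net -p $proto --dport $port -j ACCEPT"
    done
}

# Read "proto port" pairs on stdin and print those not in the allowed list
# given as $1 (space separated).  Anything printed was assigned dynamically
# and will be rejected by the firewall even though portmapper advertises it.
unpinned_ports() {
    allowed=$1
    while read proto port; do
        case " $allowed " in
            *" $port "*) ;;
            *) echo "$proto $port" ;;
        esac
    done
}

# Stand-alone run: generate the rule set and report anything left unpinned.
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ports | nfs_rules 192.168.1.0/24
left=$(printf '%s\n' "$SAMPLE_RPCINFO" | rpc_ports \
       | unpinned_ports "111 2049 4000 4001 4002")
[ -z "$left" ] && echo "all RPC services on pinned ports" \
                || printf 'dynamic ports still in use:\n%s\n' "$left"
```

On a real server, replace the constructed listing with `rpcinfo -p | rpc_ports` and run the check after every NFS restart: lockd in particular only honours the pinned port if the module option (or sysconfig variable) was in place before it loaded, so a listing that shows nlockmgr on some five-digit port means the pinning did not take and the firewall rules will be wrong no matter how carefully they were written.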


