John Hinton wrote:
If I run
showmount -e <my_server_ip>
from the client, with the firewall set to on on the server, I get
rpc mount export: RPC: Unable to receive; errno = No route to host
If I turn it off, I can connect.
So far, I have 111 and 2049 tcp and udp open and 4002 udp open.
Anybody know what I'm missing?
Depends on what your NFS server is. Basically, NFS utilizes RPC. RPC has a brain-damaged design: basically, services will listen on randomly assigned ports, and the portmapper service (port 111) will keep tabs on what is where. Basically, contacting an RPC-based service is a two-step process. First the client connects to the portmapper to find out on what port the actual RPC service is listening, and then it connects to that port. This is absolutely incompatible with any non-trivial network that includes firewalls. I don't know what the folks that designed RPC were smoking when they designed things this way, but it must have been really bad stuff.
Not all is dark. RPC-based services can request to be assigned static well-known ports, but this is implementation dependent, and not all implementations utilize that feature. The NFS implementation on Linux can be configured to use static well-known ports, so that you can configure firewall rules to allow for NFS. However, if your NFS server is a Solaris box, no such luck: some of the needed ports will always be dynamically assigned.
There's also an RPC helper module for Netfilter. However, this module is not a standard part of Red Hat/Fedora/CentOS kernels; you'd need to patch the kernel source with Netfilter's patch-o-matic-ng. Reason? Probably still not stable enough for prime time. And I personally never managed to get it working correctly. This module will be the ultimate solution for the RPC nightmare, once it gets stable enough for inclusion into the mainstream kernel.
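A worked example of the "pin the ports, then open them" approach described in the reply above. This is an added illustration, not code from the thread or from any NFS distribution; the two `rpcinfo -p` listings are constructed (the "before" one shows the dynamically assigned ports the reply complains about, the "after" one shows the same server with mountd, statd and lockd pinned), and the pinned port numbers are the ones Red Hat ships commented out in /etc/sysconfig/nfs (MOUNTD_PORT=892, STATD_PORT=662, LOCKD_TCPPORT=32803, LOCKD_UDPPORT=32769). The script reports which registered services still sit on a port a firewall could not have known in advance, and only once that list is empty does it make sense to turn the registered endpoints into rules.

```shell
#!/bin/sh
# Added example: find RPC services still on dynamically assigned ports, and
# turn the endpoints registered with the portmapper into iptables rules.
# Both rpcinfo listings below are constructed, not captured from a real host.

# `rpcinfo -p` on a Linux NFS server before any port pinning (constructed).
RPCINFO_BEFORE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  40583  mountd
    100005    1   tcp  40583  mountd
    100005    3   udp  40583  mountd
    100005    3   tcp  40583  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  37025  nlockmgr
    100021    4   udp  37025  nlockmgr
    100021    1   tcp  39419  nlockmgr
    100021    4   tcp  39419  nlockmgr
    100024    1   udp  44261  status
    100024    1   tcp  44261  status'

# The same server after pinning mountd, statd and lockd (constructed).
RPCINFO_AFTER='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100024    1   udp    662  status
    100024    1   tcp    662  status'

# Stdin: rpcinfo -p output.  Stdout: unique "service proto port" lines.
# Program numbers are skipped; only the header line lacks a numeric first field.
rpc_endpoints() {
    awk '$1 ~ /^[0-9]+$/ && NF == 5 { print $5, $3, $4 }' | LC_ALL=C sort -u
}

# Stdin: rpcinfo -p output.  Args: the ports you pinned, as service:proto:port.
# Prints every service that is neither on a fixed well-known port (portmapper
# on 111, nfs on 2049) nor on one of the pinned ports, i.e. every port a
# firewall rule could not have been written for ahead of time.
unpinned_services() {
    pinned=" $* "
    rpc_endpoints | while read -r svc proto port; do
        case "$svc" in portmapper|nfs) continue ;; esac
        case "$pinned" in
            *" $svc:$proto:$port "*) ;;
            *) echo "$svc $proto $port" ;;
        esac
    done
}

# Stdin: rpcinfo -p output.  Stdout: one iptables ACCEPT rule per endpoint.
# Only meaningful once unpinned_services prints nothing; otherwise the ports
# move on the next restart and the rules silently go stale.
firewall_rules() {
    rpc_endpoints | while read -r svc proto port; do
        echo "iptables -A INPUT -p $proto --dport $port -m comment --comment $svc -j ACCEPT"
    done
}

# Assumed pinned layout: the commented-out defaults from Red Hat's
# /etc/sysconfig/nfs (MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT, LOCKD_UDPPORT).
PINNED="mountd:tcp:892 mountd:udp:892 status:tcp:662 status:udp:662 nlockmgr:tcp:32803 nlockmgr:udp:32769"

echo "== still dynamic before pinning =="
printf '%s\n' "$RPCINFO_BEFORE" | unpinned_services $PINNED
echo "== still dynamic after pinning (expect nothing) =="
printf '%s\n' "$RPCINFO_AFTER" | unpinned_services $PINNED
echo "== firewall rules for the pinned layout =="
printf '%s\n' "$RPCINFO_AFTER" | firewall_rules
```

On a real server, replace the constructed listings with `rpcinfo -p | unpinned_services $PINNED` after setting the ports (in /etc/sysconfig/nfs on the Red Hat family of that era; on current distributions the same settings live under the [mountd], [statd] and [lockd] sections of /etc/nfs.conf) and restarting the NFS services, and re-run it after a reboot before trusting the rules. Note that portmapper (111) and nfs (2049) are exempted only because those two are fixed; everything else that shows up in the first list is exactly what the "No route to host" in the question was hiding.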