NFS and NIS Static Ports in Firewalld – How to Find


On our slave NIS server, in /etc/sysconfig/network, I've set

YPSERV_ARGS="-p 944"
YPXFRD_ARGS="-p 945"

and OTHER_YPBIND_OPTS="-p 3000" in /etc/ypbind.conf, and YPPASSWDD_ARGS="--port 946" in /etc/sysconfig/yppasswdd.

But on the master server, when running make -C /var/yp with debug logging enabled on firewalld, the destination port (DPT) always changes. It's always UDP.

kernel: FINAL_REJECT: IN=eno3 OUT= MAC=00:0a:f7:e1:f8:6c:00:0a:f7:e1:d3:71:08:00 SRC=nis-slave DST=nis-master LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=59404 DF PROTO=UDP SPT=1003 DPT=676 LEN=56 

Also in the new /etc/nfs.conf we have:

[lockd]
port=4002
udp-port=4002
[mountd]
port=4003
[nfsd]
port=2049
port=4001
outgoing-port=4004

And the logs on the slave server show: ypxfr_callback call: RPC: Unable to receive; errno = No route to host

Stopping firewalld makes everything work. So what service is using UDP?

Best Answer

The ancient YP/NIS stuff is not at all firewall friendly. It literally predates the wide use of host firewalls. As you've noticed, it expects to be able to communicate on arbitrary ports. Most protocols from the last 20 years or so no longer do this, and run on predictable (or at least configurable) ports.

As a workaround, though, if you only have one IP address, you can just add it to the trusted zone in firewalld, and all traffic from that IP address will be allowed. (Sources can also be given by CIDR range or MAC address.)

 firewall-cmd --zone=trusted --add-source=10.193.35.1 [--permanent]
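The diagnostic step the question is really asking for, as an added example that is not part of the question or the answer: parse a firewalld FINAL_REJECT log line into its key=value fields, then check the rejected proto/port against an rpcinfo -p listing to see whether it belongs to one of the pinned RPC services or is an unregistered, transient port (the arbitrary-port behaviour the answer describes). The log line, the addresses and the rpcinfo listing are all constructed here; the listing reuses the port numbers the poster configured, but it is invented output, not a capture from their hosts. The last function turns the registered listeners into port/proto pairs suitable for firewall-cmd --add-port, as the finer-grained alternative to the trusted-zone workaround.

```shell
#!/bin/sh
# Added example: match firewalld reject lines against rpcinfo -p output.
# Everything below is constructed sample data, not the poster's real logs.

# Constructed firewalld reject line in the same format as the one in the post.
SAMPLE_LOG='kernel: FINAL_REJECT: IN=eno3 OUT= MAC=00:0a:f7:e1:f8:6c:00:0a:f7:e1:d3:71:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=59404 DF PROTO=UDP SPT=1003 DPT=676 LEN=56'

# Constructed `rpcinfo -p` listing; ports follow the poster's configuration,
# but the table itself is invented for this example.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100004    2   udp    944  ypserv
    100004    2   tcp    944  ypserv
    100069    1   udp    945  fypxfrd
    100007    2   udp   3000  ypbind
    100009    1   udp    946  yppasswdd
    100021    1   udp   4002  nlockmgr
    100005    1   udp   4003  mountd
    100003    3   udp   2049  nfs'

# Pull one KEY=value field out of a netfilter/firewalld log line.
# $1 = log line, $2 = key (e.g. DPT, PROTO, SRC). First match wins.
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Name the registered RPC service on a proto/port, or print nothing.
# $1 = rpcinfo -p text, $2 = proto (udp/tcp), $3 = port number.
rpc_service_for() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" \
        '$3 == proto && $4 == port { print $5; exit }'
}

# Explain one rejected packet: either a pinned service or a dynamic port,
# which is the case behind the ypxfr_callback failure in the post.
# $1 = log line, $2 = rpcinfo -p text.
explain_reject() {
    proto=$(log_field "$1" PROTO | tr 'A-Z' 'a-z')
    dport=$(log_field "$1" DPT)
    svc=$(rpc_service_for "$2" "$proto" "$dport")
    if [ -n "$svc" ]; then
        printf '%s/%s -> rpc service %s\n' "$proto" "$dport" "$svc"
    else
        printf '%s/%s -> not a registered rpc service (dynamic port)\n' "$proto" "$dport"
    fi
}

# List the registered listeners (minus the portmapper) as port/proto pairs,
# one per line, ready for `firewall-cmd --zone=<zone> --add-port=<pair>`.
# $1 = rpcinfo -p text.
rpc_ports_for_firewall() {
    printf '%s\n' "$1" | awk 'NR > 1 && $5 != "portmapper" { print $4 "/" $3 }' | sort -u
}

# Usage with the constructed data.
explain_reject "$SAMPLE_LOG" "$SAMPLE_RPCINFO"
rpc_ports_for_firewall "$SAMPLE_RPCINFO"
```

On a live host, feed `journalctl -k | grep FINAL_REJECT` lines and the output of `rpcinfo -p` into the same two functions; a destination port that keeps changing and never appears in rpcinfo is a transient RPC endpoint, which is exactly what pinning ypserv, ypxfrd and yppasswdd cannot fix and why the answer reaches for the trusted-zone source rule.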