John Hinton wrote:
> If I run
>
> showmount -e <my_server_ip>
>
> from the client, with the firewall set to on on the server, I get
>
> rpc mount export: RPC: Unable to receive; errno = No route to host
>
> If I turn it off, I can connect.
>
> So far, I have 111 and 2049 tcp and udp open and 4002 udp open.
>
> Anybody know what I'm missing?
Depends what your NFS server is. Basically, NFS utilizes RPC. RPC has a
brain damaged design: basically services will listen on randomly
assigned ports, and the portmapper service (port 111) will keep tabs on what
is where. Basically, contacting an RPC based service is a two step
process. First the client connects to portmapper to find out on what
port the actual RPC service is listening, and then it will connect to that
port. This is absolutely incompatible with any non-trivial network that
includes firewalls. I don't know what the folks that designed RPC were
smoking when they designed things this way, but it must have been really
bad stuff.
Not all is dark. RPC based services can request to be assigned static
well known ports, but this is implementation dependent, and not all
implementations utilize that feature. The NFS implementation on Linux can be
configured to use static well known ports, so that you can configure
firewall rules to allow for NFS. However, if your NFS server is a Solaris
box, no such luck, some of the needed ports will always be dynamically
assigned.
There's also an RPC helper module for Netfilter. However this module is
not a standard part of Red Hat/Fedora/CentOS kernels; you'd need to patch
the kernel source with Netfilter's patch-o-matic-ng. Reason? Probably
still not stable enough for prime time. And I personally never
managed to get it working correctly. This module will be the ultimate
solution for the RPC nightmare, once it gets stable enough for inclusion
into the mainstream kernel.
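As an added example (not from the thread), a small POSIX shell script that reads `rpcinfo -p` output from the NFS server, shows which registered RPC ports fall outside the fixed set the original poster opened (111, 2049 tcp/udp, 4002 udp), and emits matching iptables rules limited to one client subnet. The rpcinfo listing, its port numbers and the subnet are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` as run on a Linux NFS server; the
# mountd/nlockmgr/status ports are made-up dynamic assignments.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  32769  mountd
    100005    1   tcp  32769  mountd
    100003    2   tcp   2049  nfs
    100003    2   udp   2049  nfs
    100021    1   udp  32770  nlockmgr
    100021    1   tcp  32771  nlockmgr
    100024    1   udp  32772  status
    100024    1   tcp  32773  status'

# Print "proto port service" for every service registered with the
# portmapper, de-duplicated across RPC versions. Reads rpcinfo -p on stdin.
rpc_ports() {
    awk 'NR > 1 && NF == 5 { print $3, $4, $5 }' | sort -u
}

# Registered ports that are NOT in the fixed set the poster already opened;
# these are the ones the portmapper hands out dynamically. Reads stdin.
dynamic_ports() {
    rpc_ports | awk '!($2 == 111 || $2 == 2049 || ($1 == "udp" && $2 == 4002)) \
        { print $1 "/" $2 " " $3 }'
}

# Emit one INPUT rule per registered port, restricted to the client subnet
# given as $1, so the firewall opens exactly what the portmapper advertises.
# On Red Hat family systems mountd, statd and lockd can be pinned with
# MOUNTD_PORT, STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT in
# /etc/sysconfig/nfs, after which these rules stay valid across reboots.
nfs_firewall_rules() {
    subnet="$1"
    rpc_ports | while read -r proto port service; do
        printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT   # %s\n' \
            "$subnet" "$proto" "$port" "$service"
    done
}

# When run directly: show the ports the sample server would still need.
printf '%s\n' "$SAMPLE_RPCINFO" | dynamic_ports
printf '%s\n' "$SAMPLE_RPCINFO" | nfs_firewall_rules 192.0.2.0/24
```

On a real server, replace the sample with `rpcinfo -p | nfs_firewall_rules <client_subnet>` and re-check after every reboot unless the ports are pinned.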