RobbieTheK
Asked: 2019-01-15 12:54:45 +0800 CST

Trying to find static ports for NIS or NFS services in firewalld


On our NIS slave server, in /etc/sysconfig/network we have set

YPSERV_ARGS="-p 944"
YPXFRD_ARGS="-p 945"

together with OTHER_YPBIND_OPTS="-p 3000" in /etc/ypbind.conf and YPPASSWDD_ARGS="--port 946" in /etc/sysconfig/yppasswdd.

But on the master server, when make -C /var/yp runs with firewalld running and debug logging enabled, the destination port (DPT) always changes. It is always UDP.

kernel: FINAL_REJECT: IN=eno3 OUT= MAC=00:0a:f7:e1:f8:6c:00:0a:f7:e1:d3:71:08:00 SRC=nis-slave DST=nis-master LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=59404 DF PROTO=UDP SPT=1003 DPT=676 LEN=56 

Also, in the new /etc/nfs.conf we have:

[lockd]
port=4002
udp-port=4002
[mountd]
port=4003
[nfsd]
port=2049
port=4001
outgoing-port=4004

The log on the slave server shows: ypxfr_callback call: RPC: Unable to receive; errno = No route to host

Stop firewalld and everything works fine. So which service is using UDP?

Tags: nfs

2 Answers

  1. Best Answer
    Michael Hampton
    2019-01-16T07:32:14+08:00

    Ancient YP/NIS is not firewall-friendly at all. It actually predates the widespread use of host firewalls. As you noticed, it expects to be able to communicate on arbitrary ports. Most protocols of the last 20 years or so no longer do this, and instead run on predictable (or at least configurable) ports.

    As a workaround, if you only have one IP address, you can simply add it to the trusted zone in firewalld, and all traffic from that IP address will be allowed. (The source can also be given as a CIDR range or a MAC address.)

     firewall-cmd --zone=trusted --add-source=10.193.35.1 [--permanent]
    
  2. ron
    2019-01-16T11:02:12+08:00

    Agreed that NIS is ancient; don't use it if you don't have to.

    For NFS, here is an example /etc/sysconfig/nfs that I took from SLES 11.4. Note that, depending on the NFS version and Linux distribution you use, things may differ slightly. But the port numbers you need to open in the firewall are at least MOUNTD_PORT and SM_NOTIFY_OPTIONS and STATD_PORT and LOCKD_TCPPORT and LOCKD_UDPPORT, plus the NFS service ports (usually 111 and 2049, for both TCP and UDP).

    For custom_number_1 through custom_number_4 use values above 1024; anything below 1024 is reserved for privileged services. You don't want to pick numbers that obviously conflict with other services; you could use the range 1024..9999, but as a personal preference I set mine above 10,000. The range >= 49152 is the dynamic range, which I think you should not pick from; if you don't configure NFS (tell it what to use), it picks them dynamically, it will be some port number >= 49152, and it will be different every time because it is dynamic... and that is why you are having problems, because the firewall will block all of those ports, and you will never know what they will be because NFS chooses them dynamically.

    The dynamic selection of port numbers you describe for NIS is the same situation; the service is not fully configured, so whatever is left blank or default or dynamically chosen = different every time = a firewall cannot be configured or used properly.

    ## Path:        Network/File systems/NFS server
    ## Description: number of threads for kernel nfs server
    ## Type:        integer
    ## Default:     4
    ## ServiceRestart:  nfsserver
    #
    # the kernel nfs-server supports multiple server threads
    #
    USE_KERNEL_NFSD_NUMBER="4"
    
    ## Path:        Network/File systems/NFS server
    ## Description:     use fixed port number for mountd
    ## Type:        integer
    ## Default:     ""
    ## ServiceRestart:  nfsserver
    #
    #  Only set this if you want to start mountd on a fixed
    #  port instead of the port assigned by rpc. Only for use
    #  to export nfs-filesystems through firewalls.
    #
    MOUNTD_PORT="custom_number_1"
    
    ## Path:                Network/File systems/NFS server
    ## Description:         GSS security for NFS
    ## Type:                yesno
    ## Default:             yes
    ## ServiceRestart:      nfs nfsserver
    #
    # Enable RPCSEC_GSS security for NFS (yes/no)
    #
    NFS_SECURITY_GSS="no"
    
    ## Path:                Network/File systems/NFS server
    ## Description:         NFSv4 protocol support
    ## Type:                yesno
    ## Default:             yes
    ## ServiceRestart:      nfs nfsserver
    #
    # Enable NFSv4 support (yes/no)
    #
    NFS4_SUPPORT="no"
    
    ## Path:                Network/File systems/NFS server
    ## Description:         NFSv4 server minor version
    ## Type:                integer
    ## Default:             0
    ## ServiceRestart:      nfsserver
    #
    # Select NFSv4 minor version for server to support (0, 1).
    # If '1' is selected, both NFSv4.0 and NFSv4.1 will be supported.
    NFS4_SERVER_MINOR_VERSION="0"
    
    ## Path:                Network/File systems/NFS server
    ## Description:         Network Status Monitor options
    ## Type:                string
    ## Default:             ""
    #
    # If a fixed port should be used to send reboot notification
    # messages to other systems, that port should be given
    # here as "-p portnumber".
    #
    SM_NOTIFY_OPTIONS="-p custom_number_2"
    
    ## Path:                Network/File systems/NFS server
    ## Description:         Always start NFS services
    ## Type:                yesno
    ## Default:             no
    ## ServiceRestart       nfs
    #
    # Always start NFS services (gssd, idmapd), not only if
    # there are nfs mounts in /etc/fstab.  This is likely to be
    # needed if you use an automounter for NFS.
    #
    NFS_START_SERVICES=""
    
    ## Path:                Network/File systems/NFS server
    ## Description:         Port rpc.statd should listen on
    ## Type:                integer
    ## Default:             ""
    ## ServiceRestart:      nfsserver
    #
    # Statd will normally choose a random port to listen on and
    # SuSE-Firewall is able to detect which port and allow for it.
    # If you have another firewall, you may want to set a fixed
    # port number which can then be opened in that firewall.
    STATD_PORT="custom_number_3"
    
    ## Path:                Network/File systems/NFS server
    ## Description:         Hostname used by rpc.statd
    ## Type:                string
    ## Default:             ""
    ## ServiceRestart:      nfsserver
    #
    # statd will normally use the system hostname in status
    # monitoring conversations with other hosts.  If a different
    # host name should be used, as can be useful with fail-over
    # configurations, that name should be given here.
    #
    STATD_HOSTNAME=""
    
    ## Path:                Network/File systems/NFS server
    ## Description:     TCP Port that lockd should listen on
    ## Type:                integer
    ## Default:             ""
    ## ServiceRestart:      nfsserver
    #
    # Lockd will normally choose a random port to listen on and
    # SuSE-Firewall is able to detect which port and allow for it.
    # If you have another firewall, you may want to set a fixed
    # port number which can then be opened in that firewall.
    # lockd opens a UDP and a TCP port.  This setting only affect
    # the TCP port.
    LOCKD_TCPPORT="custom_number_4"
    
    ## Path:                Network/File systems/NFS server
    ## Description:     UDP Port that lockd should listen on
    ## Type:                integer
    ## Default:             ""
    ## ServiceRestart:      nfsserver
    #
    # Lockd will normally choose a random port to listen on and
    # SuSE-Firewall is able to detect which port and allow for it.
    # If you have another firewall, you may want to set a fixed
    # port number which can then be opened in that firewall.
    # lockd opens a UDP and a TCP port.  This setting only affect
    # the UDP port.
    LOCKD_UDPPORT="custom_number_4"
    
    ## Path:                Network/File systems/NFS server
    ## Description:         Lease time for NFSv4 leases
    ## Type:                integer
    ## Default:             ""
    #
    # Set the lease time for the NFSv4 server.  This allows new locks
    # to be taken sooner after a server restart, so it is useful for
    # servers which need to recover quickly after a failure, particularly
    # in fail-over configurations.  Reducing the lease time can be a
    # problem is some clients connect over high latency networks.
    # The default is 90 seconds.  A number like 15 might be appropriate
    # in a fail-over configuration with all clients on well connected
    # low latency links.
    NFSV4LEASETIME=""
    
    ## Path:                Network/File systems/NFS server
    ## Description:         Alternate mount point for rpc_pipefs filesystem
    ## Type:                string
    ## Default:             ""
    #
    # In a high-availabilty configuration it is possible that /var/lib/nfs
    # is redirected so some shared storage and so it is not convenient to
    # mount the rpc_pipefs filesystem at /var/lib/nfs/rpc_pipefs.  In that
    # case an alternate mount point can be given here.
    RPC_PIPEFS_DIR=""
    
    ## Path:                Network/File systems/NFS server
    ## Description:         Options for svcgssd
    ## Type:                string
    ## Default:             ""
    #
    # Normally svcgssd does not require any option.  However in a
    # high-availabilty configuration it can be useful to pass "-n"
    # to guide the choice of default credential.  To allow for that
    # case or any other requiring options ot svcgssd, they can
    # be specified here.
    SVCGSSD_OPTIONS=""
    
    ## Path:                Network/File systems/NFS server
    ## Description:         Extra options for nfsd
    ## Type:                string
    ## Default:             ""
    #
    # This setting allows extra options to be specified for NFSD, such as
    # -H <shared_hostname> in a high-availability configuration.
    NFSD_OPTIONS=""
    
    ## Path:                Network/File systems/NFS server
    ## Description:         Extra options for gssd
    ## Type:                string
    ## Default:             ""
    #
    # Normally gssd does not require any options.  In some circumstances,
    # -n, -l or other options might be useful. See "man 8 rpc.gssd" for
    # details.  Those options can be set here.
    GSSD_OPTIONS=""
    
    ## Path:                Network/File systems/NFS server
    ## Description:         Extra options for mountd
    ## Type:                string
    ## Default:             ""
    #
    # Normally mountd does not require any options.  In some circumstances,
    # -n, -t, -g or other options might be useful. See "man 8 rpc.mountd" for
    # details.  Those options can be set here.
    # -p or -N should be set using MOUNTD_PORT or NFS4_SUPPORT rather than
    # this option.
    MOUNTD_OPTIONS=""
    
    ## Path:                Network/File systems/NFS server
    ## Description:         Avoid DNS lookups for kerberos principal
    ## Type:                yesno
    ## Default:             no
    ## ServiceRestart:      gssd
    #
    # Avoid DNS lookups when determining kerberos identity
    # of NFS server (yes/no)
    # "yes" is safest, but "no" might be needed to preserve
    # correct behaviour at sites that don't use
    # Fully Qualified Domain Names when mounting NFS Shares.
    #
    NFS_GSSD_AVOID_DNS="no"
    
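Turning ron's list of variables into firewall rules, as an added example that is not code from either answer: a POSIX sh script that reads the fixed ports from a constructed SLES-style /etc/sysconfig/nfs, rejects anything unset, privileged (below 1024) or in the dynamic range (49152 and up), and prints the firewall-cmd lines for review rather than applying them. The function names, the sample port values, and the choice to list sm-notify's port as UDP only are assumptions.

```shell
#!/bin/sh
# Added example (not from either answer): derive firewalld port rules from the
# fixed ports in a SLES-style /etc/sysconfig/nfs. The sample file is constructed.

# Print the value of KEY from a sysconfig file (last definition wins, quotes stripped).
sysconfig_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# A usable fixed port: numeric, above the privileged range (<=1024) and below
# the dynamic/ephemeral range (>=49152) that the answer says to avoid.
port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -lt 49152 ]
}

# Print one "port/proto" per line. rpcbind (111) and nfsd (2049) are fixed on both
# transports; lockd has separate TCP/UDP settings; sm-notify is listed as UDP only
# (assumption). Fails if any of the five configured ports is unset or out of range.
nfs_firewall_ports() {
    mountd=$(sysconfig_get "$1" MOUNTD_PORT)
    statd=$(sysconfig_get "$1" STATD_PORT)
    lockd_tcp=$(sysconfig_get "$1" LOCKD_TCPPORT)
    lockd_udp=$(sysconfig_get "$1" LOCKD_UDPPORT)
    notify=$(sysconfig_get "$1" SM_NOTIFY_OPTIONS | sed -n 's/.*-p[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    for v in "$mountd" "$statd" "$lockd_tcp" "$lockd_udp" "$notify"; do
        port_ok "$v" || { echo "unset or out-of-range port: '$v'" >&2; return 1; }
    done
    {
        for p in 111 2049 "$mountd" "$statd"; do echo "$p/tcp"; echo "$p/udp"; done
        echo "$lockd_tcp/tcp"
        echo "$lockd_udp/udp"
        echo "$notify/udp"
    } | LC_ALL=C sort -u
}

# Constructed sample: ports in the 1025..49151 range, mirroring the question's layout.
SAMPLE_NFS_CONF=$(mktemp)
cat > "$SAMPLE_NFS_CONF" <<'EOF'
MOUNTD_PORT="4003"
SM_NOTIFY_OPTIONS="-p 4005"
STATD_PORT="4006"
LOCKD_TCPPORT="4002"
LOCKD_UDPPORT="4002"
EOF

# Print (do not run) the firewalld commands so they can be reviewed before applying.
nfs_firewall_ports "$SAMPLE_NFS_CONF" |
    sed 's|^|firewall-cmd --permanent --zone=public --add-port=|'
```

Remember to run `firewall-cmd --reload` after applying permanent rules; if you also fix the NIS daemons' ports as in the question, add those to the same list.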