Finding static ports for the NIS and NFS services in firewalld


Question:

In /etc/sysconfig/network on our servers we have set

    YPSERV_ARGS="-p 944"
    YPXFRD_ARGS="-p 945"

plus OTHER_YPBIND_OPTS="-p 3000" in /etc/ypbind.conf and YPPASSWDD_ARGS="--port 946" in /etc/sysconfig/yppasswdd.

But when I run make -C /var/yp on the master server with debugging enabled on the firewall, the destination port (DPT) changes every time. It is always UDP.


kernel: FINAL_REJECT: IN=eno3 OUT= MAC=00:0a:f7:e1:f8:6c:00:0a:f7:e1:d3:71:08:00 SRC=nis-slave DST=nis-master LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=59404 DF PROTO=UDP SPT=1003 DPT=676 LEN=56 



Also, in the new /etc/nfs.conf we have:


    [lockd]
    port=4002
    udp-port=4002
    [mountd]
    port=4003
    [nfsd]
    port=2049
    port=4001
    outgoing-port=4004



The log on the slave server shows: ypxfr_callback call: RPC: Unable to receive; errno = No route to host

With the firewall stopped, everything works. So which service is using UDP?


Answer 1:

The ancient yp/nis stuff is not firewall friendly. It predates the widespread use of host firewalls. As you have noticed, it wants to be able to talk on arbitrary ports. Most protocols of the last 20 years no longer do this and run on predictable (or at least configurable) ports.

That said, if there is only one IP address involved, you can add it to the firewall's trusted zone and allow it. (The source can also be given as a CIDR range or a MAC address.)


    firewall-cmd --zone=trusted --add-source=10.193.35.1 [--permanent]




Answer 2:

Agreed, NIS is ancient; don't use it if you don't need to.

The following example shows how to use /etc/sysconfig/nfs on 11.4, and the Linux distribution you are using should have something similar; this is an example I took from SLES. In addition to MOUNTD_PORT (TCP and UDP), the port numbers to open in the firewall are at least those for SM_NOTIFY_OPTIONS, STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT, and usually 111 and 2049.

For example, for custom_number_1 use something above 1024; anything below 1024 is reserved for privileged services. Obviously you don't want to pick a number that conflicts with another service in the range above 1024. You can use those, but my personal preference is to set them above the second range, 49152 and up, which is the dynamic range. I think that is what gets chosen if you don't configure NFS (tell it what to use): a port is picked each time NFS starts, and it will be different each time because it is dynamic. Since the firewall blocks all ports, you would never know which ones NFS chose.

Dynamic selection is the same deal: the service is not fully configured, or is not configured to work correctly with a firewall.


    ## Path: Network/File systems/NFS server
    ## Description: number of threads for kernel nfs server
    ## Type: integer
    ## Default: 4
    ## ServiceRestart: nfsserver
    #
    # the kernel nfs-server supports multiple server threads
    #
    USE_KERNEL_NFSD_NUMBER="4"

    ## Path: Network/File systems/NFS server
    ## Description: use fixed port number for mountd
    ## Type: integer
    ## Default: ""
    ## ServiceRestart: nfsserver
    #
    # Only set this if you want to start mountd on a fixed
    # port instead of the port assigned by rpc. Only for use
    # to export nfs-filesystems through firewalls.
    #
    MOUNTD_PORT="custom_number_1"

    ## Path: Network/File systems/NFS server
    ## Description: GSS security for NFS
    ## Type: yesno
    ## Default: yes
    ## ServiceRestart: nfs nfsserver
    #
    # Enable RPCSEC_GSS security for NFS (yes/no)
    #
    NFS_SECURITY_GSS="no"

    ## Path: Network/File systems/NFS server
    ## Description: NFSv4 protocol support
    ## Type: yesno
    ## Default: yes
    ## ServiceRestart: nfs nfsserver
    #
    # Enable NFSv4 support (yes/no)
    #
    NFS4_SUPPORT="no"

    ## Path: Network/File systems/NFS server
    ## Description: NFSv4 server minor version
    ## Type: integer
    ## Default: 0
    ## ServiceRestart: nfsserver
    #
    # Select NFSv4 minor version for server to support (0, 1).
    # If '1' is selected, both NFSv4.0 and NFSv4.1 will be supported.
    NFS4_SERVER_MINOR_VERSION="0"

    ## Path: Network/File systems/NFS server
    ## Description: Network Status Monitor options
    ## Type: string
    ## Default: ""
    #
    # If a fixed port should be used to send reboot notification
    # messages to other systems, that port should be given
    # here as "-p portnumber".
    #
    SM_NOTIFY_OPTIONS="-p custom_number_2"

    ## Path: Network/File systems/NFS server
    ## Description: Always start NFS services
    ## Type: yesno
    ## Default: no
    ## ServiceRestart: nfs
    #
    # Always start NFS services (gssd, idmapd), not only if
    # there are nfs mounts in /etc/fstab. This is likely to be
    # needed if you use an automounter for NFS.
    #
    NFS_START_SERVICES=""

    ## Path: Network/File systems/NFS server
    ## Description: Port rpc.statd should listen on
    ## Type: integer
    ## Default: ""
    ## ServiceRestart: nfsserver
    #
    # Statd will normally choose a random port to listen on and
    # SuSE-Firewall is able to detect which port and allow for it.
    # If you have another firewall, you may want to set a fixed
    # port number which can then be opened in that firewall.
    STATD_PORT="custom_number_3"

    ## Path: Network/File systems/NFS server
    ## Description: Hostname used by rpc.statd
    ## Type: string
    ## Default: ""
    ## ServiceRestart: nfsserver
    #
    # statd will normally use the system hostname in status
    # monitoring conversations with other hosts. If a different
    # host name should be used, as can be useful with fail-over
    # configurations, that name should be given here.
    #
    STATD_HOSTNAME=""

    ## Path: Network/File systems/NFS server
    ## Description: TCP Port that lockd should listen on
    ## Type: integer
    ## Default: ""
    ## ServiceRestart: nfsserver
    #
    # Lockd will normally choose a random port to listen on and
    # SuSE-Firewall is able to detect which port and allow for it.
    # If you have another firewall, you may want to set a fixed
    # port number which can then be opened in that firewall.
    # lockd opens a UDP and a TCP port. This setting only affects
    # the TCP port.
    LOCKD_TCPPORT="custom_number_4"

    ## Path: Network/File systems/NFS server
    ## Description: UDP Port that lockd should listen on
    ## Type: integer
    ## Default: ""
    ## ServiceRestart: nfsserver
    #
    # Lockd will normally choose a random port to listen on and
    # SuSE-Firewall is able to detect which port and allow for it.
    # If you have another firewall, you may want to set a fixed
    # port number which can then be opened in that firewall.
    # lockd opens a UDP and a TCP port. This setting only affects
    # the UDP port.
    LOCKD_UDPPORT="custom_number_4"

    ## Path: Network/File systems/NFS server
    ## Description: Lease time for NFSv4 leases
    ## Type: integer
    ## Default: ""
    #
    # Set the lease time for the NFSv4 server. This allows new locks
    # to be taken sooner after a server restart, so it is useful for
    # servers which need to recover quickly after a failure, particularly
    # in fail-over configurations. Reducing the lease time can be a
    # problem if some clients connect over high latency networks.
    # The default is 90 seconds. A number like 15 might be appropriate
    # in a fail-over configuration with all clients on well connected
    # low latency links.
    NFSV4LEASETIME=""

    ## Path: Network/File systems/NFS server
    ## Description: Alternate mount point for rpc_pipefs filesystem
    ## Type: string
    ## Default: ""
    #
    # In a high-availability configuration it is possible that /var/lib/nfs
    # is redirected to some shared storage and so it is not convenient to
    # mount the rpc_pipefs filesystem at /var/lib/nfs/rpc_pipefs. In that
    # case an alternate mount point can be given here.
    RPC_PIPEFS_DIR=""

    ## Path: Network/File systems/NFS server
    ## Description: Options for svcgssd
    ## Type: string
    ## Default: ""
    #
    # Normally svcgssd does not require any option. However in a
    # high-availability configuration it can be useful to pass "-n"
    # to guide the choice of default credential. To allow for that
    # case or any other requiring options to svcgssd, they can
    # be specified here.
    SVCGSSD_OPTIONS=""

    ## Path: Network/File systems/NFS server
    ## Description: Extra options for nfsd
    ## Type: string
    ## Default: ""
    #
    # This setting allows extra options to be specified for NFSD, such as
    # -H <shared_hostname> in a high-availability configuration.
    NFSD_OPTIONS=""

    ## Path: Network/File systems/NFS server
    ## Description: Extra options for gssd
    ## Type: string
    ## Default: ""
    #
    # Normally gssd does not require any options. In some circumstances,
    # -n, -l or other options might be useful. See "man 8 rpc.gssd" for
    # details. Those options can be set here.
    GSSD_OPTIONS=""

    ## Path: Network/File systems/NFS server
    ## Description: Extra options for mountd
    ## Type: string
    ## Default: ""
    #
    # Normally mountd does not require any options. In some circumstances,
    # -n, -t, -g or other options might be useful. See "man 8 rpc.mountd" for
    # details. Those options can be set here.
    # -p or -N should be set using MOUNTD_PORT or NFS4_SUPPORT rather than
    # this option.
    MOUNTD_OPTIONS=""

    ## Path: Network/File systems/NFS server
    ## Description: Avoid DNS lookups for kerberos principal
    ## Type: yesno
    ## Default: no
    ## ServiceRestart: gssd
    #
    # Avoid DNS lookups when determining kerberos identity
    # of NFS server (yes/no)
    # "yes" is safest, but "no" might be needed to preserve
    # correct behaviour at sites that don't use
    # Fully Qualified Domain Names when mounting NFS Shares.
    #
    NFS_GSSD_AVOID_DNS="no"
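As an added example (not from the question or either answer), a Python script that pulls the fixed ports out of an /etc/nfs.conf fragment like the question's, or out of a SLES-style /etc/sysconfig/nfs like the one above, and renders the firewall-cmd lines that open exactly those ports plus rpcbind's 111. The sample inputs and the numbers 4005 and 4006 are constructed; the NIS ypxfr callback is not covered because, as answer 1 says, it uses arbitrary ports rather than a fixed one.

```python
import configparser

# Constructed sample: the /etc/nfs.conf fragment from the question, with one "port=" under [nfsd].
NFS_CONF = """
[lockd]
port=4002
udp-port=4002
[mountd]
port=4003
[nfsd]
port=2049
"""
# Constructed sample in the SLES /etc/sysconfig/nfs style; hypothetical numbers replace custom_number_N.
SYSCONFIG_NFS = """
MOUNTD_PORT="4003"
STATD_PORT="4005"
LOCKD_TCPPORT="4002"
LOCKD_UDPPORT="4002"
SM_NOTIFY_OPTIONS="-p 4006"
"""
# Which protocol(s) each fixed-port setting binds (lockd's "port" is TCP only).
NFS_CONF_KEYS = {("lockd", "port"): ("tcp",), ("lockd", "udp-port"): ("udp",),
                 ("mountd", "port"): ("tcp", "udp"), ("nfsd", "port"): ("tcp", "udp"),
                 ("statd", "port"): ("tcp", "udp")}
SYSCONFIG_KEYS = {"MOUNTD_PORT": ("tcp", "udp"), "STATD_PORT": ("tcp", "udp"),
                  "LOCKD_TCPPORT": ("tcp",), "LOCKD_UDPPORT": ("udp",)}
RPCBIND = {(111, "tcp"), (111, "udp")}  # portmapper, which NFSv3 clients query first

def ports_from_nfs_conf(text):
    """Fixed listening ports declared in nfs.conf, as a set of (port, proto)."""
    cp = configparser.ConfigParser(strict=False)  # tolerate repeated keys, last one wins
    cp.read_string(text)
    return {(int(cp[s][k]), p) for (s, k), protos in NFS_CONF_KEYS.items()
            if s in cp and k in cp[s] for p in protos}

def ports_from_sysconfig(text):
    """Same for KEY="value" lines; SM_NOTIFY_OPTIONS -p is the UDP port sm-notify uses."""
    kv = {k.strip(): v.strip().strip('"') for k, _, v in
          (l.partition("=") for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))}
    found = {(int(kv[key]), p) for key, protos in SYSCONFIG_KEYS.items()
             if kv.get(key, "").isdigit() for p in protos}
    opts = kv.get("SM_NOTIFY_OPTIONS", "").split()
    if "-p" in opts:
        found.add((int(opts[opts.index("-p") + 1]), "udp"))
    return found

def firewall_cmds(ports, zone="public"):
    """firewall-cmd lines that open exactly these ports plus rpcbind (111)."""
    return [f"firewall-cmd --permanent --zone={zone} --add-port={p}/{proto}"
            for p, proto in sorted(ports | RPCBIND)]
```

After applying the lines, run firewall-cmd --reload and compare against rpcinfo -p on the server, which lists the ports the RPC services actually registered.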




