NFS ports HPUX 11.23

SOLVED
David Islas González_1
Frequent Advisor

Hi,

I'm having trouble configuring NFS. I must use static ports because there is a firewall between my server and some clients. I have already read this doc:

http://docs.hp.com/en/B9901-90042/ch12s02.html

I've applied the recommended patch PHNE_38252 and added the following lines to /etc/rc.config.d/nfsconf:
STATD_PORT=65534
MOUNTD_PORT=65535
LOCKD_PORT=4045

After the reboot, the rpcinfo output is correct:

uilnsx01:root> rpcinfo -p
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
100024 1 udp 65534 status
100024 1 tcp 65534 status
100020 1 udp 4045 llockmgr
100020 1 tcp 4045 llockmgr
100021 1 udp 4045 nlockmgr
100021 3 udp 4045 nlockmgr
100021 4 udp 4045 nlockmgr
100021 1 tcp 4045 nlockmgr
100021 3 tcp 4045 nlockmgr
100021 4 tcp 4045 nlockmgr
100021 2 tcp 4045 nlockmgr
390113 1 tcp 7937
100005 1 udp 65535 mountd
100005 3 udp 65535 mountd
100005 1 tcp 65535 mountd
100005 3 tcp 65535 mountd
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs

But the NFS service is still trying to use other ports; here is the evidence from the firewall:

Feb 18 16:04:14 hnsqbkuprtb03 8463265: .Feb 18 16:04:13 EST: %SEC-6-IPACCESSLOGP: list 2000 DENIED udp 172.22.15.14(625) -> 172.22.4.89(65535), 1 packet
Feb 18 16:04:14 hnsqbkuprtb03 8463263: .Feb 18 16:04:13 EST: %SEC-6-IPACCESSLOGP: list 2000 PERMITED udp 172.22.15.12(54007) -> 172.22.4.89(65535), 1 packet
Feb 18 16:04:14 hnsqbkuprtb03 8463261: .Feb 18 16:04:13 EST: %SEC-6-IPACCESSLOGP: list 2000 DENIED udp 172.22.15.12(846) -> 172.22.4.89(65535), 1 packet

where 172.22.4.89 is the server, and the other IP addresses are the clients.

I appreciate any suggestion.
10 REPLIES
RAC_1
Honored Contributor

Re: NFS ports HPUX 11.23

I don't know, but is there client config too, for setting ports?
There is no substitute to HARDWORK
Dave Olker
HPE Pro

Re: NFS ports HPUX 11.23

Hi David,

I have no idea what firewall you're using or what firewall rules you've established. All I can do is make a guess based on what you said works and what fails:

DENIED udp 172.22.15.14(625) -> 172.22.4.89(65535)
>>>> PERMITED udp 172.22.15.12(54007) -> 172.22.4.89(65535)
DENIED udp 172.22.15.12(846) -> 172.22.4.89(65535)

It denied inbound packets to port 65535 that originated from remote ports in the reserved port range (625 and 846). It allowed an inbound packet to port 65535 that originated from a remote port in the anonymous range (54007).

Are you sure you don't have a firewall rule about allowing or denying packets from the reserved port range?

Regards,

Dave
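The pattern pointed out in the reply above, as an added example that is not part of the original thread: this Python sketch parses the three ACL log lines quoted on the page and groups them by source-port class, showing that the verdict follows the client's source port and not the pinned destination port. The function names and the `RESERVED_MAX` constant are assumptions of the example.

```python
import re
from collections import Counter

# Log lines taken from the firewall excerpt in the thread (syslog prefix trimmed).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 2000 DENIED udp 172.22.15.14(625) -> 172.22.4.89(65535), 1 packet
%SEC-6-IPACCESSLOGP: list 2000 PERMITED udp 172.22.15.12(54007) -> 172.22.4.89(65535), 1 packet
%SEC-6-IPACCESSLOGP: list 2000 DENIED udp 172.22.15.12(846) -> 172.22.4.89(65535), 1 packet
"""

LINE_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>[A-Za-z]+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
RESERVED_MAX = 1023  # assumption of this example: ports 0-1023 count as reserved


def parse(log_text):
    """Return one dict per ACL log line, with the source port classified."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IPACCESSLOGP line
        ev = m.groupdict()
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        # Normalise the verdict; the excerpt spells it "PERMITED".
        ev["action"] = "permit" if ev["action"].upper().startswith("PERMIT") else "deny"
        ev["src_class"] = "reserved" if ev["sport"] <= RESERVED_MAX else "anonymous"
        events.append(ev)
    return events


def summarize(events):
    """Count (destination port, source-port class, verdict) triples."""
    return Counter((e["dport"], e["src_class"], e["action"]) for e in events)


def denials_track_source_port(events):
    """True when every reserved-source packet is denied and every anonymous one permitted."""
    verdicts = {(e["src_class"], e["action"]) for e in events}
    return verdicts == {("reserved", "deny"), ("anonymous", "permit")}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for key, count in sorted(summarize(evs).items()):
        print(key, count)
    print("verdict follows source-port class:", denials_track_source_port(evs))
```
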
David Islas González_1
Frequent Advisor

Re: NFS ports HPUX 11.23

Yes, this port config is for both server and client. I forgot to say that there is a rule in the firewall that does not allow ports below 1023; that's the DENIED log. But why, if I specified the ports to use, is it still generating packets on different ports??
Regards
Dave Olker
HPE Pro
Solution

Re: NFS ports HPUX 11.23

> But why if I specified the ports to use is
> still generating packets in different ports??

All you're configuring with the static port number enhancement is the port number that the server daemons will listen on. You have no control over the port numbers used on the remote NFS client systems contacting these daemons.

If you DENY access from reserved ports to these daemons you will likely never get NFS to work because most NFS client implementations use reserved ports either when mounting, locking, or accessing NFS files.

Dave
David Islas González_1
Frequent Advisor

Re: NFS ports HPUX 11.23

Hi Dave, just to understand what you have just told me: I can not specify a range of ports that the client must use, right??
T G Manikandan
Honored Contributor

Re: NFS ports HPUX 11.23

Some of the daemons involved in sharing data via NFS are already bound to a port. portmap is always on port 111 TCP and UDP. nfsd is always on port 2049 TCP and UDP.

The other daemons, statd, mountd, lockd, and rquotad, will normally move around to the first available port they are informed of by the portmapper.
As Dave suggested, you will not have control over the clients' port numbers during communication.

If I were you, I would give it a try by setting port numbers for statd and lockd, the daemons which are to be running on the NFS client.

Dave Olker
HPE Pro

Re: NFS ports HPUX 11.23

> I can not specify a range of ports that the client must use, right??

No.

You can specify the port numbers that lockd, statd, mountd will *listen for requests on*, just as you have with the server side, but you cannot control which port numbers the actual lock/mount/nfs requests will come from. Those are typically assigned randomly from either the reserved pool (for some operations) or the anonymous pool (for some operations). I know of no way to configure specific ports for these requests.

Dave
David Islas González_1
Frequent Advisor

Re: NFS ports HPUX 11.23

Mmmmh, OK, does anybody know if an alternative exists for this?? I strongly need NFS because this is my Ignite server and I have clients on both subnets.
T G Manikandan
Honored Contributor

Re: NFS ports HPUX 11.23

It is normally the ports below 1023 which are blocked with the servers.

I don't see any issue opening up client ports > 1023.

The option is to use a tape drive on each client and perform Ignite operations locally.
David Islas González_1
Frequent Advisor

Re: NFS ports HPUX 11.23

In fact, ports over 1024 are open, but the NFS service is still trying to go below 1024. Adding a tape is not an option as I have too many servers. :(