On our slave NIS server, in /etc/sysconfig/network, I've set

YPSERV_ARGS="-p 944"
YPXFRD_ARGS="-p 945"

and also

OTHER_YPBIND_OPTS="-p 3000"
YPPASSWDD_ARGS="--port 946"
But on the master server, when running make -C /var/yp with debug logging enabled on firewalld, the destination port (DPT) always changes. It's always UDP:
kernel: FINAL_REJECT: IN=eno3 OUT= MAC=00:0a:f7:e1:f8:6c:00:0a:f7:e1:d3:71:08:00 SRC=nis-slave DST=nis-master LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=59404 DF PROTO=UDP SPT=1003 DPT=676 LEN=56
Also, in the new /etc/nfs.conf we have:

[lockd]
port=4002
udp-port=4002
[mountd]
port=4003
[nfsd]
port=2049
port=4001
outgoing-port=4004
And the logs on the slave server show:
ypxfr_callback call: RPC: Unable to receive; errno = No route to host
Stop firewalld and all is well. So what service is using UDP?
The ancient YP/NIS stuff is not at all firewall friendly. It literally predates the wide use of host firewalls. As you’ve noticed, it expects to be able to communicate on arbitrary ports. Most protocols from the last 20 years or so no longer do this, and run on predictable (or at least configurable) ports.
As a workaround, if you only have one IP address, you can just add it to the trusted zone in firewalld, and all traffic from that IP address will be allowed. (Sources can also be given by CIDR range or MAC address.)
firewall-cmd --zone=trusted --add-source=10.193.35.1 [--permanent]
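Before opening the whole host to a peer, it is worth confirming that the rejects really are the arbitrary-port RPC traffic and not a pinned port that was simply never opened. The following is an added example (not code from the question or the answer) that parses firewalld FINAL_REJECT kernel log lines like the one in the question, counts the rejected destination ports that fall outside the set of ports pinned in the configuration above (plus rpcbind's 111, which is assumed here), and builds the firewall-cmd workaround from the answer for each offending source. The sample log lines are constructed for the example; only the first one is modelled on the real line from the question.

```python
import re
from collections import Counter

# Ports pinned in the question's config: ypserv 944, ypxfrd 945,
# yppasswdd 946, ypbind 3000, lockd 4002, mountd 4003, nfsd 2049,
# 4001 and outgoing-port 4004. rpcbind/portmapper on 111 is an assumption.
PINNED_PORTS = {111, 944, 945, 946, 2049, 3000, 4001, 4002, 4003, 4004}

# Constructed sample log lines. The first mirrors the question; the rest
# (MAC shortened, ports 812/944/2049, source 10.193.35.9) are made up.
SAMPLE_LOG = """\
kernel: FINAL_REJECT: IN=eno3 OUT= MAC=00:0a:f7:e1:f8:6c:00:0a:f7:e1:d3:71:08:00 SRC=nis-slave DST=nis-master LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=59404 DF PROTO=UDP SPT=1003 DPT=676 LEN=56
kernel: FINAL_REJECT: IN=eno3 OUT= MAC=... SRC=nis-slave DST=nis-master LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=59405 DF PROTO=UDP SPT=1003 DPT=812 LEN=56
kernel: FINAL_REJECT: IN=eno3 OUT= MAC=... SRC=nis-slave DST=nis-master LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59406 DF PROTO=TCP SPT=1004 DPT=944 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: FINAL_REJECT: IN=eno3 OUT= MAC=... SRC=10.193.35.9 DST=nis-master LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=59407 DF PROTO=UDP SPT=40000 DPT=2049 LEN=56
kernel: some unrelated message that is not a reject
"""


def parse_reject(line):
    """Return the key fields of one FINAL_REJECT line for TCP/UDP traffic,
    or None for non-reject lines and for protocols without ports (ICMP)."""
    if "FINAL_REJECT:" not in line:
        return None
    # Every netfilter log field is KEY=VALUE; split them out in one pass.
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    if fields.get("PROTO") not in ("TCP", "UDP") or "DPT" not in fields:
        return None
    return {
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields["PROTO"],
        "spt": int(fields.get("SPT", 0)),
        "dpt": int(fields["DPT"]),
    }


def parse_log(text):
    """Parse every line of a log excerpt, dropping lines that are not rejects."""
    return [r for r in map(parse_reject, text.splitlines()) if r]


def unpinned_rejects(records, pinned=PINNED_PORTS):
    """Count rejected (src, proto, dpt) triples whose destination port is
    NOT one of the pinned ports: these are the RPC services still picking
    arbitrary ports, the behaviour the answer describes."""
    return Counter(
        (r["src"], r["proto"], r["dpt"]) for r in records if r["dpt"] not in pinned
    )


def dynamic_port_sources(records, pinned=PINNED_PORTS):
    """Peers that hit unpinned ports; candidates for the trusted-zone workaround."""
    return {src for (src, _proto, _dpt) in unpinned_rejects(records, pinned)}


def trusted_source_cmd(source, permanent=False):
    """argv for the answer's workaround: put the peer in firewalld's trusted
    zone. Run it once with permanent=False (runtime) and once with
    permanent=True, or the change is lost on reload."""
    cmd = ["firewall-cmd"]
    if permanent:
        cmd.append("--permanent")
    cmd += ["--zone=trusted", f"--add-source={source}"]
    return cmd


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for (src, proto, dpt), n in sorted(unpinned_rejects(records).items()):
        print(f"{src} -> {proto}/{dpt} rejected {n}x (not a pinned port)")
    for src in sorted(dynamic_port_sources(records)):
        print(" ".join(trusted_source_cmd(src)))
        print(" ".join(trusted_source_cmd(src, permanent=True)))
```

Run it against a real excerpt of the master's journal (journalctl -k, or wherever your kernel log lands) instead of SAMPLE_LOG. A reject on a pinned port, like the TCP/944 line in the sample, means the firewall rule for that service is missing and should be fixed properly; only the rejects on ports outside the pinned set justify the trusted-zone workaround.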
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.