Score:0

Server

Trouble mounting an NFS mount-point on a firewall system which works perfectly on other internal systems: How do I find the cause?

Richard T

10/5/23, 10:38 PM

This is on Fedora Core 35: This environment is mature and has a few systems that are called either firewalls or gateways, and for the first time, we want to do an NFS share to one of these systems.

After having trouble with the mount on the client, I proved the server's config is fine by doing an identical mount on a different internal system using copy-paste of the /etc/fstab entry. I figured it had to be a firewall issue, so I changed the interface to be in the "trusted" zone. And yet I still get:

mount.nfs: access denied by server while mounting 192.168.1.1:/fu

So, I did some research and figured out to do:

rpcdebug -m nfsd -s all

But I get nothing related to the mount in question - in fact NOTHING goes into /var/log/messages ... isn't that where I'm supposed to look?! (Other nfs related items are going there, but not this mount.)

So, I tried our backup server and got the same (null) result. And I also tried changing from using the hostname and using the IP address on the client - same results either way, nothing but what I've reported.)

1448

2 + 0

nfs

fedora

mount

firewalld

Score:0

Server

drookie

10/6/23, 9:42 AM

The line

mount.nfs: access denied by server while mounting 192.168.1.1:/fu

clearly indicates that the NFS server (to be precise - mountd) denied the mount request for the client. Most probably this happened due to the fact that the client IP was not mentioned in the exports file on the server.

I suppose you review it one more time.

+ 2

Richard T

10/6/23, 9:27 PM

Unfortunately, that's not the problem. I checked. No only are the names used in /etc/hosts, you can ping with them, but I also added their ip addresses, just to be sure. The problem persists! But thanks for trying! Other ideas?

Richard T

10/6/23, 10:24 PM

I found it and provided an answer. ... if you like my answer, please give it a vote! Thanks for your attention to this problem.

Score:0

Server

Richard T

10/6/23, 10:23 PM

I figured it out.

Apparently, the export function stops reading the /etc/export file on any error. The exports that have been read in already and are "valid" are exported, however, any further exports that may be in the file are ignored because processing stops.

Unfortunately, such errors are NOT logged in /var/log/messages (the system error log file) by nfs. So far as I have discovered to date, the ONLY place these errors are reported is by running:

exportfs -a

In this case, most of my entries began with "rw", a few "ro" and the error that caused all this was one that was just "r". Oops! That's where the exporting stopped.

Also worthy of attention are these additional tools that helped me find the problem:

As already noted in the question, here for making a thorough answer, this sends "all" errors to the system log file (/var/log/messages):

rpcdebug -m nfsd -s all

Again,NOT ALL ERRORS ACTUALLY CAN GO HERE, as already noted about /etc/export errors.

List all current exports possible: From a server:

exportfs

From a client:

showmount -e <host>

Note that showmount is a DANGEROUS possible security hole because it can let clients easily know what a server can do and thus about other systems. So in a case like this one, where it's a "firewall / gateway" machine, make sure ONLY root can run it!

And, finally, you can also get a network dump:

tcpdump -s0 -i <interface> host <host_ip> -w <file>

I don't have a good pointer for how to interpret said dump, but you can run strings on it to at least confirm you got the right packets.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Trouble mounting an NFS mount-point on a firewall system which works perfectly on other internal systems: How do I find the cause?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.