Bug 11548 - autofs and the firewall do not work together.
Status: RESOLVED OLD
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 3
Hardware: x86_64 Linux
Priority: Normal minor
Target Milestone: ---
Assignee: Mageia Bug Squad
Reported: 2013-10-27 20:52 CET by Xuo
Modified: 2015-03-31 16:03 CEST
Description Xuo 2013-10-27 20:52:47 CET
Description of problem:

My nfs server exports /home
exportfs => /home           192.168.0.0/8

On the client side, it is possible to mount the /home directory

 mount -t nfs server:/home /myClientMountPoint

 => works without any problem, whether the firewall on the server is enabled or not.

On the client side, the autofs service is enabled.
The auto.master file is the following:
/net                    /etc/autofs/auto.net            --timeout=10 --ghost

If the firewall on the server side is not enabled, I can do anything:
ls -las /net/server/home works.

If the firewall on the server side is enabled, then nothing happens.
The following ports are open :

cat /etc/ifw/rules

. /etc/ifw/rules.d/psd
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 111 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 2049 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 4002 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 4001 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 4003 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 4004 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 137 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 138 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 139 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 445 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp -m multiport --dport 1024:1100 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 5353 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 427 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 662 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 892 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 32803 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 662 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 892 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 32803 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 32769 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 25 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 465 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 111 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 2049 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 4002 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 4001 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 4003 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 4004 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 137 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 138 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 139 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 445 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp -m multiport --dport 1024:1100 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp -m multiport --dport 6881:6999 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 662 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 892 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 32803 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 662 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 892 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 32803 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 32769 -j IFWLOG --log-prefix NEW

I don't modify this file myself. I use drakfirewall.

Regards.

Xuo.
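
Added example, not part of the original report and not Mageia's own tooling: a check for whether every port the server's RPC services are registered on is named in a rule file of the form shown above, since services such as mountd are placed on dynamic ports unless they are pinned. The rule lines and the `rpcinfo -p` output are constructed samples, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example; all sample data below is constructed.
# Constructed rules, same form as the /etc/ifw/rules listing in the report.
RULES='iptables -A Ifw -m conntrack --ctstate NEW -p udp --dport 111 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p udp -m multiport --dport 1024:1100 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 111 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 2049 -j IFWLOG --log-prefix NEW
iptables -A Ifw -m conntrack --ctstate NEW -p tcp --dport 4002 -j IFWLOG --log-prefix NEW'
# Constructed `rpcinfo -p` output; on a real server capture it with: rpcinfo -p
RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    3   udp  45123  mountd
    100005    3   tcp  38211  mountd
    100021    4   tcp   4002  nlockmgr
    100024    1   udp  51001  status'
# uncovered_rpc_ports RULES_TEXT RPCINFO_TEXT: print "proto/port service" for each registration no rule names.
uncovered_rpc_ports() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { in_rpc = 1; next }
        !in_rpc {                        # rule section: collect proto + port ranges
            proto = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), list, ",")
                    for (k = 1; k <= n; k++) {
                        lo = hi = list[k]
                        if (split(list[k], r, ":") == 2) { lo = r[1]; hi = r[2] }
                        cnt++; P[cnt] = proto; LO[cnt] = lo + 0; HI[cnt] = hi + 0
                    }
                }
            }
            next
        }
        $1 ~ /^[0-9]+$/ {                # rpcinfo section: program vers proto port service
            key = $3 "/" $4 " " $5
            if (seen[key]++) next        # one line per proto/port, not per version
            ok = 0
            for (j = 1; j <= cnt; j++)
                if (P[j] == $3 && $4 + 0 >= LO[j] && $4 + 0 <= HI[j]) ok = 1
            if (!ok) print key
        }'
}

uncovered_rpc_ports "$RULES" "$RPCINFO"
```

Any line it prints is a service registered on a port the rule file does not mention; an empty result means every registration falls inside a listed port or range.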

Comment 1 Marja Van Waes 2015-03-31 16:03:09 CEST
Mageia 3 changed to end-of-life (EOL) status 4 months ago.
http://blog.mageia.org/en/2014/11/26/lets-say-goodbye-to-mageia-3/ 

Mageia 3 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Mageia,
please feel free to click on "Version", change it to that version of Mageia,
and reopen this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

--
The Mageia Bugsquad

Status: NEW => RESOLVED
Resolution: (none) => OLD

