# NFS server refuses to connect



## roberc (Mar 13, 2018)

Hi all!

I have a few FreeBSD boxes and they are connected via NFS.
They are not on the same network.
Four of them connect easily and quietly.
The other two do not.

After some time (timeout) I have this timeout message:

```
[tcp] server:/path: RPCPROG_NFS: RPC: Port mapper failure - RPC: Timed out
```
The same if I execute:

```
showmount -e server
```

If I try to execute:

```
service nfsclient restart
```

I'm getting these answers (pretty fast):

```
rpc.umntall: server: MOUNTPROG: RPC: Port mapper failure - RPC: Timed out
rpc.umntall: server: MOUNTPROG: RPC: Port mapper failure - RPC: Timed out
```

Any ideas?
Where should I dig?

P.S.
One of the boxes (which doesn't connect) was working nicely without any complaints, but I had to change some hardware, so it was restarted. After that it refused to connect.
The provider denies any limitations - a Linux box connects smoothly.


----------



## SirDice (Mar 14, 2018)

Some firewall blocking traffic between the clients and the server? Restrictions in /etc/exports somebody forgot to correct?


----------



## roberc (Mar 14, 2018)

SirDice said:


> Some firewall blocking traffic between the clients and the server? Restrictions in /etc/exports somebody forgot to correct?


Nothing - everything is clean.
The firewall is disabled on BSD, and the exports file is the same as it was before the reboot.
The Linux box (from the same network as the unconnectable BSD) can connect easily, only the BSD box is stuck.


----------



## SirDice (Mar 14, 2018)

What does `rpcinfo -p server` output?


----------



## gkontos (Mar 14, 2018)

You mentioned that they are not on the same network. Which is the NFS server, the Linux box or the FreeBSD box? Do you have access to the firewall of the NFS server?

Can you ping the NFS server?


----------



## roberc (Mar 14, 2018)

```
rpcinfo -s server
program version(s) netid(s)                         service     owner
    100000  2,3,4     local,udp6,tcp6,udp,tcp          rpcbind     superuser
    100024  1         tcp,udp,tcp6,udp6                status      superuser
    100003  3,2       tcp6,tcp,udp6,udp                nfs         superuser
    100005  3,1       tcp,udp,tcp6,udp6                mountd      superuser
```

And, of course, it can be pinged.

I enabled NFSv4, too, in case it would work. But no luck.


----------



## SirDice (Mar 14, 2018)

Are you running that command on the NFS server or the client?


----------



## roberc (Mar 14, 2018)

SirDice said:


> Are you running that command on the NFS server or the client?


Client


----------



## SirDice (Mar 14, 2018)

Ok, that means the client can access the server's port 111 for RPC, that's important. If that doesn't work NFS certainly isn't going to work. The showmount(8) command simply times out? No other output? If that's the case I'm still considering a firewall, somewhere between the client's network and the server's network. Especially if the server and clients are on different networks.


----------



## roberc (Mar 15, 2018)

SirDice said:


> Ok, that means the client can access the server's port 111 for RPC, that's important. If that doesn't work NFS certainly isn't going to work. The showmount(8) command simply times out? No other output? If that's the case I'm still considering a firewall, somewhere between the client's network and the server's network. Especially if the server and clients are on different networks.



I was thinking about it. So there's the firewall script which runs on the client:

```
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 500"
pif="em0"
ks="keep-state"
good_tcpo="22,25,37,53,80,443,110"
$cmd 005 allow all from any to any via re0  # exclude LAN traffic
$cmd 010 allow all from any to any via lo0  # exclude loopback traffic

${cmd} 42 allow tcp from any to me 22 in via ${pif}
${cmd} 43 allow tcp from me 22 to any out via ${pif}

$cmd 100 divert natd ip from any to any in via $pif # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 101 check-state

# Authorized outbound packets
$cmd 120 $skip udp from any to any 53 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks

#$cmd 499 deny log all from any to any

$cmd 500 divert 8668 all from 192.168.3.0/24 to any via $pif
$cmd 501 divert 8668 all from any to me via $pif

#$cmd 500 divert natd ip from any to any out via $pif # skipto location for outbound stateful rules
$cmd 510 allow ip from any to any
```

A simple NAT I found on the net two years ago. But NFS didn't work with the firewall disabled either.

I've added NFS ports to the line `good_tcpo="22,25,37,53,80,443,110"` with no luck.

Maybe you can tell which port is used to query the server to work with showmount? I could reroute these ports to make it work.

showmount shows:

```
RPC: Port mapper failure
showmount: can't do exports rpc
```


----------



## SirDice (Mar 15, 2018)

This might be useful: https://www.area536.com/projects/firewall-rules-for-nfs-file-sharing/


----------
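
The question of which ports `showmount` and the mount itself depend on can be answered from the server's own registrations: rpcbind on port 111 hands out the ports of mountd, nfs and status, and each of those must also be reachable from the client. This is an added example, not part of the original thread; the sample `rpcinfo -p` output, its port numbers and the function names `nfs_ports`, `sample_rpcinfo` and `probe_tcp` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `rpcinfo -p <server>` output on
# stdin and prints one "proto port service" line per port an NFSv3 client needs.
# RPC program numbers: 100000 rpcbind, 100003 nfs, 100005 mountd,
# 100021 nlockmgr, 100024 status.
nfs_ports() {
    awk '
        $1 ~ /^[0-9]+$/ && ($3 == "tcp" || $3 == "udp") {
            if ($1 == 100000) name = "rpcbind"
            else if ($1 == 100003) name = "nfs"
            else if ($1 == 100005) name = "mountd"
            else if ($1 == 100021) name = "nlockmgr"
            else if ($1 == 100024) name = "status"
            else next
            key = $3 " " $4 " " name
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample; the mountd and status ports here are made up.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100005    1   udp    850  mountd
    100005    3   tcp    850  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100024    1   tcp    655  status
EOF
}

# Real use on the client: rpcinfo -p server | nfs_ports | probe_tcp server
# Only TCP is probed; a UDP port gives no reliable answer to a connect test.
probe_tcp() {
    host=$1
    while read -r proto port name; do
        [ "$proto" = tcp ] || continue
        if nc -z -w 3 "$host" "$port" </dev/null >/dev/null 2>&1; then
            echo "reachable   $name tcp/$port"
        else
            echo "unreachable $name tcp/$port"
        fi
    done
}
sample_rpcinfo | nfs_ports
```

A port that `rpcinfo` lists but `probe_tcp` reports as unreachable points at filtering somewhere on the path rather than at the NFS configuration.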



## roberc (Mar 15, 2018)

Alright, thank you very much, sir, for your time.
I'll try to trick all firewalls in my path.


----------

