On our slave NIS server, in /etc/sysconfig/network, I've set

YPSERV_ARGS="-p 944"
YPXFRD_ARGS="-p 945"

and OTHER_YPBIND_OPTS="-p 3000" in /etc/ypbind.conf, and YPPASSWDD_ARGS="--port 946" in /etc/sysconfig/yppasswdd.

But on the master server, when running make -C /var/yp with debug enabled on firewalld, the destination port (DPT) always changes. It's always UDP.

kernel: FINAL_REJECT: IN=eno3 OUT= MAC=00:0a:f7:e1:f8:6c:00:0a:f7:e1:d3:71:08:00 SRC=nis-slave DST=nis-master LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=59404 DF PROTO=UDP SPT=1003 DPT=676 LEN=56 

Also in the new /etc/nfs.conf we have:


And the logs on the slave server show: ypxfr_callback call: RPC: Unable to receive; errno = No route to host

If I stop firewalld, all is well. So what service is using UDP?

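One way to answer "what service is using UDP" from the evidence in the question is to take PROTO/DPT out of the FINAL_REJECT line and look that port up in the portmapper's registration table. The script below is an added example, not from the question or the answers; the log line is the one quoted above and the rpcinfo table is a constructed sample (on a real host it would come from rpcinfo -p nis-master).

```shell
#!/bin/sh
# Added example: tie a firewalld FINAL_REJECT line to the RPC program that is
# registered on the rejected port. Both inputs are constructed samples; on a
# real host the log comes from "journalctl -k" and the table from "rpcinfo -p".

REJECT_LOG='kernel: FINAL_REJECT: IN=eno3 OUT= MAC=00:0a:f7:e1:f8:6c:00:0a:f7:e1:d3:71:08:00 SRC=nis-slave DST=nis-master LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=59404 DF PROTO=UDP SPT=1003 DPT=676 LEN=56'

# Constructed "rpcinfo -p" sample. Program numbers >= 1073741824 (0x40000000)
# are the transient range; rpcinfo prints no service name for them, which is
# how a short-lived callback server registered on a random port shows up.
RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100004    2   udp    944  ypserv
    100004    2   tcp    944  ypserv
    100009    1   udp    946  yppasswdd
 1073741824    1   udp    676'

# Print "proto dpt" (proto lowercased to match rpcinfo) from one kernel log line.
dpt_from_log() {
    proto=$(printf '%s\n' "$1" | sed -n 's/.*PROTO=\([A-Za-z]*\).*/\1/p' | tr 'A-Z' 'a-z')
    dpt=$(printf '%s\n' "$1" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p')
    [ -n "$proto" ] && [ -n "$dpt" ] || return 1
    printf '%s %s\n' "$proto" "$dpt"
}

# Print "program service" for the rpcinfo entry on proto+port, else "unregistered".
rpc_program_for_port() {
    printf '%s\n' "$RPCINFO" | awk -v p="$1" -v port="$2" '
        NR > 1 && $3 == p && $4 == port { print $1, ($5 == "" ? "(no name)" : $5); found = 1 }
        END { if (!found) print "unregistered" }'
}

set -- $(dpt_from_log "$REJECT_LOG")
echo "rejected $1/$2 -> $(rpc_program_for_port "$1" "$2")"
```

A hit on a transient program number with no name points at a port that is negotiated per run rather than configured, which is exactly the case a fixed-port firewall rule cannot cover.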



The ancient YP/NIS stuff is not at all firewall friendly. It literally predates the wide use of host firewalls. As you've noticed, it expects to be able to communicate on arbitrary ports. Most protocols from the last 20 years or so no longer do this, and run on predictable (or at least configurable) ports.

As a workaround, though, if you only have one IP address, you can just add it to the trusted zone in firewalld, and all traffic from that IP address will be allowed. (Sources can also be given by CIDR range or MAC address.)

 firewall-cmd --zone=trusted --add-source= [--permanent]
Michael Hampton

Agree with NIS being ancient; don't use it if you do not have to.

For NFS, here is an example I am taking from SLES 11.4 /etc/sysconfig/nfs. Be aware things may be slightly different given the NFS version and Linux distribution you are using. But the port numbers you need to open in your firewall are at least MOUNTD_PORT, SM_NOTIFY_OPTIONS, STATD_PORT, LOCKD_TCPPORT and LOCKD_UDPPORT, in addition to the ports for the NFS service, which are typically 111 and 2049 for both TCP and UDP.

For custom_number_1 to custom_number_4 use something above 1024; anything below 1024 is reserved for privileged services. You don't want to choose a number that conflicts with some other service, obviously. You can use the range 1024..9999, but as a personal preference I have mine set above 10,000. The range >= 49152 is, I believe, the dynamic range, which I don't think you should choose. What happens if you don't configure NFS (tell it what to use) is that it chooses them dynamically: it would be some port number >= 49152 and would be different each time because it's dynamic. That is why you would have problems: the firewall would be blocking all those ports and you would never know what they would be, because NFS chooses them dynamically.

That dynamic choosing of port numbers that you describe for NIS is the same deal: the service was not fully configured, so things that were left blank or default were chosen dynamically, which means different each time, which means no way to properly configure or use a firewall.

## Path:        Network/File systems/NFS server
## Description: number of threads for kernel nfs server
## Type:        integer
## Default:     4
## ServiceRestart:  nfsserver
# the kernel nfs-server supports multiple server threads

## Path:        Network/File systems/NFS server
## Description:     use fixed port number for mountd
## Type:        integer
## Default:     ""
## ServiceRestart:  nfsserver
#  Only set this if you want to start mountd on a fixed
#  port instead of the port assigned by rpc. Only for use
#  to export nfs-filesystems through firewalls.

## Path:                Network/File systems/NFS server
## Description:         GSS security for NFS
## Type:                yesno
## Default:             yes
## ServiceRestart:      nfs nfsserver
# Enable RPCSEC_GSS security for NFS (yes/no)

## Path:                Network/File systems/NFS server
## Description:         NFSv4 protocol support
## Type:                yesno
## Default:             yes
## ServiceRestart:      nfs nfsserver
# Enable NFSv4 support (yes/no)

## Path:                Network/File systems/NFS server
## Description:         NFSv4 server minor version
## Type:                integer
## Default:             0
## ServiceRestart:      nfsserver
# Select NFSv4 minor version for server to support (0, 1).
# If '1' is selected, both NFSv4.0 and NFSv4.1 will be supported.

## Path:                Network/File systems/NFS server
## Description:         Network Status Monitor options
## Type:                string
## Default:             ""
# If a fixed port should be used to send reboot notification
# messages to other systems, that port should be given
# here as "-p portnumber".
SM_NOTIFY_OPTIONS="-p custom_number_2"

## Path:                Network/File systems/NFS server
## Description:         Always start NFS services
## Type:                yesno
## Default:             no
## ServiceRestart:      nfs
# Always start NFS services (gssd, idmapd), not only if
# there are nfs mounts in /etc/fstab.  This is likely to be
# needed if you use an automounter for NFS.

## Path:                Network/File systems/NFS server
## Description:         Port rpc.statd should listen on
## Type:                integer
## Default:             ""
## ServiceRestart:      nfsserver
# Statd will normally choose a random port to listen on and
# SuSE-Firewall is able to detect which port and allow for it.
# If you have another firewall, you may want to set a fixed
# port number which can then be opened in that firewall.

## Path:                Network/File systems/NFS server
## Description:         Hostname used by rpc.statd
## Type:                string
## Default:             ""
## ServiceRestart:      nfsserver
# statd will normally use the system hostname in status
# monitoring conversations with other hosts.  If a different
# host name should be used, as can be useful with fail-over
# configurations, that name should be given here.

## Path:                Network/File systems/NFS server
## Description:     TCP Port that lockd should listen on
## Type:                integer
## Default:             ""
## ServiceRestart:      nfsserver
# Lockd will normally choose a random port to listen on and
# SuSE-Firewall is able to detect which port and allow for it.
# If you have another firewall, you may want to set a fixed
# port number which can then be opened in that firewall.
# lockd opens a UDP and a TCP port.  This setting only affects
# the TCP port.

## Path:                Network/File systems/NFS server
## Description:     UDP Port that lockd should listen on
## Type:                integer
## Default:             ""
## ServiceRestart:      nfsserver
# Lockd will normally choose a random port to listen on and
# SuSE-Firewall is able to detect which port and allow for it.
# If you have another firewall, you may want to set a fixed
# port number which can then be opened in that firewall.
# lockd opens a UDP and a TCP port.  This setting only affects
# the UDP port.

## Path:                Network/File systems/NFS server
## Description:         Lease time for NFSv4 leases
## Type:                integer
## Default:             ""
# Set the lease time for the NFSv4 server.  This allows new locks
# to be taken sooner after a server restart, so it is useful for
# servers which need to recover quickly after a failure, particularly
# in fail-over configurations.  Reducing the lease time can be a
# problem if some clients connect over high latency networks.
# The default is 90 seconds.  A number like 15 might be appropriate
# in a fail-over configuration with all clients on well connected
# low latency links.

## Path:                Network/File systems/NFS server
## Description:         Alternate mount point for rpc_pipefs filesystem
## Type:                string
## Default:             ""
# In a high-availability configuration it is possible that /var/lib/nfs
# is redirected so some shared storage and so it is not convenient to
# mount the rpc_pipefs filesystem at /var/lib/nfs/rpc_pipefs.  In that
# case an alternate mount point can be given here.

## Path:                Network/File systems/NFS server
## Description:         Options for svcgssd
## Type:                string
## Default:             ""
# Normally svcgssd does not require any option.  However in a
# high-availability configuration it can be useful to pass "-n"
# to guide the choice of default credential.  To allow for that
# case or any other requiring options to svcgssd, they can
# be specified here.

## Path:                Network/File systems/NFS server
## Description:         Extra options for nfsd
## Type:                string
## Default:             ""
# This setting allows extra options to be specified for NFSD, such as
# -H <shared_hostname> in a high-availability configuration.

## Path:                Network/File systems/NFS server
## Description:         Extra options for gssd
## Type:                string
## Default:             ""
# Normally gssd does not require any options.  In some circumstances,
# -n, -l or other options might be useful. See "man 8 rpc.gssd" for
# details.  Those options can be set here.

## Path:                Network/File systems/NFS server
## Description:         Extra options for mountd
## Type:                string
## Default:             ""
# Normally mountd does not require any options.  In some circumstances,
# -n, -t, -g or other options might be useful. See "man 8 rpc.mountd" for
# details.  Those options can be set here.
# -p or -N should be set using MOUNTD_PORT or NFS4_SUPPORT rather than
# this option.

## Path:                Network/File systems/NFS server
## Description:         Avoid DNS lookups for kerberos principal
## Type:                yesno
## Default:             no
## ServiceRestart:      gssd
# Avoid DNS lookups when determining kerberos identity
# of NFS server (yes/no)
# "yes" is safest, but "no" might be needed to preserve
# correct behaviour at sites that don't use
# Fully Qualified Domain Names when mounting NFS Shares.
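The answer's advice boils down to two checks per variable: is it set, and is it in the usable range between the privileged ports and the dynamic range. The script below is an added example, not from the answer and not part of SLES; it reads a constructed /etc/sysconfig/nfs-style fragment using the variable names the answer lists, flags anything that would fall back to a dynamic port, and prints the firewall-cmd lines (assumed firewalld syntax) for the ports that are fixed.

```shell
#!/bin/sh
# Added example: check the fixed-port variables of an /etc/sysconfig/nfs-style
# file and print the firewall-cmd lines that would open them. The file content
# is a constructed sample; the variable names are the ones the answer lists.
NFS_SYSCONFIG='MOUNTD_PORT="20048"
SM_NOTIFY_OPTIONS="-p 20049"
STATD_PORT="20050"
LOCKD_TCPPORT="20051"
LOCKD_UDPPORT=""
'
# Value of one variable in the sysconfig text, surrounding quotes stripped.
sysconfig_get() {
    printf '%s' "$NFS_SYSCONFIG" | sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}
# A usable fixed port is numeric, above the privileged range (< 1024) and
# below the dynamic range (>= 49152). Returns 0 ok, 1 empty, 2 out of range.
check_port() {
    case "$1" in
        '') return 1 ;;
        *[!0-9]*) return 2 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -lt 49152 ] && return 0
    return 2
}
# rpcbind (111) and nfsd (2049) are fixed; every other port comes from the
# file. An unset or out-of-range variable gets a WARNING instead of a rule,
# since that service would then pick a dynamic port the firewall cannot know.
nfs_firewall_rules() {
    printf 'firewall-cmd --add-port=111/tcp --add-port=111/udp\n'
    printf 'firewall-cmd --add-port=2049/tcp --add-port=2049/udp\n'
    for spec in MOUNTD_PORT:tcp,udp STATD_PORT:tcp,udp LOCKD_TCPPORT:tcp \
                LOCKD_UDPPORT:udp SM_NOTIFY_OPTIONS:udp; do
        var=${spec%%:*}
        port=$(sysconfig_get "$var")
        # SM_NOTIFY_OPTIONS carries its port as "-p N" rather than a bare number
        [ "$var" = SM_NOTIFY_OPTIONS ] && port=$(printf '%s' "$port" | sed -n 's/.*-p *\([0-9]*\).*/\1/p')
        if check_port "$port"; then
            for proto in $(printf '%s' "${spec#*:}" | tr ',' ' '); do
                printf 'firewall-cmd --add-port=%s/%s\n' "$port" "$proto"
            done
        else
            printf 'WARNING: %s unset or outside 1024-49151, port will be dynamic\n' "$var"
        fi
    done
}

nfs_firewall_rules
```

Run against the real file by replacing NFS_SYSCONFIG with the output of cat /etc/sysconfig/nfs; the WARNING lines are the variables that still need a value before the firewall can be configured.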