
NFS servers and firewalld

22 votes
5 answers
78389 views
I haven't found a slam-dunk document on this, so let's start one. On a CentOS 7.1 host, I have gone through the linuxconfig HOW-TO, including the firewall-cmd entries, and I have an exportable filesystem.

    [root@ ~]# firewall-cmd --list-all
    internal (default, active)
      interfaces: enp5s0
      sources: 192.168.10.0/24
      services: dhcpv6-client ipp-client mdns ssh
      ports: 2049/tcp
      masquerade: no
      forward-ports:
      rich rules:

    [root@ ~]# showmount -e localhost
    Export list for localhost:
    /export/home/ *.localdomain

However, if I showmount from the client, I still have a problem.

    [root@ ~]# showmount -e .localdomain
    clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)

Now, how am I sure that this is a firewall problem? Easy. Turn off the firewall. Server side:

    [root@ ~]# systemctl stop firewalld

And client side:

    [root@ ~]# showmount -e .localdomain
    Export list for .localdomain:
    /export/home/ *.localdomain

Restart firewalld. Server side:

    [root@ ~]# systemctl start firewalld

And client side:

    [root@ ~]# showmount -e .localdomain
    clnt_create: RPC: Port mapper failure - Unable to receive: errno 113 (No route to host)

So, let's go to town, by adapting the iptables commands from a RHEL 6 NFS server HOW-TO ...

    [root@ ~]# firewall-cmd \
    >  --add-port=111/tcp \
    >  --add-port=111/udp \
    >  --add-port=892/tcp \
    >  --add-port=892/udp \
    >  --add-port=875/tcp \
    >  --add-port=875/udp \
    >  --add-port=662/tcp \
    >  --add-port=662/udp \
    >  --add-port=32769/udp \
    >  --add-port=32803/tcp
    success

    [root@ ~]# firewall-cmd \
    >  --add-port=111/tcp \
    >  --add-port=111/udp \
    >  --add-port=892/tcp \
    >  --add-port=892/udp \
    >  --add-port=875/tcp \
    >  --add-port=875/udp \
    >  --add-port=662/tcp \
    >  --add-port=662/udp \
    >  --add-port=32769/udp \
    >  --add-port=32803/tcp \
    >  --permanent
    success

    [root@ ~]# firewall-cmd --list-all
    internal (default, active)
      interfaces: enp5s0
      sources: 192.168.0.0/24
      services: dhcpv6-client ipp-client mdns ssh
      ports: 32803/tcp 662/udp 662/tcp 111/udp 875/udp 32769/udp 875/tcp 892/udp 2049/tcp 892/tcp 111/tcp
      masquerade: no
      forward-ports:
      rich rules:

This time, I get a slightly different error message from the client:

    [root@ ~]# showmount -e .localdomain
    rpc mount export: RPC: Unable to receive; errno = No route to host

So, I know I'm on the right track. Having said that, why can't I find a definitive tutorial on this anywhere? I can't have been the first person to have to figure this out!

What firewall-cmd entries am I missing?

Oh, one other note. My /etc/sysconfig/nfs files on the CentOS 6 client and the CentOS 7 server are unmodified, so far. I would prefer to not have to change (and maintain!) them, if at all possible.
Asked by dafydd (1466 rep)
Nov 18, 2015, 04:38 AM
Last activity: Apr 29, 2025, 05:02 AM
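
A diagnostic sketch for the situation in the question, added here and not part of the original post: it compares the ports that RPC services have registered with rpcbind (as printed by `rpcinfo -p`) against the firewalld port list, so the NFS helper services that are still blocked show up by name. The `rpcinfo` sample is constructed for illustration, the port list is the one shown in the question, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list RPC services whose registered port is not open in firewalld.
# Live use on the NFS server (both commands are standard on CentOS 7):
#   rpcinfo -p | blocked_rpc_ports "$(firewall-cmd --list-ports)"

# Port list copied from the question's second `firewall-cmd --list-all`.
PAGE_PORTS="32803/tcp 662/udp 662/tcp 111/udp 875/udp 32769/udp 875/tcp 892/udp 2049/tcp 892/tcp 111/tcp"

# Constructed sample of `rpcinfo -p` output; the helper daemons' port
# numbers here are illustrative, not taken from the asker's host.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  45772  status
    100024    1   tcp  39904  status
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100021    4   udp  51413  nlockmgr
    100021    4   tcp  38465  nlockmgr
EOF
}

# Reads `rpcinfo -p` output on stdin; $1 is a space-separated "port/proto" list.
# Prints "service port/proto" once for every registration the list does not cover.
blocked_rpc_ports() {
    awk -v open="$1" '
        BEGIN {
            n = split(open, p, " ")
            for (i = 1; i <= n; i++) allowed[p[i]] = 1
        }
        # Skip the header row and any line without a numeric port column.
        NR > 1 && $4 ~ /^[0-9]+$/ {
            key = $4 "/" $3
            if (!(key in allowed) && !(key in seen)) {
                seen[key] = 1
                print $5, key
            }
        }
    ' | LC_ALL=C sort
}

# Demonstration on the constructed sample.
sample_rpcinfo | blocked_rpc_ports "$PAGE_PORTS"
```

Any service this prints is registered with rpcbind but unreachable through the zone's port list, which is consistent with the client getting past the port mapper and then failing at the mount export call.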