Subject: | |
From: | |
Reply To: | |
Date: | Fri, 26 Oct 2007 08:21:38 +0200 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
On 25/10/07 22:05, Wayne Betts wrote:
> In the distant past, I used to add several ACCEPT rules for afs in
> ipchains or iptables when using openafs clients. But somewhere in time
> I stopped doing this (not conciously -- it just slipped my mind when
> making my checklist at some point), yet I've never noticed a problem
> while using the default iptables rules that end with a default REJECT in
> my SL installations. I've gotten a couple bits of different advice from
> individuals and the web (for instance: http://help.unc.edu/?id=5513 )
> indicating that I need firewall rules in place, but they don't all seem
> to quite match up and I'm not familiar enough with afs and/or kerberos
> communications to know what's really necessary.
>
> So, first the short question: should I be adding firewall rules when
> using SL 3/4/5 with the SL openafs-client packages?
>
> If yes, then a medium (?) question: what rules should I add?
If you are just collecting answers:
We open up port 7001/udp into the client, supposedly the AFS cache
manager sits there and will occasionally receive callbacks from the AFS
servers. Other communications should be handled by the default
"ESTABLISHED,RELATED" logic.
> Long (?) question: How can I demonstrate a failure if I don't have the
> firewall rules in place? A related question -- why haven't I noticed a
> problem before?
Just guessing (ask the Openafs gurus for details), but failure to
contact a client (cache) should trigger some timeout-based protocol to
establish who has the "correct" version, i.e. more overhead, and the
occasional lost update.
|
|
|