SCIENTIFIC-LINUX-USERS Archives

October 2007

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Troy Dawson <[log in to unmask]>
Reply To:
Troy Dawson <[log in to unmask]>
Date:
Fri, 26 Oct 2007 10:16:18 -0500
Wayne Betts wrote:
> In the distant past, I used to add several ACCEPT rules for afs in 
> ipchains or iptables when using openafs clients.  But somewhere in time 
> I stopped doing this (not consciously -- it just slipped my mind when 
> making my checklist at some point), yet I've never noticed a problem 
> while using the default iptables rules that end with a default REJECT in 
> my SL installations.  I've gotten a couple bits of different advice from 
> individuals and the web (for instance: http://help.unc.edu/?id=5513 ) 
> indicating that I need firewall rules in place, but they don't all seem 
> to quite match up and I'm not familiar enough with afs and/or kerberos 
> communications to know what's really necessary.
> 
> So, first the short question:  should I be adding firewall rules when 
> using SL 3/4/5 with the SL openafs-client packages?
> 

This is my experience.
SL3 - poke some holes, we never really got it working right, so we tended to 
leave the firewall off and make sure everything else was turned off.
SL4 - Just worked with the default setting, we didn't have to poke any holes 
for afs.
SL5 - Same as 4, we didn't have to do anything to the default firewall settings.

How did we test?
For SLF 4x, we first tried it on one machine, saw that we thought it worked, 
then pushed it out to more testers, nobody noticed any problems.  So, from the 
beginning SLF 4x had the firewall on with the default settings.  Although 
users occasionally have AFS problems, none of them have been with the firewall.
SLF 5x has had the default firewall on from the beginning as well.  Most of our 
AFS bugs are dealing with automatically getting your AFS token, but no problems 
with the firewall.

Troy

-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
