[OpenAFS] AFS-Client behind masquerading firewall

Derek Atkins warlord@MIT.EDU
04 Jan 2001 17:20:46 -0500 

Sascha Silbe <sascha-ml-openafs-info@progbbs.staticky.com> writes:

> Sorry for the long delay, I was away for christmas and new year's eve.

Well, happy new year. :)

>  DA> AFS _does_ work behind a masquerading firewall provided that you set t=
> he=20
>  DA> UDP timeouts high enough to allow callbacks to occur.
> When do callbacks occur? Only within some time after a client request or
> anytime? On the same ports as the request or on a separate one?

Basically the cache manager opens port 7001 on the client and uses
that port to contact ports 7000-7008 on the AFS servers.  All output
from the client cache manager exits via UDP port 7001, and all
responses to the cache manager (including callbacks) return via UDP
port 7001.

Callbacks can pretty much occur at any time.  HOWEVER, the client
cache manager 'pings' each server periodically to make sure it is
still there.  This ping happens, IIRC, every 10 minutes.  So, if you
set a 15-minute UDP timeout, that should keep everything alive.

>  DA> I would recommend UDP timeouts in the range of 10-15 minutes.
> Thanks! I'll see if it helps. Strangely the OpenAFS client does not
> work at all currently. Perhaps I have to reboot the machine after
> stopping arla and before starting OpenAFS.

Maybe -- I've not tried arla, and I've never tried changing over from
one to the other.  Rebooting is always a good idea in such strange
situations ;)

>  DA> You should also note that AFS might "hiccup" when the IP address
>  DA> changes, at least until new callbacks can be set with the new IP.
> That's currently a big problem here, both with arla and OpenAFS. Even=20
> restarting the client does not help. :(

Perhaps you should find a better ISP -- one that gives you a more
stable IP Address?  Yea, if your IP Address changes, you probably
need to:
	1) stop AFS
	2) remove the AFS module
	3) restart AFS

It definitely wont work without step #2.  Just keep in mind that AFS
was not designed with NAT in mind (NAT is an abomination).  The fact
that it works across NAT is just luck.  AFS barely copes when your own
IP address changes, but at least the AFS client KNOWS when this change
happens.  The client cannot know when the NAT-box changes IP Address.

> CU/Lnx Sascha

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available