[OpenAFS] iptables and OpenAFS
Christopher Allen Wing
wingc@engin.umich.edu
Fri, 26 Aug 2005 18:29:11 -0400 (EDT)
Here, we just use a single rule to allow incoming traffic on UDP port 7001
for callbacks:
-A RH-Firewall-1-INPUT -p udp --dport 7001 -j ACCEPT
so that hosts can communicate with any AFS cell (due to the callback
issue that Russ describes).
This is assuming a standard RHEL3/RHEL4/recent Fedora firewall config,
with a stateful filter rule such as:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
so that any connections that the host makes to a remote AFS server can
receive return traffic.
Indeed, if you do not have a general stateful filter rule enabled then
you'd have to add extra rules to allow the AFS traffic back in.
-Chris Wing
wingc@engin.umich.edu
Russ Allbery wrote:
> We use the following rules (note that this does not include the rules
> needed for Kerberos):
>
> AFS responses
> -A SUL -s 171.64.0.0/255.252.0.0 -p udp -m udp --sport 7000:7007 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> -A SUL -s 171.64.7.0/255.255.255.0 -p udp -m udp --dport 7001 -j ACCEPT
> -A SUL -s 171.64.14.0/255.255.255.0 -p udp -m udp --dport 7001 -j ACCEPT
> -A SUL -s 171.64.17.0/255.255.255.128 -p udp -m udp --dport 7001 -j ACCEPT
> -A SUL -s 171.67.16.0/255.255.252.0 -p udp -m udp --dport 7001 -j ACCEPT
> -A SUL -s 171.64.0.0/255.252.0.0 -p udp -m udp --dport 7000:7010 -m state --state ESTABLISHED -j ACCEPT
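Added example, not code from either poster or from OpenAFS: a small Python model of the two client-side rules Chris describes (the ESTABLISHED,RELATED rule and the explicit UDP 7001 accept) placed in front of the RH-Firewall-1-INPUT chain's usual REJECT tail, with a toy UDP connection tracker that expires idle entries. It shows why each rule is needed: an RPC reply to a user-level tool's ephemeral port only passes because of the stateful rule, while a callback break that arrives long after the flow entry idled out only passes because of the explicit 7001 rule. The addresses, the 30-second idle timeout (the usual nf_conntrack_udp_timeout default), the REJECT tail, and the cache manager using port 7001 as the source port of its own RPCs are assumptions made here.

```python
# Added example: a toy model of the client-side iptables rules in this thread.
# Nothing here is OpenAFS or kernel code; addresses and timeouts are constructed.
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 30.0  # assumption: default nf_conntrack_udp_timeout, seconds


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t: float  # arrival time in seconds (constructed)


class UdpConntrack:
    """Minimal stand-in for UDP connection tracking on the client host.

    A flow the host initiates is remembered; a packet in the reverse
    direction counts as ESTABLISHED only while the entry has not idled out.
    """

    def __init__(self, timeout=UDP_IDLE_TIMEOUT):
        self.timeout = timeout
        self.flows = {}  # original-direction (src, sport, dst, dport) -> last seen

    def note_outgoing(self, pkt):
        self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.t

    def is_established(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reverse tuple
        last = self.flows.get(key)
        if last is None:
            return False
        if pkt.t - last > self.timeout:
            del self.flows[key]  # idle entry expired: this packet starts a new flow
            return False
        self.flows[key] = pkt.t  # traffic in either direction refreshes the entry
        return True


def rh_firewall_input(pkt, ct, stateful=True, callback_rule=True):
    """Walk an RH-Firewall-1-INPUT chain built from the rules in the thread:

      -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      -A RH-Firewall-1-INPUT -p udp --dport 7001 -j ACCEPT
      -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

    The REJECT tail is assumed from the stock RHEL chain. Returns the verdict.
    """
    if stateful and ct.is_established(pkt):
        return "ACCEPT"
    if callback_rule and pkt.dport == 7001:
        return "ACCEPT"
    return "REJECT"


def verdicts(stateful=True, callback_rule=True):
    """Run four inbound UDP packets through the chain and return their verdicts."""
    client, fileserver, vlserver = "10.0.0.5", "192.0.2.10", "192.0.2.11"  # constructed
    ct = UdpConntrack()

    # 1. The cache manager (bound to UDP 7001, afs3-callback) sends an RPC to the
    #    fileserver on 7000, using 7001 as its source port (assumption); the reply
    #    comes back a second later.
    ct.note_outgoing(Packet(client, 7001, fileserver, 7000, t=0.0))
    cm_reply = Packet(fileserver, 7000, client, 7001, t=1.0)

    # 2. A user-level tool (vos/pts style) queries the vlserver on 7003 from an
    #    ephemeral port; the reply arrives on that ephemeral port.
    ct.note_outgoing(Packet(client, 41234, vlserver, 7003, t=2.0))
    tool_reply = Packet(vlserver, 7003, client, 41234, t=3.0)

    # 3. Ten minutes later the fileserver breaks a callback: same tuple as the
    #    reply in (1), but the conntrack entry has long since idled out.
    callback = Packet(fileserver, 7000, client, 7001, t=600.0)

    # 4. Unsolicited UDP from elsewhere to a different AFS port.
    stray = Packet("203.0.113.9", 40000, client, 7002, t=601.0)

    out = {}
    for name, pkt in [("cm_reply", cm_reply), ("tool_reply", tool_reply),
                      ("callback", callback), ("stray", stray)]:
        out[name] = rh_firewall_input(pkt, ct, stateful, callback_rule)
    return out


if __name__ == "__main__":
    for stateful, cb in [(True, True), (True, False), (False, True)]:
        print(f"stateful={stateful!s:5} callback_rule={cb!s:5} -> {verdicts(stateful, cb)}")
```

Running it prints one verdict row per configuration: with both rules everything but the stray packet is accepted; dropping the 7001 rule rejects the late callback; dropping the stateful rule rejects the tool's reply on its ephemeral port, which is the case Chris's last paragraph warns about.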