[OpenAFS] AFS, IP-Filters, and NAT

Charles Clancy mgrtcc@cs.rose-hulman.edu
Sat, 7 Jul 2001 00:36:54 -0500 (EST)


I'm trying to configure a cluster of Sun machines behind a NAT
proxy/firewall using ip-filters.  They all run an AFS client that accesses
an AFS server off the NAT.

Here's basically what happens:
Node1 tries to connect:  node1 port 7001  -> server port 7000
NAT rewrites it:         proxy port 10001 -> server port 7000
Server responds:         server port 7000 -> proxy port 10001
NAT rewrites it:         server port 7000 -> node1 port 7001

Everyone's happy, until the next time the client tries to access
something:

Node1 tries to connect:  node1 port 7001  -> server port 7000
NAT rewrites it:         proxy port 10002 -> server port 7000
Server responds:         server port 7000 -> proxy port 10001
Proxy is unhappy:        ICMP Port Unreachable -> server

Why does the AFS server use the original source port, instead of the
source port of the packet it gets from the client?!?!

The problem with the ipf documentation is that it's a HOWTO, and only
covers certain scenarios.  I can't figure out the syntax to have it always
map node1 port 7001 to proxy port 10001.

Oh -- I'm running Transarc AFS 3.5 on the server.  Could this have been
fixed already in OpenAFS 1.0.4?  Is it actually a bug?

_________________________________________
Charles Clancy, mgrtcc@cs.rose-hulman.edu
sysadmin emeritus, RHIT Computer Science
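An added example, not part of Charles's post and not AFS or ipf code: a small Python model of a port-translating NAT whose dynamic bindings expire, beside a server that keeps replying to the first proxy address/port it associated with a connection (an assumption modelled from the trace above, not verified against the Rx implementation). It reproduces both exchanges in the post and shows that a static mapping for node1 port 7001 keeps the server's replies routable.

```python
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Port-based NAT; dynamic bindings are dropped after `ttl` idle ticks."""
    proxy_ip: str
    ttl: int
    static: dict = field(default_factory=dict)  # (inside_ip, port) -> pinned proxy port
    next_port: int = 10001                      # next dynamic port, as in the trace
    out: dict = field(default_factory=dict)     # (inside_ip, port) -> (proxy_port, last_seen)
    back: dict = field(default_factory=dict)    # proxy_port -> (inside_ip, port)
    clock: int = 0

    def tick(self, n):
        # Advance time and expire idle dynamic bindings; static ones are kept.
        self.clock += n
        for key, (pport, seen) in list(self.out.items()):
            if key not in self.static and self.clock - seen > self.ttl:
                del self.out[key]
                del self.back[pport]

    def outbound(self, src):
        # Rewrite an inside source to (proxy_ip, proxy_port), binding it if needed.
        if src in self.out:
            pport = self.out[src][0]
        elif src in self.static:
            pport = self.static[src]
        else:
            pport, self.next_port = self.next_port, self.next_port + 1
        self.out[src] = (pport, self.clock)
        self.back[pport] = src
        return (self.proxy_ip, pport)

    def inbound(self, dst_port):
        # Inside peer for a reply, or None: the NAT has no binding and answers
        # with ICMP port unreachable, exactly the failure seen in the post.
        return self.back.get(dst_port)


class Server:
    """Replies to the address first recorded for a connection (assumption)."""
    def __init__(self):
        self.peer_of = {}

    def request(self, conn_id, src):
        self.peer_of.setdefault(conn_id, src)

    def reply_to(self, conn_id):
        return self.peer_of[conn_id]


def run(nat, idle_ticks):
    """Two requests from node1:7001 separated by idle_ticks; where each reply lands."""
    node1, server, landed = ("node1", 7001), Server(), []
    for _ in range(2):
        server.request("conn-A", nat.outbound(node1))
        landed.append(nat.inbound(server.reply_to("conn-A")[1]))
        nat.tick(idle_ticks)
    return landed
```

With `Nat("proxy", ttl=60)` and 120 idle ticks the second reply lands nowhere; with `static={("node1", 7001): 10001}` both replies reach node1.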