[OpenAFS] AFS, IP-Filters, and NAT

Derek Atkins warlord@MIT.EDU
07 Jul 2001 10:12:49 -0400


No, servers cache the ip/port for each client they see.  It also
assumes that a client will not change ip/port mid-session.

You do not need to map ports directly.  Just change your UDP timeout
so that UDP ports originating inside the NAT from port 7001 have NO
timeout.  That way the NAT box will always remember the mapping for
those ports.  Alternatively, you can set the UDP timeout to something
large, like 30 minutes.  That should assure that the mapping is kept
alive.

-derek

Charles Clancy <mgrtcc@cs.rose-hulman.edu> writes:

> I'm trying to configure a cluster of Sun machines behind a NAT
> proxy/firewall using ip-filters.  They all run an AFS client that accesses
> an AFS server off the NAT.
> 
> Here's basically what happens:
> Node1 tries to connect:  node1 port 7001  -> server port 7000
> NAT rewrites it:         proxy port 10001 -> server port 7000
> Server responds:         server port 7000 -> proxy port 10001
> NAT rewrites it:         server port 7000 -> node1 port 7001
> 
> Everyone's happy, until the next time the client tries to access
> something:
> 
> Node1 tries to connect:  node1 port 7001  -> server port 7000
> NAT rewrites it:         proxy port 10002 -> server port 7000
> Server responds:         server port 7000 -> proxy port 10001
> Proxy is unhappy:        ICMP Port Unreachable -> server
> 
> Why does the AFS server use the original source port, instead of the
> source port of the packet it gets from the client?!?!
> 
> The problem with the ipf documentation is that it's a HOWTO, and only
> covers certain scenarios.  I can't figure out the syntax to have it always
> map node1 port 7001 to proxy port 10001.
> 
> Oh -- I'm running Transarc AFS 3.5 on the server.  Could this have been
> fixed already in OpenAFS 1.0.4?  Is it actually a bug?
> 
> _________________________________________
> Charles Clancy, mgrtcc@cs.rose-hulman.edu
> sysadmin emeritus, RHIT Computer Science
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
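To make the exchange in this thread concrete, the following is an added Python simulation; it is not code from the thread, from OpenAFS, or from ipfilter. It models the three pieces Derek describes: a client that always sends from UDP port 7001, a server that caches the first (ip, port) it saw for a client and keeps replying there, and a NAT that drops an idle UDP mapping after a timeout and hands out a fresh proxy port on the next outbound packet. It then replays Charles's two-exchange scenario under a short timeout, under the 30-minute timeout Derek suggests, and with port 7001 exempted from expiry. Host names, the proxy port pool starting at 10001, and the idle gap of 600 seconds are constructed values chosen to match the thread.

```python
"""
Toy model of an AFS client behind a NAT: the client sends from UDP port 7001
to the fileserver's port 7000, the server remembers the first (ip, port) it
saw for that client and keeps replying to it, and the NAT renumbers the
mapping once its UDP idle timeout expires.  Hosts, proxy ports other than
7000/7001, and timings are constructed for illustration; nothing here is
OpenAFS or ipfilter code.
"""
from dataclasses import dataclass, field

INF = float("inf")


@dataclass
class Nat:
    """UDP NAT: one proxy port per inside (ip, port); entries expire when idle."""
    udp_timeout: float                      # idle seconds before a mapping is dropped
    pinned_ports: frozenset = frozenset()   # inside source ports whose mappings never expire
    next_port: int = 10001                  # constructed proxy port pool, as in the thread
    outbound: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> [proxy_port, last_seen]
    inbound: dict = field(default_factory=dict)   # proxy_port -> (inside_ip, inside_port)

    def _expire(self, now):
        for inside, (proxy_port, last_seen) in list(self.outbound.items()):
            limit = INF if inside[1] in self.pinned_ports else self.udp_timeout
            if now - last_seen > limit:
                del self.outbound[inside]
                del self.inbound[proxy_port]

    def translate_out(self, inside, now):
        """Client -> server packet: return the proxy port the server will see."""
        self._expire(now)
        if inside in self.outbound:
            self.outbound[inside][1] = now       # live mapping: refresh its idle timer
            return self.outbound[inside][0]
        proxy_port = self.next_port              # no live mapping: allocate a fresh one
        self.next_port += 1
        self.outbound[inside] = [proxy_port, now]
        self.inbound[proxy_port] = inside
        return proxy_port

    def translate_in(self, proxy_port, now):
        """Server -> client packet: inside endpoint, or None (ICMP port unreachable)."""
        self._expire(now)
        return self.inbound.get(proxy_port)


class AfsServer:
    """Caches the first source address seen per client and replies only there."""
    def __init__(self):
        self.peers = {}

    def receive(self, client_id, src):
        self.peers.setdefault(client_id, src)
        return self.peers[client_id]             # destination of the reply


def run_scenario(udp_timeout, send_times=(0, 600), pinned_ports=frozenset()):
    """Replay node1:7001 -> server:7000 at each send time; return
    (proxy port seen by server, port the server replies to, outcome) per exchange."""
    nat = Nat(udp_timeout=udp_timeout, pinned_ports=frozenset(pinned_ports))
    server = AfsServer()
    results = []
    for now in send_times:
        proxy_port = nat.translate_out(("node1", 7001), now)
        reply_to = server.receive("node1", ("proxy", proxy_port))
        delivered_to = nat.translate_in(reply_to[1], now)
        outcome = "delivered" if delivered_to == ("node1", 7001) else "port-unreachable"
        results.append((proxy_port, reply_to[1], outcome))
    return results


if __name__ == "__main__":
    print("short timeout:   ", run_scenario(udp_timeout=120))
    print("30 min timeout:  ", run_scenario(udp_timeout=1800))
    print("port 7001 pinned:", run_scenario(udp_timeout=120, pinned_ports={7001}))
```

With a 120-second timeout the second exchange leaves the NAT on proxy port 10002 while the server still answers to 10001, which is exactly the ICMP port unreachable Charles observed. Raising the timeout above the client's idle gap, or exempting source port 7001 from expiry, keeps the original mapping alive and both exchanges succeed; the simulation does not model AFS's own keepalive traffic, so a real deployment with the 30-minute timeout behaves at least as well as shown here.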