[OpenAFS] ISP blocking Krb4 traffic?

ted creedon tcreedon@easystreet.com
Thu, 22 Apr 2004 12:47:24 -0700

An ISP should not block any port.

I assume that you can recompile using other ports, use a SOCKS proxy, or
set up your own NAT settings using fwbuilder (i.e. build your own firewall
and translate there); that would be the quickest.


-----Original Message-----
From: openafs-info-admin@openafs.org [mailto:openafs-info-admin@openafs.org]
On Behalf Of John Hascall
Sent: Thursday, April 15, 2004 9:10 AM
To: Ryan Underwood
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] ISP blocking Krb4 traffic? 

> I've noticed recently that our ISP seems to be dropping outbound traffic
> with a destination port equal to 4444.  I think this is to circumvent
> some Windows worm that uses that port.  However, it has the side effect
> of completely neutering Kerberos 4 usage to an off-site realm, because
> traffic on port 4444 from the client to the krb4 KDC (or krb524) is
> dropped.

> Is anyone else experiencing this problem, and also are there any
> convenient workarounds for this?  What complete stupidity.

We have been able to convince some ISPs to block
only 4444/tcp and not 4444/udp.  Others have been
thicker-headed.  The only solution we have found
for our clients behind such boneheadedness is to
use a VPN (or switch ISPs).

It would be nice to be able to configure the 524 client
stuff to use a different port...
