[OpenAFS] iptables and OpenAFS

Russ Allbery rra@stanford.edu
Fri, 26 Aug 2005 10:22:24 -0700


Ron Croonenberg <ronc@depauw.edu> writes:

> I'm trying to figure out what ports need to be open in iptables for
> running an OpenAFS client (and server).

> Only the ports 7000-7009, both udp and tcp, need to be open, correct?

> so that means I need:

> iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport 7000:7009 -j ACCEPT

> and 

> iptables -I RH-Firewall-1-INPUT 1 -p udp --dport 7000:7009 -j ACCEPT

> and that should do the trick, right?

You don't need TCP.  You can also safely be more restrictive than that.

We use the following rules (note that this does not include the rules
needed for Kerberos):

# AFS responses: UDP replies from the AFS server services (source ports
# 7000-7007) to a client's ephemeral port, for flows conntrack has seen
-A SUL -s 171.64.0.0/255.252.0.0 -p udp -m udp --sport 7000:7007 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Cache manager callback port (7001): accepted from the server networks
# regardless of conntrack state, since callbacks may arrive after the
# ESTABLISHED entry has expired
-A SUL -s 171.64.7.0/255.255.255.0 -p udp -m udp --dport 7001 -j ACCEPT
-A SUL -s 171.64.14.0/255.255.255.0 -p udp -m udp --dport 7001 -j ACCEPT
-A SUL -s 171.64.17.0/255.255.255.128 -p udp -m udp --dport 7001 -j ACCEPT
-A SUL -s 171.67.16.0/255.255.252.0 -p udp -m udp --dport 7001 -j ACCEPT
# Established flows to the AFS port range from the site networks
-A SUL -s 171.64.0.0/255.252.0.0 -p udp -m udp --dport 7000:7010 -m state --state ESTABLISHED -j ACCEPT

It's not completely clear to me whether the last rule is required.

The reason for the separate 7001 rule is that this is the cache manager
callback port, and callbacks are often broken after long periods of
inactivity, long enough for iptables to forget ESTABLISHED status.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
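To check how the ruleset above treats a given packet, here is an added example (not from the post or from OpenAFS) that parses the subset of iptables-save syntax used in those rules and applies first-match semantics; the rules are embedded as the sample input, the chain policy is assumed to be DROP, and the packet's conntrack state is supplied by the caller.

```python
import ipaddress

# The rules quoted in the post, embedded here as the sample input (chain SUL).
SUL_RULES = """\
-A SUL -s 171.64.0.0/255.252.0.0 -p udp -m udp --sport 7000:7007 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A SUL -s 171.64.7.0/255.255.255.0 -p udp -m udp --dport 7001 -j ACCEPT
-A SUL -s 171.64.14.0/255.255.255.0 -p udp -m udp --dport 7001 -j ACCEPT
-A SUL -s 171.64.17.0/255.255.255.128 -p udp -m udp --dport 7001 -j ACCEPT
-A SUL -s 171.67.16.0/255.255.252.0 -p udp -m udp --dport 7001 -j ACCEPT
-A SUL -s 171.64.0.0/255.252.0.0 -p udp -m udp --dport 7000:7010 -m state --state ESTABLISHED -j ACCEPT
"""

def parse_rule(line):
    # Parse the subset of iptables-save syntax used above; every option here takes one argument.
    toks, i = line.split(), 0
    rule = {"src": None, "proto": None, "sport": None, "dport": None, "state": None, "target": None}
    while i < len(toks):
        tok, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-s":                       # source network; dotted-netmask form is accepted
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif tok == "-p":
            rule["proto"] = arg
        elif tok in ("--sport", "--dport"):  # single port or lo:hi range
            lo, _, hi = arg.partition(":")
            rule[tok[2:]] = (int(lo), int(hi or lo))
        elif tok == "--state":                # conntrack states, comma separated
            rule["state"] = set(arg.split(","))
        elif tok == "-j":
            rule["target"] = arg
        i += 2 if tok.startswith("-") else 1  # -A, -m and friends just consume their argument
    return rule

def rule_matches(rule, pkt):
    # pkt: src, proto, sport, dport and the conntrack state the kernel would assign.
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] and pkt["proto"] != rule["proto"]:
        return False
    for key in ("sport", "dport"):
        if rule[key] and not rule[key][0] <= pkt[key] <= rule[key][1]:
            return False
    return not rule["state"] or pkt["state"] in rule["state"]

def verdict(rules_text, pkt, policy="DROP"):
    # First match wins, as in iptables; otherwise the chain policy applies (assumed to be DROP).
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy
```

Feeding it a callback to port 7001 with state NEW shows why the separate 7001 rules exist: without them, a server outside those networks only gets through while conntrack still holds an ESTABLISHED entry.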