[OpenAFS] firewalling OpenAFS ports

Russ Allbery rra@stanford.edu
Thu, 16 Jun 2005 15:43:19 -0700


Jerome Asselin <asselinj@exchange.umontreal.ca> writes:

> Has anyone some iptables scripts to protect OpenAFS ports? I use the
> standard AFS authentication method (*not* kerberos). Below are the ports
> which are being used. I'm not sure which ones must be allowed to pass
> through.

Note that the following doesn't include buserver, as we don't use it.
You'll have to get information from others about that.

An AFS *client* needs to allow established UDP connections with a source
port of 7000-7007 to any non-restricted destination port.  You also want
to explicitly allow all UDP traffic with a destination port of 7001 from
your AFS file servers to any AFS client, since often callbacks last for
longer than the kernel definition of an "established" UDP connection.  If
you're running the kaserver, you also want to allow established UDP
traffic with a source port of 88 or 750 to any high-numbered port on the
client system.

Looking at our iptables rules, we also allow established UDP connections
to a destination port of 7000 through 7010 on clients; I think this is too
broad and probably not required.

For AFS *file servers*, you need to additionally allow UDP traffic to
ports 7000, 7005, and 7007 from any system that might be an AFS client.
You also need to allow connections from your master to upclient if you're
running upclient; unfortunately, it looks like upclient might pick a
random high-numbered port (?).

For AFS *database servers*, you need to allow UDP traffic to ports 7002,
7003, 7004, and 7007 from any AFS client.  If you're running the kaserver,
you also need to allow UDP traffic to ports 88 and 750.
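The three role descriptions above translate fairly directly into iptables rules. The following script is an added example, not part of Russ's message or of OpenAFS itself: it prints (rather than applies) the INPUT-chain rules for one host role, so the output can be reviewed before being fed to a shell. The file server addresses are placeholders from the TEST-NET-1 range and must be replaced; the rule for upclient is left out because the post notes that its port may be random.

```shell
#!/bin/sh
# Added example (not from the original post): emit the iptables rules the
# message describes for an AFS client, file server or database server.
# Assumptions: rules go on the INPUT chain, UDP only, and "established"
# means the kernel conntrack state, via -m state --state ESTABLISHED.

# Placeholder file server addresses (TEST-NET-1); override in the environment.
AFS_FILESERVERS="${AFS_FILESERVERS:-192.0.2.10 192.0.2.11}"

# afs_rules ROLE [kaserver]
# ROLE is client, fileserver or dbserver; pass "kaserver" as the second word
# if the cell still runs the kaserver.  Prints one iptables command per line.
afs_rules() {
    role="$1"
    kaserver="$2"
    case "$role" in
    client)
        # Replies from servers (source ports 7000-7007) on an established
        # UDP "connection", to whatever port the client chose.
        echo "iptables -A INPUT -p udp --sport 7000:7007 -m state --state ESTABLISHED -j ACCEPT"
        # Callbacks arrive on 7001 long after the conntrack entry has expired,
        # so allow them explicitly from each file server.
        for fs in $AFS_FILESERVERS; do
            echo "iptables -A INPUT -p udp -s $fs --dport 7001 -j ACCEPT"
        done
        if [ "$kaserver" = kaserver ]; then
            # kaserver replies from 88 or 750 to a high-numbered client port.
            for sp in 88 750; do
                echo "iptables -A INPUT -p udp --sport $sp --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT"
            done
        fi
        ;;
    fileserver)
        # A file server is also a client of the cell, so it needs the client
        # rules plus unsolicited UDP to 7000, 7005 and 7007.
        afs_rules client "$kaserver"
        for dp in 7000 7005 7007; do
            echo "iptables -A INPUT -p udp --dport $dp -j ACCEPT"
        done
        ;;
    dbserver)
        # Database servers: client rules plus 7002, 7003, 7004 and 7007,
        # and 88/750 when the kaserver is running.
        afs_rules client "$kaserver"
        for dp in 7002 7003 7004 7007; do
            echo "iptables -A INPUT -p udp --dport $dp -j ACCEPT"
        done
        if [ "$kaserver" = kaserver ]; then
            for dp in 88 750; do
                echo "iptables -A INPUT -p udp --dport $dp -j ACCEPT"
            done
        fi
        ;;
    *)
        echo "usage: $0 client|fileserver|dbserver [kaserver]" >&2
        return 1
        ;;
    esac
}

# Usage: ./afs-rules.sh fileserver kaserver | sh   (after reviewing the output)
[ $# -eq 0 ] || afs_rules "$@"
```

The script only prints rules so that the generated policy can be checked against the port list in the message before anything is applied; piping its output to `sh` is the deliberate second step. Rules for traffic leaving the host are not included, on the assumption that OUTPUT is not filtered.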

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>