[OpenAFS] firewalling OpenAFS ports
Thu, 16 Jun 2005 21:47:12 -0400
On Thu, Jun 16, 2005 at 03:43:19PM -0700, Russ Allbery wrote:
> Jerome Asselin <firstname.lastname@example.org> writes:
> > Has anyone some iptables scripts to protect OpenAFS ports? I use the
> > standard AFS authentication method (*not* kerberos). Below are the ports
> > which are being used. I'm not sure which ones must be allowed to pass
> > through.
> Note that the following doesn't include buserver, as we don't use it.
> You'll have to get information from others about that.
> An AFS *client* needs to allow established UDP connections with a source
> port of 7000-7007 to any non-restricted destination port. You also want
> to explicitly allow all UDP traffic with a destination port of 7001 from
> your AFS file servers to any AFS client, since often callbacks last for
> longer than the kernel definition of an "established" UDP connection. If
> you're running the kaserver, you also want to allow established UDP
> traffic with a source port of 88 or 750 to any high-numbered port on the
> client system.
> Looking at our iptables rules, we also allow established UDP connections
> to a destination port of 7000 through 7010 on clients; I think this is too
> broad and probably not required.
> For AFS *file servers*, you need to additionally allow UDP traffic to
> ports 7000, 7005, and 7007 from any system that might be an AFS client.
> You also need to allow connections from your master to upclient if you're
> running upclient; unfortunately, it looks like upclient might pick a
> random high-numbered port (?).
> For AFS *database servers*, you need to allow UDP traffic to ports 7002,
> 7003, 7004, and 7007 from any AFS client. If you're running the kaserver,
> you also need to allow UDP traffic to ports 88 and 750.
> Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>
If you are using the native backup software, you need to open 7021 on the database server.
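As an added example that is not part of the thread: a small POSIX sh function that prints the iptables rules implied by the advice above for a client, a file server or a database server (including the 7021 backup port from the reply), so they can be reviewed before being piped to sh. The FILESERVERS addresses, the KASERVER/BACKUP switches and the AFS-IN chain name are assumptions, not from the thread.

```shell
#!/bin/sh
# Constructed example: print the iptables rules for one AFS role.
# FILESERVERS: your AFS file servers (constructed addresses below).
# KASERVER=yes if you still run kaserver; BACKUP=yes for the native backup.
FILESERVERS="${FILESERVERS:-192.0.2.10 192.0.2.11}"
KASERVER="${KASERVER:-no}"
BACKUP="${BACKUP:-no}"

afs_rules() {
    role="$1"
    echo "iptables -N AFS-IN 2>/dev/null; iptables -F AFS-IN"
    case "$role" in
    client)
        # Replies from servers (source 7000-7007) to our client's Rx port.
        echo "iptables -A AFS-IN -p udp --sport 7000:7007 -m state --state ESTABLISHED -j ACCEPT"
        # Callbacks arrive long after conntrack has forgotten the exchange,
        # so accept dport 7001 from each file server unconditionally.
        for fs in $FILESERVERS; do
            echo "iptables -A AFS-IN -p udp -s $fs --dport 7001 -j ACCEPT"
        done
        if [ "$KASERVER" = yes ]; then
            echo "iptables -A AFS-IN -p udp -m multiport --sports 88,750 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT"
        fi
        ;;
    fileserver)
        echo "iptables -A AFS-IN -p udp -m multiport --dports 7000,7005,7007 -j ACCEPT"
        ;;
    dbserver)
        echo "iptables -A AFS-IN -p udp -m multiport --dports 7002,7003,7004,7007 -j ACCEPT"
        if [ "$KASERVER" = yes ]; then
            echo "iptables -A AFS-IN -p udp -m multiport --dports 88,750 -j ACCEPT"
        fi
        if [ "$BACKUP" = yes ]; then
            echo "iptables -A AFS-IN -p udp --dport 7021 -j ACCEPT"
        fi
        ;;
    *)
        echo "usage: afs_rules client|fileserver|dbserver" >&2
        return 1
        ;;
    esac
    # Anything else aimed at the AFS port range is logged and dropped.
    echo "iptables -A AFS-IN -p udp --dport 7000:7021 -j LOG --log-prefix 'AFS-DROP: '"
    echo "iptables -A AFS-IN -p udp --dport 7000:7021 -j DROP"
    echo "iptables -A INPUT -p udp -j AFS-IN"
}
```

Run as `afs_rules client` (or fileserver/dbserver) to inspect the rules, and `afs_rules client | sh` to apply them.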