[OpenAFS] Firewall politics and AFS deployment

Simeon Miteff simeon@up.ac.za
Tue, 27 Sep 2005 16:37:30 +0200 (SAST)

Dear All

We're facing a difficult problem with our planned deployment of AFS here 
at the University of Pretoria. I'm hoping that we can gain some insight 
into how things work on other similar networks. I apologise in advance for 
the long post, unfortunately I can't think of a short way to explain our 


UP has 4 different NIS/NFS domains run by individual departments on our 
campus who use UNIX. The central IT department has historically only 
catered for Windows clients, and we never had any central HPC resources, 
or UNIX file servers, etc. The shortcomings of NIS/NFS were never a problem 
within these "unix pockets", as there was no inter-departmental 
collaboration and/or resource sharing on a systems level.

Now, recently, we obtained some hardware to build a common university 
cluster, and that (among other things) has prompted us to look to AFS as 
a solution for making access to shared clusters/machines transparent to 
users. The idea is for each of these NIS/NFS domains to become 4 separate 
AFS cells.

Now the problem:

Some years ago our network used to be fairly open/lightly firewalled (as 
I imagine most university networks were). Then some machines got hacked 
(*cough*windows*cough*), and then a decision was made to change the 
network to an Internet--->DMZ---->LAN type of setup. The LAN has 
transparent access to the DMZ, but not vice-versa.

Now, external collaborators (untrusted as far as our IT dept. is 
concerned) need to access some of the clusters. This is a political/funding 
issue which we cannot compromise on. The solution was to put those 
clusters in the DMZ.

If we want to deploy AFS clients on these cluster hosts, we'll need to 

1) Open a handful of ports on the DMZ firewall to the LAN, for each 
file/db/kerberos/ldap server on the LAN (something which our IT dept is 
strongly opposed to).

2) Move all our AFS servers to the DMZ and open port 7001 from the DMZ to 
any machine on campus (they're unhappy about that too, but I guess we have 
a better chance of convincing them to allow this option).

Option 1) seems to be the most reasonable from the UNIX admin's 
perspective, as it will not require us to make major changes to the way 
we plan to deploy our AFS cells on the LAN, but it's the path of most 
resistance in terms of politics.

Option 2) is more likely to happen in terms of politics, but defeats the 
point of a nice distributed AFS system.

Looking at the public CellServDB, I can't help wondering how AFS servers 
are connected at other universities? Are we overly firewalled? Do other 
HPC centres maintain separate AFS cells for cluster users?

Any thoughts?

Kind regards,