[OpenAFS] Firewall politics and AFS deployment

Tim Spriggs tims@lpl.arizona.edu
Tue, 27 Sep 2005 17:04:55 -0700 (MST)


Hi Simeon,

I am not an expert in AFS but I have set up an afs cell behind a firewall
that was publicly available. However, it is by far not the easiest setup
to install and it definitely makes life harder in troubleshooting.

Also, there can be some complications when fileserver machines have more
than one IP if they are not both global because they report their own
primary IP to the database servers automatically. This means that machines
can try to contact a non-routable IP if that is the ip for the primary
interface of the fileserver.

Our AFS cluster (still being tested and built) uses machines on global ip
addresses. Also, we put our afs information into DNS so that the cell can
be reached automagically by a default afs setup anywhere. Troubleshooting
has been very easy and has eliminated the guesswork of having a firewall
in front of the servers.

Hope this helps,
-Tim

Lunar and Planetary Lab
(520) 626 - 4991 -- SS 416

1629 E. University Blvd.
University of Arizona

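The multi-homed fileserver problem Tim describes above (a private primary address being registered in the VLDB and handed to clients that cannot route to it) can be spotted from the address list the database servers hold. The following is an added example, not code from the thread or from OpenAFS; it parses a constructed sample in the one-server-per-line layout that `vos listaddrs` prints (a multi-homed server's addresses share one line) and classifies each server as a client outside the LAN would experience it. The sample addresses are constructed and the "fallback" / "unreachable" labels are this example's own terms.

```python
import ipaddress
from typing import Dict, List

# Constructed sample modelled on `vos listaddrs` output: one server per line,
# a multi-homed server's addresses on the same line, the registered primary
# first. These are documentation/RFC 1918 addresses, not a real cell.
SAMPLE_LISTADDRS = """\
203.0.113.10
192.168.10.5 203.0.113.11
10.0.0.7
"""

# "Non-routable" in the sense of the thread: RFC 1918 space that a host in
# the DMZ or on the Internet cannot reach.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_nonroutable(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def parse_listaddrs(text: str) -> List[List[ipaddress.IPv4Address]]:
    """One address list per server; element 0 is the registered primary."""
    servers = []
    for line in text.splitlines():
        if line.strip():
            servers.append([ipaddress.ip_address(t) for t in line.split()])
    return servers


def classify_servers(servers: List[List[ipaddress.IPv4Address]]) -> Dict[str, str]:
    """Label each server (keyed by its address line) for an external client:
       ok          - primary address is routable
       fallback    - primary is RFC 1918, so the client may stall on it
                     before trying the routable secondary address
       unreachable - no routable address registered at all"""
    report: Dict[str, str] = {}
    for addrs in servers:
        key = " ".join(str(a) for a in addrs)
        if all(is_nonroutable(a) for a in addrs):
            report[key] = "unreachable"
        elif is_nonroutable(addrs[0]):
            report[key] = "fallback"
        else:
            report[key] = "ok"
    return report


if __name__ == "__main__":
    for line, verdict in classify_servers(parse_listaddrs(SAMPLE_LISTADDRS)).items():
        print(f"{verdict:12s} {line}")
```

Servers flagged "fallback" or "unreachable" are the ones whose registered addresses need correcting on the fileserver side (OpenAFS does this through the server's NetInfo/NetRestrict files) before DMZ clients are pointed at the cell.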
On Tue, 27 Sep 2005, Noel Burton-Krahn wrote:

> Hi Simeon,
>
> Port forwarding would do the trick, but AFS requires several ports.  How
> about setting up a VPN to allow external clients access to your AFS servers?
> I use www.natnix.com.
>
> --Noel
>
> ----- Original Message -----
> From: "Simeon Miteff" <simeon@up.ac.za>
> To: <openafs-info@openafs.org>
> Sent: Tuesday, September 27, 2005 7:37 AM
> Subject: [OpenAFS] Firewall politics and AFS deployment
>
>
> > Dear All
> >
> > We're facing a difficult problem with our planned deployment of AFS here
> > at the University of Pretoria. I'm hoping that we can gain some insight
> > into how things work on other similar networks. I apologise in advance for
> > the long post, unfortunately I can't think of a short way to explain our
> > problem.
> >
> > Background:
> >
> > UP has 4 different NIS/NFS domains run by individual departments on our
> > campus who use UNIX. The central IT department has historically only
> > catered for Windows clients, and we never had any central HPC resources,
> > or UNIX file servers, etc. The shortcomings of NIS/NFS were never a problem
> > within these "unix pockets", as there was no inter-departmental
> > collaboration and/or resource sharing on a systems level.
> >
> > Now, recently, we obtained some hardware to build a common university
> > cluster, and that (among other things) has prompted us to look to AFS as
> > a solution for making access to shared clusters/machines transparent to
> > users. The idea is for each of these NIS/NFS domains to become 4 separate
> > AFS cells.
> >
> > Now the problem:
> >
> > Some years ago our network used to be fairly open/lightly firewalled (as I
> > imagine most university networks were). Then some machines got hacked
> > (*cough*windows*cough*), and then a decision was made to change the
> > network to an Internet--->DMZ---->LAN type of setup. The LAN has
> > transparent access to the DMZ, but not vice-versa.
> >
> > Now, external collaborators (untrusted as far as our IT dept. is
> > concerned), need to access some of the clusters. This is a
> > political/funding issue which we cannot compromise on. The solution was to
> > put those clusters in the DMZ.
> >
> > If we want to deploy AFS clients on these cluster hosts, we'll need to
> > either:
> >
> > 1) Open a handful of ports on the DMZ firewall to the LAN, for each
> > file/db/kerberos/ldap server on the LAN (something which our IT dept is
> > strongly opposed to).
> >
> > 2) Move all our AFS servers to the DMZ and open port 7001 from the DMZ to
> > any machine on campus (they're unhappy about that too, but I guess we have
> > a better chance of convincing them to allow this option).
> >
> > Option 1) seems to be the most reasonable from the UNIX admin's
> > perspective, as it will not require us to make major changes to the way we
> > plan to deploy our AFS cells on the LAN, but it's the path of most
> > resistance in terms of politics.
> >
> > Option 2) is more likely to happen in terms of politics, but defeats the
> > point of a nice distributed AFS system.
> >
> > Looking at the public CellServDB, I can't help wondering how AFS servers
> > are connected at other universities? Are we overly firewalled? Do other
> > HPC centres maintain separate AFS cells for cluster users?
> >
> > Any thoughts?
> >
> > Kind regards,
> > Simeon.
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
>