[OpenAFS] NAT issues.

ted creedon tcreedon@easystreet.com
Wed, 26 Apr 2006 07:30:37 -0700

Using a single NAT firewall set up with Fwbuilder, the rule is
:firewall to any afs and
:any to firewall afs

The dual homed server listens to both the internal net and the external net.

Kerberos V has to be set up too.

Linksys firewalls don't work with the standard code.

Looking at the packet logs the AFS connection is very, very secure.


-----Original Message-----
From: openafs-info-admin@openafs.org [mailto:openafs-info-admin@openafs.org]
On Behalf Of Jeffrey Hartwigsen
Sent: Tuesday, April 25, 2006 10:18 PM
To: openafs-info@openafs.org
Subject: Re: [OpenAFS] NAT issues.

> The work that has gone into 1.4.1 allows the file servers to track the
> clients when the clients move.  It does not allow the file servers to
> communicate with clients when the network paths to the clients no longer
> exist.
> Windows clients running 1.4.0 when idle do not contact the file servers
> but once per hour.  During that time period the NATs will timeout the
> port mappings.  Hence the file servers will not be able to communicate
> with the clients.
> Windows 1.4.1 clients contact the file servers at least once per ten
> minutes.  This is better for most NATs but there are some that will
> timeout the port mappings in under a minute for UDP.
> With 1.5.1 (an unstable release) you can set the probe period via the
> registry to under a minute if you so choose.  Not that I recommend this.
> I would need to see the output of the file server logs at level 125
> to explain to you exactly what is happening.  However, suffice it to
> say that if your NATs do not keep the port mappings open, nothing the
> file server does is going to help.
> Jeffrey Altman

Thank you, Jeffrey. That explains a lot about what's happening at least.
I will send along the file logs tomorrow. I'm assuming kill -TSTP will
achieve the level you require?
OpenAFS-info mailing list
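The interaction the quoted reply describes (the client's probe period versus the NAT's UDP port-mapping timeout), as an added example that is not OpenAFS code: the NAT model, the NAT timeouts and the 45 s sub-minute probe value are assumptions; the hourly and ten-minute intervals are the ones stated in the thread.

```python
# Added example (not OpenAFS code): a small model of how a NAT's UDP mapping
# timeout interacts with the AFS client's probe interval, using the intervals
# quoted in the thread (1.4.0: hourly, 1.4.1: every ten minutes, 1.5.1: a
# sub-minute registry setting). NAT timeouts are constructed for illustration.

def simulate(probe_interval, nat_timeout, callback_times):
    """Return {callback_time: delivered?} for server-initiated callbacks.

    Model (an assumption, not a statement about any particular NAT):
    the client's first packet at t=0 creates the mapping; any packet that
    crosses the NAT in either direction refreshes it; the mapping is dropped
    once it has been idle for nat_timeout seconds or longer.
    """
    horizon = max(callback_times, default=0)
    probes = range(0, horizon + 1, probe_interval)
    # Probes sort before callbacks at the same instant (kind 0 before kind 1).
    events = sorted([(t, 0) for t in probes] + [(t, 1) for t in callback_times])
    last_traffic = 0
    delivered = {}
    for t, kind in events:
        if kind == 0:
            last_traffic = t        # outbound probe (re)creates the mapping
        else:
            ok = (t - last_traffic) < nat_timeout
            delivered[t] = ok
            if ok:
                last_traffic = t    # inbound traffic through a live mapping refreshes it
    return delivered

CLIENT_PROBE_INTERVAL = {   # seconds; first two from the thread, third constructed
    "1.4.0": 3600,          # idle client contacts the file server once per hour
    "1.4.1": 600,           # at least once per ten minutes
    "1.5.1": 45,            # registry-tunable; 45 s is an assumed sub-minute value
}

def compare_clients(nat_timeout, callback_time=1700):
    """For one NAT timeout, which client versions still receive a callback at callback_time?"""
    return {ver: simulate(p, nat_timeout, [callback_time])[callback_time]
            for ver, p in CLIENT_PROBE_INTERVAL.items()}

if __name__ == "__main__":
    for nat_timeout in (60, 300, 900):
        print(f"NAT UDP timeout {nat_timeout:4d}s:", compare_clients(nat_timeout))
```

The 60 s row shows the case the reply ends on: when the NAT drops the mapping faster than the client refreshes it, no file server setting can reach the client.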