[OpenAFS] NAT issues.
Jeffrey Hartwigsen
jrhartwigsen@linkp.com
Wed, 26 Apr 2006 20:01:41 -0500
ted creedon wrote:
> For what it's worth, an identical problem was solved by placing the afs
> server on a DMZ running its own firewall, installing 2 nic cards, one
> internal and one external, and writing firewall rules to match. Only afs
> traffic is allowed from the internal net to the afs server which also is the
> KRB5 server.
>
> Setting appropriate firewall logging rules helps as well as nmap and snort
> to verify the firewall integrity.
>
> The clients can be behind remote firewalls. All clients grab tokens from the
> external net interface....
>
> tedc
>
>
That was an option we discussed some here. Isn't AFS pretty finicky
about how reverse lookup works? So wouldn't having its host name
resolve to two separate IPs confuse it? Or is that why you restrict the
internal nic to AFS traffic only? Can you still use AFSDB records on the
internal DNS?
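The dual-NIC DMZ layout that the quoted message describes (the AFS server is also the KRB5 server, one internal and one external interface, only AFS traffic admitted from the internal net, logging rules to audit the policy), written out as an added nftables ruleset. This is an example added here, not a ruleset from the thread or from the OpenAFS project; the interface names, the internal subnet and the port sets are assumptions, and the standard OpenAFS server ports are listed in the comments so they can be checked against your own servers.

```nftables
# Added example ruleset for the AFS/KRB5 DMZ host described in the thread.
# Assumed placeholders: eth1 = internal NIC, eth0 = external NIC,
# 10.0.0.0/8 = internal network.
define int_if  = "eth1"
define ext_if  = "eth0"
define int_net = 10.0.0.0/8

# Standard OpenAFS server ports, all UDP: fileserver 7000, ptserver 7002,
# vlserver 7003, kaserver 7004, volserver 7005, bosserver 7007.
# (7001 is the client-side callback port; the server initiates that traffic,
# so it is covered by the unrestricted output chain, not listed here.)
define afs_ports = { 7000, 7002, 7003, 7004, 7005, 7007 }
# Kerberos KDC (88) and kpasswd (464), UDP and TCP.
define krb_ports = { 88, 464 }

table inet dmz {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept

        # Internal net: only AFS and Kerberos may reach this host, nothing else.
        iifname $int_if ip saddr $int_net udp dport $afs_ports accept
        iifname $int_if ip saddr $int_net udp dport $krb_ports accept
        iifname $int_if ip saddr $int_net tcp dport $krb_ports accept

        # External interface: remote clients obtain tokens and reach the
        # fileserver here; everything else is dropped by the chain policy.
        iifname $ext_if udp dport $afs_ports accept
        iifname $ext_if udp dport $krb_ports accept
        iifname $ext_if tcp dport $krb_ports accept

        # Log and count what the policy drops, so the firewall can be audited
        # (the "appropriate firewall logging rules" the post recommends).
        log prefix "dmz-drop: " counter drop
    }

    chain forward {
        # The server is not a router between the two nets.
        type filter hook forward priority 0; policy drop;
    }
}
```

Load it with `nft -f` and check the counters on the drop rule after a test from each side; anything unexpected showing up under the `dmz-drop:` prefix is the quickest way to confirm the rules match what the post describes before trusting the setup. Outbound traffic from the server is deliberately left unrestricted so fileserver callbacks to clients on 7001/udp keep working.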