[OpenAFS] NAT issues.

Jeffrey Hartwigsen jrhartwigsen@linkp.com
Wed, 26 Apr 2006 20:01:41 -0500

ted creedon wrote:
> For what it's worth, an identical problem was solved by placing the afs
> server on a DMZ running its own firewall, installing 2 NIC cards, one
> internal and one external, and writing firewall rules to match. Only afs
> traffic is allowed from the internal net to the afs server which also is the
> KRB5 server.
> Setting appropriate firewall logging rules helps as well as nmap and snort
> to verify the firewall integrity.
> The clients can be behind remote firewalls. All clients grab tokens from the
> external net interface....
> tedc

That was an option we discussed some here. Isn't AFS pretty finicky
about how reverse lookup works? So wouldn't having its host name
resolve to two separate IPs confuse it? Or is that why you restrict the
internal NIC to AFS traffic only? Can you still use AFSDB records on the
internal DNS?
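For readers following this thread, here is the dual-NIC policy ted describes, written out as a firewall rule generator. This is an added example, not a script posted by anyone in the thread or shipped with OpenAFS or Kerberos: the interface names, the internal client network and the use of iptables are assumptions for illustration. It allows only the AFS server ports from the internal network on the internal NIC, AFS plus Kerberos (88/udp and 88/tcp) on the external NIC so that clients fetch tokens there, refuses to forward between the two NICs, and logs whatever falls through before the default DROP. It does not address the reverse-lookup or AFSDB question raised above.

```shell
#!/bin/sh
# Added example: firewall policy for a combined OpenAFS + Kerberos 5 server
# with two NICs, as described in ted creedon's message. Interface names,
# networks and the choice of iptables are assumptions for illustration.

INT_IF="${INT_IF:-eth1}"            # assumed: NIC facing the internal network
EXT_IF="${EXT_IF:-eth0}"            # assumed: NIC facing the outside
INT_NET="${INT_NET:-10.0.0.0/8}"    # assumed: internal client address range

# OpenAFS server ports (UDP): fileserver 7000, ptserver 7002, vlserver 7003,
# kaserver 7004, volserver 7005, bosserver 7007. Clients listen on 7001/udp
# for callbacks; the server originates those, so the conntrack rule covers them.
AFS_UDP_PORTS="7000 7002 7003 7004 7005 7007"
KRB_PORT=88                         # Kerberos 5 KDC, udp and tcp

# Print the rules rather than applying them, so the policy can be reviewed
# (and nmap'd, as ted suggests) before it goes live.
afs_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"   # never route between the two NICs
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $AFS_UDP_PORTS; do
        # internal NIC: AFS only, and only from the internal client network
        echo "iptables -A INPUT -i $INT_IF -s $INT_NET -p udp --dport $p -j ACCEPT"
        # external NIC: AFS from anywhere (remote clients behind their own firewalls)
        echo "iptables -A INPUT -i $EXT_IF -p udp --dport $p -j ACCEPT"
    done
    # Kerberos only on the external NIC: all clients grab tokens there
    for proto in udp tcp; do
        echo "iptables -A INPUT -i $EXT_IF -p $proto --dport $KRB_PORT -j ACCEPT"
    done
    # rate-limited log of everything that falls through to the DROP policy
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"afs-fw-drop: \""
}

if [ "${1:-}" = "--apply" ]; then
    afs_rules | sh        # run as root after reviewing the printed rules
else
    afs_rules
fi
```

Run it without arguments to inspect the rule list, then `--apply` as root. From a host on the internal network, an `nmap -sU -p 7000-7009,88` against the internal address should show only the 700x ports open and 88 filtered; from outside, 88 should answer as well.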