[OpenAFS] NAT issues.

ted creedon tcreedon@easystreet.com
Wed, 26 Apr 2006 18:49:08 -0700

NetInfo keeps everything straight. There are also 2 other afs servers on 
the internal net that replicate to the dual homed server every night via 
the non routable class A address 10.1.1.x.

The packet logs bear this out.

It also works, for whatever reason.


Jeffrey Hartwigsen wrote:
> ted creedon wrote:
>> For what it's worth, an identical problem was solved by placing the afs
>> server on a DMZ running its own firewall, installing 2 nic cards, one
>> internal and one external, and writing firewall rules to match. Only afs
>> traffic is allowed from the internal net to the afs server, which also
>> is the KRB5 server.
>> Setting appropriate firewall logging rules helps, as well as nmap and
>> snort to verify the firewall integrity.
>> The clients can be behind remote firewalls. All clients grab tokens
>> from the external net interface....
>> tedc
> That was an option we discussed some here. Isn't AFS pretty finicky 
> about how reverse lookup works? So wouldn't having its host name 
> resolve to two separate IPs confuse it? Or is that why you restrict 
> the internal nic to AFS traffic only? Can you still use AFSDB records 
> on the internal DNS?
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
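The "only afs traffic from the internal net" rule set that tedc describes, written out as an added example (this is not code from the thread or from OpenAFS). It assumes iptables, an internal NIC named eth1 on the 10.1.1.0/24 network, and a server address of 10.1.1.5; all three are constructed values, settable through environment variables. The script prints the rules instead of applying them, so the policy can be reviewed (and checked with the helper below) before it is piped to a root shell.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: firewall rules for the
# internal NIC of a dual-homed OpenAFS + KRB5 server.
# Constructed assumptions: internal interface eth1, internal net 10.1.1.0/24,
# server address 10.1.1.5. Override with INTERNAL_IF / INTERNAL_NET / SERVER_IP.
INTERNAL_IF="${INTERNAL_IF:-eth1}"
INTERNAL_NET="${INTERNAL_NET:-10.1.1.0/24}"
SERVER_IP="${SERVER_IP:-10.1.1.5}"

# Emit the iptables commands for the internal interface.
# Accepted from the internal net: OpenAFS server ports (UDP 7000-7009) and
# Kerberos 5 (88/udp and 88/tcp). Everything else arriving on that NIC is
# rate-limited into the log (the "logging rules" from the thread) and dropped.
gen_afs_rules() {
    ifc="$1"; net="$2"; srv="$3"
    cat <<EOF
iptables -N AFS_IN
iptables -A INPUT -i $ifc -j AFS_IN
iptables -A AFS_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A AFS_IN -s $net -d $srv -p udp --dport 7000:7009 -j ACCEPT
iptables -A AFS_IN -s $net -d $srv -p udp --dport 88 -j ACCEPT
iptables -A AFS_IN -s $net -d $srv -p tcp --dport 88 -j ACCEPT
iptables -A AFS_IN -m limit --limit 5/min -j LOG --log-prefix "AFS_IN drop: "
iptables -A AFS_IN -j DROP
EOF
}

# Review helper: given a generated rule set and a UDP destination port,
# print "allowed" if some UDP ACCEPT rule covers the port (single port or
# lo:hi range), otherwise "blocked". Lets you confirm the policy is as narrow
# as intended before applying it.
check_udp_port() {
    rules="$1"; port="$2"
    printf '%s\n' "$rules" | awk -v p="$port" '
        /-p udp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") spec = $(i + 1)
            n = split(spec, r, ":")
            lo = r[1]; hi = (n == 2) ? r[2] : r[1]
            if (p + 0 >= lo + 0 && p + 0 <= hi + 0) { found = 1; exit }
        }
        END { print (found ? "allowed" : "blocked") }'
}

# Print the rules; apply with:  sh this_script.sh | sudo sh
gen_afs_rules "$INTERNAL_IF" "$INTERNAL_NET" "$SERVER_IP"
```

The chain ends in an unconditional DROP, so anything not explicitly listed (ssh, DNS, NTP, etc.) is blocked on the internal NIC; add further ACCEPT lines for whatever the internal net legitimately needs, and use the `AFS_IN drop:` log prefix to spot what is being refused.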