[OpenAFS] Solaris 10 ipfilter vs. AFS

Robert Banz banz@umbc.edu
Thu, 20 Sep 2007 11:45:47 -0400


Here's a fragment of what I use on my AFS servers.

You really don't want to state-track your AFS stuff. You really don't want ipfilter to have to keep track of all of that -- if your cell is reasonably busy, those internal tables will get rather big. I just pass in/out the frags -- you could probably refine that to just allow the AFS stuff if you're so inclined.

---


# stupid
pass in all with frag
pass out all with frag
# cache manager callback for the local client,
pass in quick proto udp from any to any port = 7001
# don't bother doing session tracking for AFS-stuff
pass out quick proto udp from any port = 7001 to any

# AFS fileserver stuff
pass in quick proto udp from any to any port = 7000
pass out quick proto udp from any port = 7000 to any

# nobody from outside should be looking at our volserver
pass in quick proto udp from 130.85.0.0/255.255.0.0 to any port = 7005
pass out quick proto udp from any port = 7005 to any

# nobody from outside should be looking at our bosservers
pass in quick proto udp from 130.85.0.0/255.255.0.0 to any port = 7007
pass out quick proto udp from any port = 7007 to any

# in/out udp to the db servers w/o state checking
pass out quick from any to 130.85.24.101
pass in quick from 130.85.24.101 to any
pass out quick from any to 130.85.24.23
pass in quick from 130.85.24.23 to any
pass out quick from any to 130.85.24.87
pass in quick from 130.85.24.87 to any

# can talk tcp/udp to anything else with state
pass out proto udp from any port != 7001 to any keep state

# stateless tcp
pass out quick proto tcp from any to any
pass in quick proto tcp from any to any flags A/A
pass in quick proto tcp from any to any flags R/R


On Sep 20, 2007, at 11:12, Eric Sturdivant wrote:

>
> Is anyone using AFS (either client or server) on a solaris 10  
> system with ipfilter running that can share their rule sets?
>
> I am seeing large numbers of blocked fragmented packets, which is  
> killing the performance.
>
> My ruleset looks something like this:
>
> pass out all keep state keep frags
> block in log all
> pass in log quick proto udp from any port 6999 >< 7010 to any port = afs3-callback keep state keep frags
> pass in log quick proto udp from any to any port = afs3-fileserver keep state keep frags
> pass in log quick proto udp from any to any port = afs3-volser keep state keep frags
> pass in log quick proto udp from any to any port = afs3-errors keep state keep frags
> pass in log quick proto udp from any to any port = afs3-bos keep state keep frags
> pass in log quick proto udp from any to any port = afs3-update keep state keep frags
> pass in log quick proto udp from any to any port = afs3-rmtsys keep state keep frags
>
>
> And ipmon is showing blocked packets like this:
>
> 20/09/2007 10:41:00.390703 2x bge0 @0:14 b hecate.umd.edu [128.8.10.23] -> wrath.umd.edu[128.8.70.25] PR udp len 20 (1500) frag +-1480@1480 IN
>
> -- 
> Eric Sturdivant
> University of Maryland
> Office of Information Technology
> Distributed Computing Services
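As an added illustration (not code from either poster), a small Python parser for the ipmon line format quoted above: it pulls out the rule id, endpoints and fragment offset, and tallies blocked non-first fragments per rule and host pair, so you can confirm that the blocked traffic really is the AFS servers' fragmented UDP before relaxing the ruleset. The sample lines other than the one quoted in the thread are constructed, and the "host,port" form, the optional "Nx" repeat prefix and the "offset@len" reading of the frag field are assumed from ipmon's usual output.

```python
import re
from collections import Counter

# Constructed sample: the line quoted in the thread (rejoined onto one line) followed by two
# further lines made up here in the same ipmon format: a second blocked non-first fragment and
# a passed first fragment, which still carries the UDP header and so shows ports (host,port).
SAMPLE_LOG = """\
20/09/2007 10:41:00.390703 2x bge0 @0:14 b hecate.umd.edu [128.8.10.23] -> wrath.umd.edu[128.8.70.25] PR udp len 20 (1500) frag +-1480@1480 IN
20/09/2007 10:41:00.390990 bge0 @0:14 b hecate.umd.edu [128.8.10.23] -> wrath.umd.edu[128.8.70.25] PR udp len 20 (1500) frag +-2960@1480 IN
20/09/2007 10:41:01.120004 bge0 @0:3 p hecate.umd.edu[128.8.10.23],7000 -> wrath.umd.edu[128.8.70.25],7001 PR udp len 20 (1500) frag +0@1480 IN
"""

# One ipmon record (assumed layout): date time [Nx] iface @group:rule action src[,port] -> dst[,port]
# PR proto len <ip hdr len> (<total len>) [frag <flags><offset>@<len>] IN|OUT
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?:(?P<count>\d+)x )?(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>.+?)(?:,(?P<sport>\S+))? -> (?P<dst>.+?)(?:,(?P<dport>\S+))? "
    r"PR (?P<proto>\S+) len (?P<hdr_len>\d+) \((?P<pkt_len>\d+)\)"
    r"(?: frag (?P<frag_flags>[+-]*)(?P<frag_off>\d+)@(?P<frag_len>\d+))? (?P<dir>IN|OUT)"
)

def parse_ipmon_line(line):
    """Parse one ipmon line into a dict, or return None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"]) if rec["count"] else 1   # "2x" repeat prefix, default 1
    for key in ("hdr_len", "pkt_len", "frag_off", "frag_len"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    # Only the first fragment (offset 0) carries the UDP header; later fragments have no
    # port numbers, so a rule keyed on "port = afs3-..." cannot match them on its own.
    rec["non_first_fragment"] = bool(rec["frag_off"])
    return rec

def blocked_fragment_summary(log_text):
    """Total blocked non-first fragments per (rule, src, dst), weighted by the repeat count."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec and rec["action"] == "b" and rec["non_first_fragment"]:
            totals[(f"@{rec['group']}:{rec['rule']}", rec["src"], rec["dst"])] += rec["count"]
    return totals

if __name__ == "__main__":
    for (rule, src, dst), n in blocked_fragment_summary(SAMPLE_LOG).most_common():
        print(f"{n:6d} blocked non-first fragments by rule {rule}: {src} -> {dst}")
```

Feed it the output of ipmon (or a saved log) and a hit count concentrated on your AFS server pairs, with no ports on the blocked records, is the signature of fragments being dropped before the port-based rules ever see a UDP header.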