[OpenAFS] Which inbound ports need to be open for AFS servers?

Russ Allbery rra@stanford.edu
Mon, 06 Apr 2009 18:34:33 -0700

Jason Edgecombe <jason@rampaginggeek.com> writes:

> In light of the recent security announcement, I would like to review the
> open firewall ports on my AFS servers.
> For quick reference, here are the ports from the afsd man page:
>          fileserver      7000/udp
>          cachemanager    7001/udp
>          ptserver        7002/udp
>          vlserver        7003/udp
>          kaserver        7004/udp (not needed with Kerberos v5)
>          volserver       7005/udp
>          reserved        7006/udp (for future use)
>          bosserver       7007/udp
> Which of these ports need to be open inbound for off-site clients to work
> properly?

7000 and 7005 on file servers, 7002 and 7003 on VLDB servers.  7007 only
if you want to allow bos access from off-site.

> Would it hurt anything to block port 7001 inbound on a fileserver or DB
> server running an AFS client?

No.  You only need port 7001 open to AFS file servers that you want to
talk to.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>