[OpenAFS] Which inbound ports need to be open for AFS servers?
Russ Allbery
rra@stanford.edu
Mon, 06 Apr 2009 18:34:33 -0700
Jason Edgecombe <jason@rampaginggeek.com> writes:
> In light of the recent security announcement, I would like to review the
> open firewall ports on my AFS servers.
>
> For quick reference, here are the ports from the afsd man page:
>
> fileserver 7000/udp
> cachemanager 7001/udp
> ptserver 7002/udp
> vlserver 7003/udp
> kaserver 7004/udp (not needed with Kerberos v5)
> volserver 7005/udp
> reserved 7006/udp (for future use)
> bosserver 7007/udp
>
> Which of these ports need to be open inbound for off-site clients to work
> properly?

7000 and 7005 on file servers, 7002 and 7003 on VLDB servers. 7007 only
if you want to allow bos access from off-site.

> Would it hurt anything to block port 7001 inbound on a fileserver or DB
> server running an AFS client?

No. You only need port 7001 open to AFS file servers that you want to
talk to.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
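
Added example (not part of the original message and not OpenAFS code): a shell function that turns the port assignments given in the reply above into an iptables-restore fragment per server role. The role names, the AFS-IN chain, the AFS_FILESERVERS variable and the choice to drop the rest of 7000-7007/udp are assumptions of this example.

```shell
#!/bin/sh
# Emit an iptables-restore fragment for inbound AFS traffic, by host role.
# Port-to-role mapping follows the reply above; everything else is assumed.
#
# Roles (hypothetical names used only by this example):
#   fileserver   7000/udp and 7005/udp
#   dbserver     7002/udp and 7003/udp
#   bos-offsite  7007/udp (only if bos access from off-site is wanted)
#   client       7001/udp, accepted only from hosts in $AFS_FILESERVERS
afs_inbound_rules() {
    ports=""
    client=0
    for role in "$@"; do
        case "$role" in
            fileserver)  ports="$ports 7000 7005" ;;
            dbserver)    ports="$ports 7002 7003" ;;
            bos-offsite) ports="$ports 7007" ;;
            client)      client=1 ;;
            *) echo "unknown role: $role" >&2; return 1 ;;
        esac
    done
    echo "*filter"
    echo ":AFS-IN - [0:0]"
    # Send the whole AFS port range through one chain so nothing is missed.
    echo "-A INPUT -p udp -m udp --dport 7000:7007 -j AFS-IN"
    for p in $ports; do
        echo "-A AFS-IN -p udp -m udp --dport $p -j ACCEPT"
    done
    if [ "$client" -eq 1 ]; then
        # 7001 is opened only to the file servers this client talks to.
        for src in $AFS_FILESERVERS; do
            echo "-A AFS-IN -s $src -p udp -m udp --dport 7001 -j ACCEPT"
        done
    fi
    # Assumption: the rest of the range (7004, 7006, unused roles) is dropped.
    echo "-A AFS-IN -j DROP"
    echo "COMMIT"
}

# Run as a script when roles are given on the command line.
if [ "$#" -gt 0 ]; then
    afs_inbound_rules "$@"
fi
```

Saved as a script (file name hypothetical), `AFS_FILESERVERS=192.0.2.10 sh afs-inbound.sh dbserver client | iptables-restore --noflush --test` parses the result without committing it; the address is a constructed sample.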