[OpenAFS] Nat & Ports Question

Brandon S. Allbery KF8NH allbery@ece.cmu.edu
Fri, 12 Feb 2010 18:18:05 -0500

On Feb 12, 2010, at 17:41 , J wrote:
> Also, I see that I need port 88 open to authenticate, which on one
> hand makes sense since this is a Kerberos port.  But most of the
> documentation I've read about AFS says I only need ports open in the
> 7000 range (specifically 7001) for minimal file server access, so I
> was wondering if I'm missing something there.


Most of the documentation is a little out of date; the "only ports in
the 700[0-9]/UDP range" is from when AFS provided its own
authentication (kaserver) and time services, but these days it's
strongly preferred to use Kerberos (more secure; there are unfixable
protocol-level flaws in the ancient Kerberos implementation used by
kaserver) and NTP/SNTP (more accurate, and in a global network it's
better for everyone to use a common global time reference), so servers
should also expose 88/TCP (and sometimes 750/TCP, but you probably
don't care) and all machines should use 123/UDP.

-- 
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH
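
The port matrix in the reply above (700[0-9]/UDP for AFS, 88/TCP for Kerberos with 750/TCP optional, 123/UDP for NTP) is easy to get wrong when the old "just open 7001" advice is still in a site's firewall policy. The following is an added example, not code from the post or from OpenAFS: a small checker that parses a firewall allow-list and reports which of the required (direction, protocol, port) entries a given host role is missing. The rule-line format `allow <in|out> <tcp|udp> <port|lo-hi>`, the role names (`afs-server`, `kdc`, `client`) and the sample policy are constructed for this example; the port numbers are the post's. Real KDCs also answer on 88/UDP, so extend `REQUIRED` to match your own site.

```python
"""Firewall allow-list gap checker for an OpenAFS site that uses Kerberos
(not kaserver) for authentication and NTP for time.

Added example, not from the original post.  Port numbers follow the post:
700[0-9]/UDP for AFS, 88/TCP for Kerberos (750/TCP optional), 123/UDP for NTP.
The rule format and role names are constructed stand-ins for a real policy.
"""
import re

RULE_RE = re.compile(
    r"^allow\s+(in|out)\s+(tcp|udp)\s+(\d+)(?:-(\d+))?$", re.IGNORECASE
)

AFS_UDP = range(7000, 7010)  # the post's 700[0-9]/UDP range

# (direction, proto, port) triples each role must have allowed.
REQUIRED = {
    # file/db server: accept AFS RPCs, reach peer servers and an NTP source
    "afs-server": {("in", "udp", p) for p in AFS_UDP}
                  | {("out", "udp", p) for p in AFS_UDP}
                  | {("out", "udp", 123)},
    # KDC: accept Kerberos on 88/TCP, reach NTP
    "kdc": {("in", "tcp", 88), ("out", "udp", 123)},
    # client: accept fileserver callbacks on 7001, reach AFS, the KDC and NTP
    "client": {("in", "udp", 7001)}
              | {("out", "udp", p) for p in AFS_UDP}
              | {("out", "tcp", 88), ("out", "udp", 123)},
}
# Allowed but not required: the legacy KDC port the post says you probably
# don't care about.
OPTIONAL = {"kdc": {("in", "tcp", 750)}}

# Constructed sample: the "AFS ports only" policy the old docs lead people to.
MINIMAL_CLIENT_POLICY = """\
# client host, ports from the old documentation
allow in  udp 7001
allow out udp 7000-7009
"""


def parse_rules(text):
    """Parse allow lines into a set of (direction, proto, port) triples.
    Blank lines and '#' comments are skipped; any other unrecognised line is
    rejected so a typo in the policy cannot silently count as 'allowed'."""
    allowed = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = RULE_RE.match(stripped)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised rule {stripped!r}")
        direction, proto = m.group(1).lower(), m.group(2).lower()
        lo = int(m.group(3))
        hi = int(m.group(4)) if m.group(4) else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"line {lineno}: bad port range {lo}-{hi}")
        allowed.update((direction, proto, p) for p in range(lo, hi + 1))
    return allowed


def missing(role, allowed):
    """Required triples for `role` that the policy does not allow."""
    return sorted(REQUIRED[role] - allowed)


def unexpected(role, allowed):
    """Allowed triples that neither the required nor the optional set explains;
    these are the candidates to review when tightening the policy."""
    known = REQUIRED[role] | OPTIONAL.get(role, set())
    return sorted(allowed - known)


def describe(triples):
    """Collapse consecutive ports into 'in udp 7000-7009' style strings."""
    by_key = {}
    for direction, proto, port in triples:
        by_key.setdefault((direction, proto), []).append(port)
    out = []
    for (direction, proto), ports in sorted(by_key.items()):
        runs = []
        for port in sorted(ports):
            if runs and port == runs[-1][1] + 1:
                runs[-1][1] = port  # extend the current run
            else:
                runs.append([port, port])
        for lo, hi in runs:
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            out.append(f"{direction} {proto} {span}")
    return out


if __name__ == "__main__":
    allowed = parse_rules(MINIMAL_CLIENT_POLICY)
    print("client is missing:", describe(missing("client", allowed)))
    # -> client is missing: ['out tcp 88', 'out udp 123']
```

Run against the sample policy it reports exactly the two gaps the reply explains: no path to the KDC on 88/TCP and no NTP on 123/UDP. Rejecting unknown rule lines instead of skipping them is deliberate; a checker that ignores what it cannot parse will happily report a broken policy as complete.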