[OpenAFS] AFS in the age of the wild west internet
Tue, 3 May 2016 17:22:10 +0200
On 03/04/2016 04:04 PM, Steve Gaarder wrote:
> While I really like the concept of AFS as a world-wide filesystem, I'm
> starting to wonder if it's a good idea in the modern age of cyberattacks.
> How safe is it to leave AFS open to the world?
> Some of the data we store in AFS does not need to be accessed from
> outside of our network; is there a good way of blocking access to it
> from outside while preserving access to other data in the cell?
Guess this would work on a per-volume base, but not with a mix of
restricted content and other data in a single volume (unless you just
trust the AFS ACL protections, per Brandon's reply).
Put the restricted data (AFS volumes) and all replicas on separate
fileservers, have these on a non-routed (but accessible within your
site) network or at the minimum firewalled on the AFS
fileserver/volservers ports (UDP 7000,7005; add UDP 7007 = bosserver for
Keep the VolDB servers accessible from the evil internet.