First, all IP fragments (after the first) must be permitted through the router, because the port information is only contained in the first frag. These are harmless, because they cannot be delivered to any process until they have been reassembled, and they cannot be reassembled without the first frag. You will filter the first frag based on the port and protocol, of course. (Theoretically speaking, someone could implement a Trojan protocol that looks like IP frags and stuff it into the kernel of your servers, but if they can do that, they can also steal everything, so it's not worth thinking about.) Note that we don't use TCP at all, so you can filter out all IP frag 0's with proto=TCP.

Now, let me define my notation. I'm assuming you want to provide only access to internal servers for external users. If you want to do the reverse as well, just swap the meanings of I and E below.

    I ==> server on internal network
    E ==> client on external network

So "src E 7001 -> dst I 7000" means a packet from a cache manager bound to a file server inside your firewall.

These types of packets must be permitted through the firewall in order to permit *unauthenticated* access to AFS by external users:

    src E 7001      -> dst I 7000
    dst E 7001      <- src I 7000
    src E 7001      -> dst I 7003
    dst E 7001      <- src I 7003

These packets must be permitted also, in order to permit authentication. This does not permit the use of Kerberos 4 authentication, so it protects against the most serious Kerberos vulnerability (offline dictionary attacks on the known plaintext in a ticket). Personally, I wouldn't lose sleep over the other Kerberos vulnerabilities.

    src E (various) -> dst I 7006
    dst E (various) <- src I 7006

The following packets might be useful for miscellaneous "vos" commands, but aren't *strictly* necessary:

    src E (various) -> dst I 7003
    dst E (various) <- src I 7003
    src E (various) -> dst I 7005
    dst E (various) <- src I 7005

The following exchanges are necessary to permit users to modify private groups:

    src E (various) -> dst I 7002
    dst E (various) <- src I 7002

I don't believe that the other ports (with the possible rare exception of 7007 and 7101) have much call for being accessed by outside users. If you are having problems and need support from Transarc, they might ask you to disable the filtering for certain other ports so they can gather some debug data. For instance:

    src E (various) -> dst I 7000 (or 7001)
    dst E (various) <- src I 7000 (or 7001)

might be used to gather statistics.

AFS port assignments:

    7000       fileserver
    7001       cache manager callback service
    7002       ptserver
    7003       vlserver (vldb)
    7004       kaserver
    7005       volserver (volume management)
    7006       Unused (was called "afserror")
    7007       bosserver
    7008       upserver
    7009       AFS/NFS Translator rmtsys remote pioctl
    7010       AFS 3.1 backup coordinator
    7011-7017  AFS 3.1 backup tape controllers
    7020       AFS 3.2 backup coordinator
    7021       AFS 3.2 backup buserver
    7025-7032  AFS 3.2 backup tape controllers
    7101       xstat
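An added example, not part of the original post: a small Python policy checker that encodes the rule set above (non-first fragments passed, TCP first fragments dropped, then the ordered UDP port pairs) so it can be exercised against constructed sample packets before being translated into a real router's filter syntax. The Packet class, AFS_RULES table and permit() function are my own names, not anything from AFS or Transarc.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard for the "(various)" client ports in the post

@dataclass(frozen=True)
class Packet:
    src_zone: str          # "E" = external client, "I" = internal server
    src_port: int
    dst_zone: str
    dst_port: int
    proto: str             # "udp" or "tcp"
    frag_offset: int = 0   # 0 = first fragment / unfragmented datagram

# (client_port, server_port, required); each entry covers both directions:
# src E client_port -> dst I server_port, and reply I server_port -> E client_port
AFS_RULES = [
    (7001, 7000, True),    # cache manager <-> fileserver
    (7001, 7003, True),    # cache manager <-> vlserver
    (ANY,  7006, True),    # authentication
    (ANY,  7002, True),    # ptserver: modifying private groups
    (ANY,  7003, False),   # misc "vos" commands (vlserver), optional
    (ANY,  7005, False),   # misc "vos" commands (volserver), optional
]

def _port_ok(want: Optional[int], got: int) -> bool:
    return want is ANY or want == got

def permit(pkt: Packet, include_optional: bool = True) -> bool:
    """True if the router should forward pkt under the AFS policy above."""
    # Non-first fragments carry no port header and are harmless until
    # reassembled with the (filtered) first fragment, so pass them.
    if pkt.frag_offset > 0:
        return True
    # AFS uses no TCP, so every TCP first fragment is dropped outright.
    if pkt.proto != "udp":
        return False
    for client_port, server_port, required in AFS_RULES:
        if not (required or include_optional):
            continue
        to_server = (pkt.src_zone == "E" and pkt.dst_zone == "I"
                     and _port_ok(client_port, pkt.src_port)
                     and pkt.dst_port == server_port)
        from_server = (pkt.src_zone == "I" and pkt.dst_zone == "E"
                       and pkt.src_port == server_port
                       and _port_ok(client_port, pkt.dst_port))
        if to_server or from_server:
            return True
    return False  # default deny (kaserver 7004, bosserver 7007, ...)
```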
