Paul Blackburn wrote:
>
> Joe,
>
> I don't believe you can use NAT with AFS because
> it is my understanding that client IP addresses are part
> of the payload in AFS network traffic.
Joe,
We run our AFS servers NAT'd behind a firewall, and they are seen by
clients both inside and outside of the firewall (including clients at
other sites which are NAT'd behind their local firewall).
To make this work, the servers have to be "virtually multi-homed". That
is, they only need one physical interface (i.e. behind the firewall,
primary interface set to 10.10.10.x), but they should also have a
virtual interface set to their "public" address. For a Sun server, for
instance, set "hme0" to the 10.10.10.x address, and "hme0:1" to the
address by which it is known outside of the firewall.
Clients must then have the appropriate CellServDB information, depending
on whether they are on the same side of the same firewall as the servers
they are trying to reach. For instance, if I own the class C address
space "128.100.250", and NAT to 10.10.10.x addresses inside the
firewall, clients inside the same firewall will have:
>foo.net # our afs server
10.10.10.200 afs1
10.10.10.201 afs2
10.10.10.202 afs3
while clients outside will have:
>foo.net # our afs server
128.100.250.200 afs1
128.100.250.201 afs2
128.100.250.202 afs3
Mind you, to date I have only tried this with UNIX clients and servers.
Your mileage on NT may differ.
This approach was suggested to me by John Morin in AFS Development at
IBM/Transarc, for which I thank him.
>
> NAT will not modify this embedded data.
>
> For this reason, I believe you cannot socksify AFS traffic.
>
> I think you need a routed connection through
> a packet filtering router.
>
> Otherwise, you could make a Virtual Private Network (VPN)
> between your server and clients. With a VPN, all your traffic
> is encrypted along the tunnel.
>
> Most modern firewall products support VPN.
> I know the IBM SecureWay product does.
> --
> cheers
> paul http://acm.org/~mpb
>
> Joe Ramus wrote:
>
> > We are interested in using the new inexpensive "personal firewall"
> > devices for our Telecommute employees. We use NT systems with an
> > AFS Client and either DSL or Cable access.
> >
> > These Personal Firewall devices typically use NAT for the protected system
> > behind the Firewall. We have tested such a system and we find that
> > AFS does not work (or we have not made it work).
> >
> > Will AFS work when the Server is outside the Firewall (on the Internet)
> > and NAT is used for systems behind the Firewall? Assuming that we do
> > not Block the AFS packets (I think ports 7000 to 7003).
> >
> > Does the AFS server need to know the actual IP address of the
> > AFS client?
> >
> > ------------------------------------------------------------------------
> > | Joe Ramus ESnet, LBNL, Berkeley, CA (510) 486-8683 [EMAIL PROTECTED] |
> > ------------------------------------------------------------------------
--
steve lammert unix administrator voice: +1-412-471-7500 x4712
[EMAIL PROTECTED] Be Free, Inc. fax: +1-412-471-9840
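As an added example (not from this thread and not AFS's own tooling), a small Python helper that renders the inside and outside CellServDB views from one server map and checks that both views list the same servers with each side's addresses in the expected range. The cell name, server names and address ranges are constructed to match the thread's example.

```python
import ipaddress

# Constructed sample (added example, not the thread's config): name -> (private, public)
SERVERS = {
    "afs1": ("10.10.10.200", "128.100.250.200"),
    "afs2": ("10.10.10.201", "128.100.250.201"),
    "afs3": ("10.10.10.202", "128.100.250.202"),
}

def cellservdb(cell, servers, view, comment="our afs server"):
    """Render '>cell # comment' plus 'address host' lines for one view."""
    idx = {"inside": 0, "outside": 1}[view]  # which address column to emit
    lines = [f">{cell} # {comment}"]
    lines += [f"{addrs[idx]} {name}" for name, addrs in servers.items()]
    return "\n".join(lines) + "\n"

def parse_cellservdb(text):
    """Parse CellServDB text into {cell: {hostname: address}}."""
    cells, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith(">"):  # a new cell header
            current = line[1:].strip()
            cells[current] = {}
            continue
        if current is None:
            raise ValueError(f"server line before any cell header: {raw!r}")
        addr, host = line.split()
        ipaddress.ip_address(addr)  # raises ValueError on a malformed address
        cells[current][host] = addr
    return cells

def check_views(inside_text, outside_text, private_net, public_net):
    """List inconsistencies between the two views; [] means consistent."""
    inside, outside = parse_cellservdb(inside_text), parse_cellservdb(outside_text)
    nets = ((inside, ipaddress.ip_network(private_net)),
            (outside, ipaddress.ip_network(public_net)))
    problems = []
    for cell in inside.keys() | outside.keys():  # same servers on both sides?
        if inside.get(cell, {}).keys() != outside.get(cell, {}).keys():
            problems.append(f"{cell}: views list different servers")
    for cells, net in nets:  # each view's addresses must sit in its own range
        for cell, hosts in cells.items():
            for host, addr in hosts.items():
                if ipaddress.ip_address(addr) not in net:
                    problems.append(f"{cell}/{host}: {addr} not in {net}")
    return problems
```

Running check_views over the two fragments a site actually ships to its inside and outside clients catches the common slip of handing a public-side client the private addresses (or vice versa), which shows up as a problem line rather than as a client that silently cannot reach the cell.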