Steve,
Thanks for the enlightenment!
So, can you confirm: do you have a "fully functional"
AFS service over NAT/firewall? klog OK?
Apart from the network interface alias on servers,
are there any other things to configure?
Routing issues?
This is most excellent. I'd like to
build a new cell and try it out.
I guess you could make one fileserver "private"
by not having the network interface alias?
--
cheers
paul http://acm.org/~mpb
Steve Lammert wrote:
> [forgive if this is a duplicate message]
>
> Paul Blackburn wrote:
> >
> > Joe,
> >
> > I don't believe you can use NAT with AFS because
> > it is my understanding that client IP addresses are part
> > of the payload in AFS network traffic.
>
> Joe,
>
> We run our AFS servers NAT'd behind a firewall, and they are seen by
> clients both inside and outside of the firewall (including clients at
> other sites which are NAT'd behind their local firewall).
>
> To make this work, the servers have to be "virtually multi-homed". That
> is, they only need one physical interface (i.e. behind the firewall,
> primary interface set to 10.10.10.x), but they should also have a
> virtual interface set to their "public" address. For a Sun server, for
> instance, set "hme0" to the 10.10.10.x address, and "hme0:1" to the
> address by which it is known outside of the firewall.
>
> Clients must then have the appropriate CellServDB information, depending
> on whether they are on the same side of the same firewall as the servers
> they are trying to reach. For instance, if I own the class C address
> space "128.100.250", and NAT to 10.10.10.x addresses inside the
> firewall, clients inside the same firewall will have:
>
> >foo.net # our afs server
> 10.10.10.200 afs1
> 10.10.10.201 afs2
> 10.10.10.202 afs3
>
> while clients outside will have:
>
> >foo.net #our afs server
> 128.100.250.200 afs1
> 128.100.250.201 afs2
> 128.100.250.202 afs3
>
> Mind you, to date I have only tried this with UNIX clients and servers.
> Your mileage on NT may differ.
>
> This approach was suggested to me by John Morin in AFS Development at
> IBM/Transarc, for which I thank him.
>
> >
> > NAT will not modify this embedded data.
> >
> > For this reason, I believe you cannot socksify AFS traffic.
> >
> > I think you need a routed connection through
> > a packet filtering router.
> >
> > Otherwise, you could make a Virtual Private Network (VPN)
> > between your server and clients. With a VPN, all your traffic
> > is encrypted along the tunnel.
> >
> > Most modern firewall products support VPN.
> > I know the IBM SecureWay product does.
> > --
> > cheers
> > paul http://acm.org/~mpb
> >
> > Joe Ramus wrote:
> >
> > > We are interested in using the new inexpensive "personal firewall"
> > > devices for our Telecommute employees. We use NT systems with an
> > > AFS Client and either DSL or Cable access.
> > >
> > > These Personal Firewall devices typically use NAT for the protected system
> > > behind the Firewall. We have tested such a system and we find that
> > > AFS does not work (or we have not made it work).
> > >
> > > Will AFS work when the Server is outside the Firewall (on the Internet)
> > > and NAT is used for systems behind the Firewall? Assuming that we do
> > > not Block the AFS packets (I think ports 7000 to 7003).
> > >
> > > Does the AFS server need to know the actual IP address of the
> > > AFS client?
> > >
> > > ------------------------------------------------------------------------
> > > | Joe Ramus ESnet, LBNL, Berkeley, CA (510) 486-8683 [EMAIL PROTECTED] |
> > > ------------------------------------------------------------------------
>
> --
> steve lammert unix administrator voice: +1-412-471-7500 x4712
> [EMAIL PROTECTED] Be Free, Inc. fax: +1-412-471-9840
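The thread boils down to one configuration fact: the same servers must appear in two CellServDB fragments, one with the private 10.10.10.x addresses for clients inside the firewall and one with the public 128.100.250.x addresses for clients outside, with the hostnames and the cell name identical in both. The following Python is an added example for this page, not code from any of the participants. It renders both views from a single server table and cross-checks two fragments against each other. Assumptions: the one-to-one static NAT between 10.10.10.20x and 128.100.250.20x (the thread shows both address sets but does not state the mapping), the hostnames afs1 to afs3 from the thread, and the standard CellServDB server-line form `address #hostname` (the hostname field is a comment to AFS); the parser also accepts the thread's `address hostname` form.

```python
"""CellServDB views for AFS servers that are 'virtually multi-homed' behind NAT.

Added example; not code from the thread's participants. The server table and
the NAT mapping below are constructed from the addresses quoted in the thread;
the one-to-one static NAT is an assumption.
"""
import ipaddress
import re

CELL = "foo.net"
COMMENT = "our afs server"
# Inside view: private addresses as seen by clients behind the same firewall.
INSIDE = [("10.10.10.200", "afs1"), ("10.10.10.201", "afs2"), ("10.10.10.202", "afs3")]
# Assumed static NAT: private address -> address known outside the firewall.
NAT = {
    "10.10.10.200": "128.100.250.200",
    "10.10.10.201": "128.100.250.201",
    "10.10.10.202": "128.100.250.202",
}

_CELL_RE = re.compile(r"^>(\S+)\s*(?:#\s*(.*))?$")
_SERVER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+#?\s*(\S+)$")


def render(cell, comment, servers):
    """Render one CellServDB fragment: '>cell #comment' then 'address #hostname'."""
    out = [f">{cell}\t#{comment}"]
    out += [f"{ip}\t#{name}" for ip, name in servers]
    return "\n".join(out) + "\n"


def parse(text):
    """Parse one fragment into (cell, comment, [(ip, hostname), ...]).
    Accepts server lines with or without the '#' before the hostname."""
    cell = comment = None
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CELL_RE.match(line)
        if m:
            if cell is not None:
                raise ValueError("fragment contains more than one cell")
            cell, comment = m.group(1), (m.group(2) or "").strip()
            continue
        m = _SERVER_RE.match(line)
        if not m:
            raise ValueError(f"unparseable CellServDB line: {raw!r}")
        ipaddress.IPv4Address(m.group(1))  # rejects octets out of range
        servers.append((m.group(1), m.group(2)))
    if cell is None or not servers:
        raise ValueError("fragment needs a '>cell' line and at least one server")
    return cell, comment, servers


def outside_view(servers, nat):
    """Translate the inside server list through the NAT table, keeping hostnames."""
    missing = [name for ip, name in servers if ip not in nat]
    if missing:
        raise ValueError(f"no public address for: {', '.join(missing)}")
    return [(nat[ip], name) for ip, name in servers]


def check_views(inside_text, outside_text):
    """Cross-check the two fragments; return a list of problems (empty if consistent)."""
    problems = []
    cin, _, sin = parse(inside_text)
    cout, _, sout = parse(outside_text)
    if cin != cout:
        problems.append(f"cell name differs: {cin} vs {cout}")
    names_in, names_out = [n for _, n in sin], [n for _, n in sout]
    if names_in != names_out:
        problems.append(f"server lists differ: {names_in} vs {names_out}")
    for ip, name in sin:
        if not ipaddress.IPv4Address(ip).is_private:
            problems.append(f"inside view has a non-private address for {name}: {ip}")
    for ip, name in sout:
        if ipaddress.IPv4Address(ip).is_private:
            problems.append(f"outside view has a private address for {name}: {ip}")
    if len({ip for ip, _ in sout}) != len(sout):
        problems.append("outside view reuses a public address")
    return problems


if __name__ == "__main__":
    inside_text = render(CELL, COMMENT, INSIDE)
    outside_text = render(CELL, COMMENT, outside_view(INSIDE, NAT))
    print("--- CellServDB for clients inside the firewall ---")
    print(inside_text)
    print("--- CellServDB for clients outside the firewall ---")
    print(outside_text)
    print("cross-check:", check_views(inside_text, outside_text) or "OK")
```

Running the script prints the two fragments and reports "OK"; feeding the inside fragment to clients on the outside (or vice versa) is caught by the private/public address check, which is the mistake the thread's two-CellServDB scheme invites. The script only produces and checks the client-side files; the interface alias on each server (hme0:1 in the thread's Solaris example) is still configured by hand.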