Mike,

see also:
http://www.angelfire.com/hi/plutonic/afs-faq.html#sub3.17

You need to decide what your policy will be.
Have you considered:

a) Do you want your internal AFS cell to be accessible
    from any host on the Internet?
     Or, do you aim to have selective access for known hosts?

b) Have you considered security issues of having your cell
      Internet accessible? Denial of service issues?

I have worked at two sites with two different approaches:

1) Internal cell and external cell
     Users could access a restricted access host in a DMZ
     which was a client of the external cell with connectivity
     to the Internet AFS filetree. The external cell is accessible
     from the Internet. The restricted client host is also able to access
     only the one internal cell (only by /afs).

      So, by logging into the restricted access client in the DMZ,
      users could klog to any other Internet AFS cell and the
      single local internal cell.

2) Internal cell with "outbound only" access for clients to Internet /afs
      This configuration required:
       a) default route on Intranet out to Internet
       b) inbound routing on Internet to Intranet subnet
           (enables return traffic from external cells)
       c) filters to allow AFS traffic on gateway
       d) DENY connectivity inbound to all internal AFS servers
             e.g.: internal/external AFS traffic between
             internal clients and external servers only.
             This is important to make the internal cell
             inaccessible to external hosts.

      This approach meant having a merged CellServDB
      containing all internal and external cell details.

Of these two, I prefer the first because I think you have
much better management of connectivity across your
gateway. You only allow AFS traffic from your
restricted access DMZ host to your internal cell.
You can shut this off and your users can still access
Internet AFS via the restricted access DMZ host.

Also, your users on your external cell have full
AFS connectivity with other Internet AFS cells.

I hope this helps.
--
cheers
paul                                         http://acm.org/~mpb
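The gateway rules of approach 2, written out as a small stateful filter model. This is an added example, not code from either message: the addresses are constructed (RFC 5737 documentation ranges), and the policy modelled is the one listed above: allow UDP from internal clients to the well-known AFS server ports 7000-7009, admit replies only for flows the inside initiated, and deny everything inbound to the internal cell's servers. Because klog and the other utilities pick a "next free" client port, the return path cannot be a fixed port list; it has to be matched against the outbound flow.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for this example (not from the original messages).
INTRANET = ipaddress.ip_network("10.0.0.0/24")              # internal client subnet
INTERNAL_AFS_SERVERS = {ipaddress.ip_address("10.0.0.2")}    # internal cell's db/file servers
AFS_SERVER_PORTS = range(7000, 7010)                        # afs3-* services, UDP 7000-7009


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"   # AFS (Rx) is UDP only; other protocols are out of scope here


class AfsGatewayFilter:
    """Stateful model of the 'outbound only' gateway policy (approach 2)."""

    def __init__(self) -> None:
        # (src, sport, dst, dport) of every outbound AFS request we have allowed
        self.flows: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if pkt.proto != "udp":
            return "DENY"
        outbound = src in INTRANET and dst not in INTRANET
        inbound = dst in INTRANET and src not in INTRANET
        # c) allow AFS traffic from internal clients to external servers; record the flow
        if outbound and pkt.dport in AFS_SERVER_PORTS:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if inbound:
            # d) nothing from outside may reach the internal cell's servers
            if dst in INTERNAL_AFS_SERVERS:
                return "DENY"
            # b) return traffic (replies and fileserver callbacks) only for flows we initiated;
            #    matching the reversed tuple copes with ephemeral client ports
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "ALLOW"
        return "DENY"
```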


Mike W Ellwood wrote:

> I apologise as I feel this must be a FAQ, but cannot find any
> complete answers in any of the places I've looked:
>
> Our site is protocol-filtering in the routers, as a means of
> selective "firewalling".
>
> Is there a way of permitting all legitimate AFS traffic in both
> directions, while filtering out non-AFS UDP?
>
> I did find the article on www.transarc.com which describes which ports AFS
> uses, but it did not fill me with hope; after giving a list of ports in
> the 7000 area, it then went on to indicate that AFS utilities, including
> klog, use ports on a "next free port" basis, i.e. not very predictably,
> and with no reference to /etc/services.
>
> Thanks,
>
> Mike Ellwood                                      [EMAIL PROTECTED]
