Hi Simeon,

Port forwarding would do the trick, but AFS requires several ports. How about setting up a VPN to allow external clients access to your AFS servers? I use www.natnix.com.

--Noel

----- Original Message -----
From: "Simeon Miteff" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, September 27, 2005 7:37 AM
Subject: [OpenAFS] Firewall politics and AFS deployment


Dear All

We're facing a difficult problem with our planned deployment of AFS here at the University of Pretoria. I'm hoping that we can gain some insight into how things work on other similar networks. I apologise in advance for the long post, unfortunately I can't think of a short way to explain our problem.

Background:

UP has 4 different NIS/NFS domains run by individual departments on our campus who use UNIX. The central IT department has historically only catered for Windows clients, and we never had any central HPC resources, or UNIX file servers, etc. The shortcomings of NIS/NFS were never a problem within these "unix pockets", as there was no inter-departmental collaboration and/or resource sharing on a systems level.

Now, recently, we obtained some hardware to build a common university cluster, and that (among other things) has prompted us to look to AFS as a solution for making access to shared clusters/machines transparent to users. The idea is for each of these NIS/NFS domains to become 4 separate AFS cells.

Now the problem:

Some years ago our network used to be fairly open/lightly firewalled (as I imagine most university networks were). Then some machines got hacked (*cough*windows*cough*), and then a decision was made to change the network to an Internet--->DMZ---->LAN type of setup. The LAN has transparent access to the DMZ, but not vice-versa.

Now, external collaborators (untrusted as far as our IT dept. is concerned), need to access some of the clusters. This is a political/funding issue which we cannot compromise on. The solution was to put those clusters in the DMZ.

If we want to deploy AFS clients on these cluster hosts, we'll need to either:

1) Open a handful of ports on the DMZ firewall to the LAN, for each file/db/kerberos/ldap server on the LAN (something which our IT dept is strongly opposed to).

2) Move all our AFS servers to the DMZ and open port 7001 from the DMZ to any machine on campus (they're unhappy about that too, but I guess we have a better chance of convincing them to allow this option).

Option 1) seems to be the most reasonable from the UNIX admin's perspective, as it will not require us to make major changes to the way we plan to deploy our AFS cells on the LAN, but it's the path of most resistance in terms of politics.

Option 2) is more likely to happen in terms of politics, but defeats the point of a nice distributed AFS system.

Looking at the public CellServDB, I can't help wondering how AFS servers are connected at other universities? Are we overly firewalled? Do other HPC centres maintain separate AFS cells for cluster users?

Any thoughts?

Kind regards,
Simeon.
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
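The two options in Simeon's post come down to which direction the firewall has to admit AFS's UDP traffic. The following script is an added example, not something posted in the thread or shipped by OpenAFS: it emits the iptables rules that option 1 ("a handful of ports ... for each file/db/kerberos/ldap server") actually amounts to, plus the callback rule for option 2, so the "handful" can be counted. All addresses and the server inventory are constructed placeholders; the ports are the IANA AFS3 registrations (7000 fileserver, 7001 client callback, 7002 ptserver, 7003 vlserver), Kerberos 88 and LDAP 389/636. A client does not need volser (7005) or bosserver (7007). The rules assume a separate conntrack rule (`--state ESTABLISHED`) already lets replies back through; Rx runs over UDP only, hence `-p udp` for every AFS port.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate the firewall rules behind
# option 1 and option 2 of the "Firewall politics and AFS deployment" post.
# Everything below is a constructed inventory; substitute real addresses.

AFS_DB_SERVERS="10.0.1.10 10.0.1.11 10.0.1.12"   # vlserver 7003, ptserver 7002
AFS_FILE_SERVERS="10.0.1.20 10.0.1.21"           # fileserver 7000
KDC_SERVERS="10.0.1.30"                          # Kerberos 88 udp+tcp
LDAP_SERVERS="10.0.1.40"                         # LDAP 389/636 tcp
DMZ_NET="192.0.2.0/24"                           # clusters with AFS clients
LAN_NET="10.0.0.0/16"                            # "any machine on campus"

# Option 1: servers stay on the LAN, so DMZ clients need DMZ->LAN holes,
# one per (server, protocol, port). Rules go to stdout for review first.
dmz_to_lan_rules() {
    for s in $AFS_DB_SERVERS; do
        for p in 7002 7003; do
            echo "iptables -A FORWARD -s $DMZ_NET -d $s -p udp --dport $p -j ACCEPT"
        done
    done
    for s in $AFS_FILE_SERVERS; do
        echo "iptables -A FORWARD -s $DMZ_NET -d $s -p udp --dport 7000 -j ACCEPT"
    done
    for s in $KDC_SERVERS; do
        echo "iptables -A FORWARD -s $DMZ_NET -d $s -p udp --dport 88 -j ACCEPT"
        echo "iptables -A FORWARD -s $DMZ_NET -d $s -p tcp --dport 88 -j ACCEPT"
    done
    for s in $LDAP_SERVERS; do
        for p in 389 636; do
            echo "iptables -A FORWARD -s $DMZ_NET -d $s -p tcp --dport $p -j ACCEPT"
        done
    done
}

# Callbacks are initiated by the fileserver towards the client's UDP 7001.
# Under option 1 that is LAN->DMZ, a direction the post says is already open;
# the rule is listed so the dependency is visible.
option1_callback_rules() {
    for s in $AFS_FILE_SERVERS; do
        echo "iptables -A FORWARD -s $s -d $DMZ_NET -p udp --dport 7001 -j ACCEPT"
    done
}

# Option 2: fileservers move into the DMZ, so callbacks become DMZ->LAN and
# the destination is every campus client, which is the single wide rule
# the post describes as "port 7001 from the DMZ to any machine on campus".
option2_callback_rules() {
    for s in $AFS_FILE_SERVERS; do
        echo "iptables -A FORWARD -s $s -d $LAN_NET -p udp --dport 7001 -j ACCEPT"
    done
}

# How many DMZ->LAN rules option 1 really needs for this inventory.
rule_count() { dmz_to_lan_rules | wc -l | tr -d ' '; }

# Apply option 1 only after reviewing the output: dmz_to_lan_rules | sh
```

For the constructed inventory option 1 is 12 narrowly scoped DMZ->LAN rules (each to one server address and one port), while option 2 is 2 rules whose destination is the whole campus network; that difference in destination scope, not the port count, is what the IT department is weighing.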
