On Sun, 14 Feb 2010 17:17:08 +0100 Jörg Herzinger <[email protected]> wrote:
> I am planning a small OpenAFS setup for an environmental care
> organization and I got some small questions about DNS names that
> should be used.

DNS doesn't much matter to AFS; it just deals with IP addresses. DNS is generally just used for input and output to/from administrative commands for convenience. (Not counting AFSDB/SRV records, since that's not what you're talking about.)

> Everything is behind a NAT Firewall and we got a local DNS Server
> that isn't caching. So I got my local ip 192.168.x.y with my local DNS
> name "afs" and the global ip "a.b.c.d" and "afs.mydomain.com". The
> local DNS has a custom suffix which I am planning to change to
> mydomain.at some time in the future but one step at a time.
> My question would be if it is possible to use the local DNS names for
> my AFS server and still connect from outside my firewall? What would
> be the correct CellServDB and NetInfo settings or do I need a NetInfo
> at all if I just use local IPs and DNS Names?

You can sort of do this, though it's probably a lot easier if you just use the global IP everywhere.

If you configure the fileserver to advertise both the internal and external addresses, all of the clients will try to contact the fileserver both via 192.168.x.y and a.b.c.d. That means that even clients from outside the NAT may try to contact 192.168.x.y, which could be a security issue in the worst case, since 192.168.x.y could be a different machine for clients outside your NAT.

It would be nice if we had the ability to provide a split-horizon VLDB, so you could advertise the address a.b.c.d to clients outside the NAT, and 192.168.x.y to those inside. But OpenAFS doesn't really currently have the functionality to do that (it's on the wishlist as I recall), though it could in theory be possible to hack something together to do that. If you just make everything use a.b.c.d for fileserver access, it can simplify things.

In order to get the fileserver to advertise the a.b.c.d address, you need to use a NetInfo file with the contents

f a.b.c.d

and if you also want to advertise the 192.168.x.y address, put that in there too, on its own line (without the 'f').

For the ptserver/vlserver processes, if you only have one server, it's fairly simple; just point the CellServDB entry at the global a.b.c.d address.

Of course, for any of this to work, you need to forward the correct ports from a.b.c.d to the fileserver/dbserver inside the NAT.

> P.S.: Please give support for the Nokia N900. That would be the most
> awesome thing to think of. :D

Doesn't this exist? I thought Derrick and Jason got this working some time ago.

-- 
Andrew Deason
[email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
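The following is an added example, not part of the thread above and not OpenAFS's own code. It reads a NetInfo-style file, applies the semantics Andrew describes (a line prefixed with `f` is advertised even when the address is not on a local interface; a bare line is advertised only if it is), and then audits the resulting advertised list for RFC 1918 addresses, which is exactly the split-horizon problem he raises: the VLDB hands the same address list to every client, so an internal address reaches clients outside the NAT too. The NetInfo parsing rules, the sample file, the local interface set and the public placeholder `203.0.113.10` (standing in for a.b.c.d) are all constructed assumptions for this example.

```python
import ipaddress

# Constructed sample NetInfo contents, mirroring the advice in the thread:
# the public address is forced with "f" because it lives on the NAT device,
# not on any fileserver interface; the internal address is a bare line.
SAMPLE_NETINFO = """\
# public address (placeholder for a.b.c.d), forced because it is not local
f 203.0.113.10
# internal address of the fileserver (placeholder for 192.168.x.y)
192.168.1.20
"""

# Constructed: addresses configured on the fileserver's own interfaces.
SAMPLE_LOCAL_INTERFACES = {"192.168.1.20", "127.0.0.1"}

# The three RFC 1918 private ranges; these never route across the Internet,
# so advertising one to external clients can only misdirect them.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_netinfo(text, local_interfaces):
    """Return the addresses a fileserver would advertise from a NetInfo file.

    Assumed semantics (simplified from the OpenAFS NetInfo format): one
    address per line; an "f " prefix forces the address even if it is not
    configured locally; a bare address is kept only if it is on a local
    interface; blank lines and '#' comments are ignored.
    """
    advertised = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        forced = False
        if line.startswith("f "):
            forced = True
            line = line[2:].strip()
        addr = str(ipaddress.ip_address(line))  # raises ValueError on junk
        if forced or addr in local_interfaces:
            advertised.append(addr)
    return advertised


def audit_advertised(addresses):
    """Flag advertised addresses that are RFC 1918 private.

    Because there is no split-horizon VLDB, every client receives the whole
    list; a private address therefore reaches clients outside the NAT, where
    it may belong to an unrelated host.
    """
    findings = []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if any(ip in net for net in RFC1918_NETWORKS):
            findings.append(f"{a}: RFC 1918 address advertised to all clients")
    return findings


if __name__ == "__main__":
    advertised = parse_netinfo(SAMPLE_NETINFO, SAMPLE_LOCAL_INTERFACES)
    print("advertised:", advertised)
    for finding in audit_advertised(advertised):
        print("WARNING:", finding)
```

Running it against the sample file reports both addresses as advertised and warns about 192.168.1.20; dropping the bare internal line (so only the forced public address remains) makes the warning go away, which is the "just use a.b.c.d everywhere" configuration the reply recommends.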
