In the distant past, I used to add several ACCEPT rules for afs in ipchains or iptables when using openafs clients. But somewhere in time I stopped doing this (not consciously -- it just slipped my mind when making my checklist at some point), yet I've never noticed a problem while using the default iptables rules that end with a default REJECT in my SL installations. I've gotten a couple bits of different advice from individuals and the web (for instance: http://help.unc.edu/?id=5513 ) indicating that I need firewall rules in place, but they don't all seem to quite match up and I'm not familiar enough with afs and/or kerberos communications to know what's really necessary.

So, first the short question: should I be adding firewall rules when using SL 3/4/5 with the SL openafs-client packages?

If yes, then a medium (?) question: what rules should I add? Long (?) question: How can I demonstrate a failure if I don't have the firewall rules in place? A related question -- why haven't I noticed a problem before?

-Wayne
