ted creedon wrote:
For what it's worth, an identical problem was solved by placing the afs
server on a DMZ running its own firewall, installing 2 nic cards, one
internal and one external, and writing firewall rules to match. Only afs
traffic is allowed from the internal net to the afs server which also is the
KRB5 server.
Setting appropriate firewall logging rules helps as well as nmap and snort
to verify the firewall integrity.
The clients can be behind remote firewalls. All clients grab tokens from the
external net interface....
tedc
That was an option we discussed some here. Isn't AFS pretty finicky
about how reverse lookup works? So wouldn't having its host name
resolve to two separate IPs confuse it? Or is that why you restrict the
internal nic to AFS traffic only? Can you still use AFSDB records on the
internal DNS?
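The dual-homed DMZ setup ted describes in the quoted message, written out as an nftables ruleset for the AFS/KRB5 host itself. This is an added example, not ted's actual rules or anything shipped by OpenAFS; the interface names (eth0 internal, eth1 external), the internal address range 10.0.0.0/8, and the choice of AFS and Kerberos ports are assumptions.

```nftables
#!/usr/sbin/nft -f
# Assumed layout: eth0 faces the internal net, eth1 faces the external net.
# Load with: nft -c -f afs-dmz.nft (syntax check), then nft -f afs-dmz.nft
flush ruleset

table ip afs_dmz {
    chain input {
        type filter hook input priority 0; policy drop;

        # Stateful basics: replies to our own traffic, loopback, ICMP for PMTU
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept

        # Internal net (assumed 10.0.0.0/8) may reach only AFS and KRB5.
        # AFS3 ports: 7000 fileserver, 7002 ptserver, 7003 vlserver,
        # 7005 volserver, 7007 bosserver (admin, internal side only).
        iif "eth0" ip saddr 10.0.0.0/8 udp dport { 7000, 7002, 7003, 7005, 7007 } accept
        # Kerberos 5: 88 KDC, 464 kpasswd, 749 kadmin (admin, internal only)
        iif "eth0" ip saddr 10.0.0.0/8 tcp dport { 88, 464, 749 } accept
        iif "eth0" ip saddr 10.0.0.0/8 udp dport { 88, 464 } accept

        # Remote clients behind their own firewalls come in on eth1:
        # same file/db services and token acquisition, but no admin ports.
        iif "eth1" udp dport { 7000, 7002, 7003, 7005 } accept
        iif "eth1" tcp dport { 88, 464 } accept
        iif "eth1" udp dport { 88, 464 } accept

        # Log what falls through before the drop policy, rate-limited so a
        # scan cannot flood the log; this is what you verify with nmap/snort.
        limit rate 10/minute log prefix "afs-dmz drop: " level info
    }

    chain forward {
        # This host is an end system, never a router between the two nets
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Server-initiated traffic (AFS callbacks to client port 7001, DNS,
        # NTP) is allowed out; conntrack admits the replies above.
        type filter hook output priority 0; policy accept;
    }
}
```

Note that the firewall only limits who can reach each interface; it does not change which addresses the fileserver registers with the vlserver, which is the separate question the reply raises.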
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info