Here's a fragment of what I use on my AFS servers.

You really don't want to state-track your AFS stuff. You really don't want ipfilter to have to keep track of all of that -- if your cell is reasonably busy, those internal tables will get rather big. I just pass in/out the frags -- you could probably refine that to just allow the AFS stuff if you're so inclined.

---


# stupid
pass in all with frag
pass out all with frag
# cache manager callback for the local client,
pass in quick proto udp from any to any port = 7001
# don't bother doing session tracking for AFS-stuff
pass out quick proto udp from any port = 7001 to any

# AFS fileserver stuff
pass in quick proto udp from any to any port = 7000
pass out quick proto udp from any port = 7000 to any

# nobody from outside should be looking at our volserver
pass in quick proto udp from 130.85.0.0/255.255.0.0 to any port = 7005
pass out quick proto udp from any port = 7005 to any

# nobody from outside should be looking at our bosservers
pass in quick proto udp from 130.85.0.0/255.255.0.0 to any port = 7007
pass out quick proto udp from any port = 7007 to any

# in/out udp to the db servers w/o state checking
pass out quick from any to 130.85.24.101
pass in quick from 130.85.24.101 to any
pass out quick from any to 130.85.24.23
pass in quick from 130.85.24.23 to any
pass out quick from any to 130.85.24.87
pass in quick from 130.85.24.87 to any

# can talk tcp/udp to anything else with state
pass out proto udp from any port != 7001 to any keep state

# stateless tcp
pass out quick proto tcp from any to any
pass in quick proto tcp from any to any flags A/A
pass in quick proto tcp from any to any flags R/R


On Sep 20, 2007, at 11:12, Eric Sturdivant wrote:


Is anyone using AFS (either client or server) on a Solaris 10 system with ipfilter running that can share their rule sets?

I am seeing large numbers of blocked fragmented packets, which is killing the performance.

My ruleset looks something like this:

pass out all keep state keep frags
block in log all
pass in log quick proto udp from any port 6999 >< 7010 to any port = afs3-callback keep state keep frags
pass in log quick proto udp from any to any port = afs3-fileserver keep state keep frags
pass in log quick proto udp from any to any port = afs3-volser keep state keep frags
pass in log quick proto udp from any to any port = afs3-errors keep state keep frags
pass in log quick proto udp from any to any port = afs3-bos keep state keep frags
pass in log quick proto udp from any to any port = afs3-update keep state keep frags
pass in log quick proto udp from any to any port = afs3-rmtsys keep state keep frags


And ipmon is showing blocked packets like this:

20/09/2007 10:41:00.390703 2x bge0 @0:14 b hecate.umd.edu [128.8.10.23] -> wrath.umd.edu[128.8.70.25] PR udp len 20 (1500) frag [EMAIL PROTECTED] IN





--
Eric Sturdivant
University of Maryland
Office of Information Technology
Distributed Computing Services
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
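The ipmon line Eric quotes shows the symptom behind the "blocked fragmented packets": a non-first fragment carries no UDP header, so it has no port for the afs3-* rules to match, and only a rule that passes fragments as such ("with frag" / "keep frags") can let it through. As an added example, not code from either message, here is a small Python parser for ipmon lines of that shape that tallies blocked fragments per rule and host pair; the log lines are constructed (the frag-id field is a placeholder, since the quoted one is redacted) and the 192.0.2.10 address is made up.

```python
import re
from collections import Counter

# Constructed ipmon(8) lines in the shape of the one quoted above (frag ids are
# placeholders). Non-first fragments carry no UDP header, hence no port.
SAMPLE_LOG = """\
20/09/2007 10:41:00.390703 2x bge0 @0:14 b hecate.umd.edu [128.8.10.23] -> wrath.umd.edu[128.8.70.25] PR udp len 20 (1500) frag 1234@1480:1480 IN
20/09/2007 10:41:00.391002 bge0 @0:3 p hecate.umd.edu[128.8.10.23],7000 -> wrath.umd.edu[128.8.70.25],7001 PR udp len 20 1500 frag 1234@0:1480 IN
20/09/2007 10:41:01.120044 bge0 @0:14 b hecate.umd.edu[128.8.10.23] -> wrath.umd.edu[128.8.70.25] PR udp len 20 (520) frag 1234@2960:500 IN
20/09/2007 10:41:02.000000 bge0 @0:14 b 192.0.2.10 -> wrath.umd.edu[128.8.70.25],22 PR tcp len 20 40 -S IN
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?:(?P<count>\d+)x\s+)?(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+\(?(?P<plen>\d+)\)?(?P<rest>.*)$"
)

def _endpoint(token):
    """Split 'host[ip],port', 'host[ip]' or 'ip' into (ip, port-or-None)."""
    host, _, port = token.partition(",")
    m = re.search(r"\[([^\]]+)\]", host)
    return (m.group(1) if m else host), (port or None)

def parse_ipmon(line):
    """Parse one ipmon line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(re.sub(r"\s+\[", "[", line.strip()))  # 'host [ip]' -> 'host[ip]'
    if not m:
        return None
    src_ip, sport = _endpoint(m["src"])
    dst_ip, dport = _endpoint(m["dst"])
    tail = m["rest"].split()
    return {"count": int(m["count"] or 1), "rule": f"@{m['group']}:{m['rule']}",
            "blocked": m["action"] == "b", "proto": m["proto"], "length": int(m["plen"]),
            "src": src_ip, "sport": sport, "dst": dst_ip, "dport": dport,
            "frag": "frag" in tail, "direction": tail[-1] if tail else None}

def blocked_fragment_report(log_text):
    """Tally blocked fragments per (rule, src, dst, proto, kind), honouring ipmon's
    'Nx' repeat count. 'frag-tail' rows (no port) can only be passed by a 'with frag' rule."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if rec and rec["blocked"] and rec["frag"]:
            kind = "frag-tail" if rec["dport"] is None else "frag-head"
            counts[(rec["rule"], rec["src"], rec["dst"], rec["proto"], kind)] += rec["count"]
    return counts
```

Run it over a real ipmon log and a large "frag-tail" count on the block rule (here @0:14) is the signature of port-based rules dropping AFS fragments.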

