> On 5 Aug 2014, at 14:08, Brandon Allbery <[email protected]> wrote:
>
>> On Tue, 2014-08-05 at 09:30 +0200, Alex wrote:
>> Now, I didn't find in the admin guide or wiki[1] some useful
>> information about client's firewall, but I could find some
>> information on the Internet saying that client doesn't work without
>> opening 7001 for incoming UDP [2]. This should be open for callbacks
>> (if I understood correctly). I also tested the client behind NAT with
>> some public cells and it worked well. So, does a client work behind a
>> firewall NAT even without opening inbound ports? If not, is there any
>> solution for this?
>
> You will get basic client functionality even without opening the port.
> What you won't get is notifications from the server that something the
> server knows to be cached on the client has been modified elsewhere and
> the client should flush its cached information (this is the "callback").

This isn't actually the case, because of the complexities of imposing connections on top of UDP.

Because UDP is a connectionless protocol, a firewall that blocked all inbound UDP packets would prevent any two-way UDP conversations from occurring. Instead what firewalls and NATs do is open a hole/mapping for inbound packets that matches the path taken by the outbound ones. Because the cache manager listens for incoming callback breaks on the same port as it uses to send packets to the fileserver, this means that a firewall hole for callbacks is created as a side effect of the original connection. This is how AFS continues to work in the face of the Mac OS X firewall, for example.

The complication is that firewalls/NATs only preserve these mappings for a finite length of time. We attempt to keep them open through regular fileserver pings, but sometimes that isn't enough. When a mapping expires, the client is unable to receive callbacks until it next contacts the fileserver.

Cheers,

Simon

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
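
The mapping behaviour described in the reply above, as an added example that is not part of the original message or of OpenAFS: a toy stateful UDP filter in which outbound packets from the cache manager open a hole that a callback break can use until the idle timer runs out. The addresses, timeouts and ping intervals are constructed, and the model assumes that only outbound packets refresh the timer.

```python
"""Toy model of a stateful firewall/NAT tracking UDP flows (constructed example)."""

CLIENT = ("192.0.2.10", 7001)        # cache manager; 7001 is the port named in the thread
FILESERVER = ("198.51.100.5", 7000)  # constructed address; 7000 is the AFS fileserver port


class StatefulUdpFilter:
    """Allows inbound UDP only when it reverses a recent outbound flow."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.flows = {}  # (inside addr, outside addr) -> time of last outbound packet

    def outbound(self, now, src, dst):
        # Outbound traffic always passes and creates or refreshes the mapping.
        self.flows[(src, dst)] = now
        return True

    def inbound(self, now, src, dst):
        # Inbound passes only if it matches an unexpired mapping.
        # Assumption: inbound packets do not refresh the idle timer.
        last = self.flows.get((dst, src))
        if last is None or now - last > self.idle_timeout:
            self.flows.pop((dst, src), None)  # expired or unknown: drop
            return False
        return True


def callbacks_delivered(idle_timeout, ping_interval, callback_times, horizon):
    """Return {time: delivered?} for callback breaks sent by the fileserver."""
    fw = StatefulUdpFilter(idle_timeout)
    pings = set(range(0, horizon + 1, ping_interval))  # first contact at t=0
    result = {}
    for t in range(horizon + 1):
        if t in pings:
            fw.outbound(t, CLIENT, FILESERVER)   # client contacts the fileserver
        if t in callback_times:
            result[t] = fw.inbound(t, FILESERVER, CLIENT)  # callback break arrives
    return result


if __name__ == "__main__":
    # Constructed timings in seconds.
    # Mapping outlives the gap between pings: every callback gets through.
    print(callbacks_delivered(120, 60, {90, 170}, 300))
    # Mapping expires between pings: the callback at t=50 is lost, and
    # delivery resumes only after the client's next contact at t=60.
    print(callbacks_delivered(30, 60, {20, 50, 70}, 300))
```
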
