Using OpenAFS on Windows (Some notes)

A previous student had some recommendations for installing OpenAFS on a Windows machine. I (John Boyland) have edited the information. It provides information on

How to use AFS when you have a firewall

Q: How do I use AFS without disabling my entire Norton Internet Security firewall?

A: The following ports need to be opened up:

  1. Open/permit UDP remote ports 7000-7009 (AFS ports) (can permit both incoming and outgoing for simplicity). At least 7001 must be open for incoming connections. The others need only be outgoing. (http://grand.central.org/twiki/bin/view/AFSLore/WindowsEndUserQuickStartGuide)
  2. Open/permit (from http://www.eos.ncsu.edu/wolfcall/firewall.htm (from http://www.google.com/search?num=20&hl=en&lr=lang_en&ie=UTF-8&q=afs+netbios+firewall )
  3. Open/permit UDP local port 139. (NetBios-ssn port) (can permit both incoming and outgoing for simplicity) (from Symantec Norton Internet Security messages and http://kaste.lv/OreilltyBookshelf/networking/puis/appg_01.htm from http://www.google.com/search?num=20&hl=en&lr=lang_en&ie=UTF-8&q=afs+netbios+firewall)
  4. There might be other ports that need to be opened, but were not noticed since they were already open on the firewall used to test this information.
The only port that I (John Boyland) know that must be open for incoming connections is 7001. I keep all outgoing ports open.

Example how-to: This change was made in Norton Internet Security. In the main pane, click on Personal Firewall. The right pane then displays Turn Off and Configure. Click on Configure. Then, on the Advanced tab, go to the top of the list and click on Add. Then I added a Permit rule on the top of the list. NOTE! When you think you are adding the new rule at the TOP of the list, the new rule actually ends up at the bottom initially. You have to move the rule back up near the top of the list in order for it to override the other rules. For simplicity, just put both new rules at the top.
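
The rule-order pitfall in the note above, as an added example (not part of the original notes): a small first-match evaluator showing why a permit rule that lands below a catch-all block has no effect until it is moved up. The rule model, the catch-all block rule and the packets are constructed for illustration; it assumes the firewall applies the first matching rule from the top of the list and that incoming 7001 traffic is matched on the local port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "block"
    direction: str   # "in", "out" or "any"
    proto: str       # "udp", "tcp" or "any"
    ports: range     # ports covered by the rule
    side: str        # which port the rule checks: "local" or "remote"

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    local_port: int
    remote_port: int

def matches(rule, pkt):
    port = pkt.remote_port if rule.side == "remote" else pkt.local_port
    return (rule.direction in ("any", pkt.direction)
            and rule.proto in ("any", pkt.proto)
            and port in rule.ports)

def evaluate(rules, pkt, default="block"):
    """Return the action of the first matching rule, top of the list first."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

# Constructed rules: a pre-existing catch-all block plus the two AFS permits.
BLOCK_ALL_IN = Rule("block", "in", "any", range(0, 65536), "local")
AFS_OUT = Rule("permit", "out", "udp", range(7000, 7010), "remote")
AFS_IN_7001 = Rule("permit", "in", "udp", range(7001, 7002), "local")

# Constructed packets: incoming 7001 traffic, an outgoing AFS request,
# and unrelated inbound traffic that should stay blocked.
PACKETS = {
    "incoming_7001": Packet("in", "udp", local_port=7001, remote_port=7000),
    "outgoing_afs": Packet("out", "udp", local_port=7001, remote_port=7000),
    "stray_inbound": Packet("in", "udp", local_port=7005, remote_port=7000),
}

APPENDED = [BLOCK_ALL_IN, AFS_OUT, AFS_IN_7001]   # new rules left at the bottom
MOVED_UP = [AFS_OUT, AFS_IN_7001, BLOCK_ALL_IN]   # new rules moved to the top

def report():
    """Map packet name -> (action with APPENDED, action with MOVED_UP)."""
    return {name: (evaluate(APPENDED, p), evaluate(MOVED_UP, p))
            for name, p in PACKETS.items()}
```

With the permits at the bottom, incoming 7001 traffic is still blocked; once they are moved up it is permitted, while inbound traffic to other ports stays blocked because only 7001 is opened for incoming connections.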

Similar considerations apply to the use of a DSL "router" where several computers hide behind a single external IP address. The router must be configured to forward external port 7001 to the (one) machine that uses AFS. You cannot use AFS reliably on more than one machine sharing a single IP address. It might be possible to broadcast the 7001 messages to all (potential) AFS clients, but I have no idea if this will work.


John Boyland (boyland@cs.uwm.edu)

Last Update: August 31, 2007