healthy installation on os x does not connect at some locations

Wed Oct 4 09:55:47 CEST 2006

I want to thank once more everyone who responded my mail. I am  
contacting my sysadmin to see if he can fix the firewall.

Meanwhile, I found that the presence of the client connection from  
pdc to my Mac:7001 does not affect the work of arla afs. I made a NAT  
rule at home and opened OS X to listen on 7001, so that /usr/openafs/ 
sbin/rxdebug from pdc sees my Mac. I found that nothing changed in my  
(working) afs connection.

Sincerely
Anton

On Sep 29, 2006, at 13:41, Anton Grigoriev wrote:

> Thank you very mach, Harald!
> It was very useful.
>
> What I found is that
> 1) If I can connect to pdc, then I have response on rxdebug towards  
> sculpin like
> AFS version:  OpenAFS 1.4.0 built  2006-03-06
> otherwise I have no responce
> get version call failed with code -1, errno 0
>
> 2) I never have any response backwards, i.e. from lise to my Mac  
> 7001 , even if I can connect to afs.
> get version call failed with code -1, errno 0
> 2.a) I will change that at home via opening 7001 in OS X firewall  
> _and_ setting appropriate NAT rule in the router.  Still, I do not  
> (yet ) see the effect on connectivity. It works without a client.
>
> 3) I have a) UU firewall ??? b) department's firewall c) OS X  
> firewall. d) more firewalls???
> NB the setting called 'location' is always the same so computer  
> thinks it is in the same place, but with DHCP, so that IP is  
> different.
> My OS X firewall is set to reject udp in stelth mode. Changing this  
> does not change connectability.
> 3.a) System administrators are payed for being paranoid. For this  
> reason all laptops at my dept are connected OUTSIDE of the dept  
> firewall, so that they will not kill the system inside.
> This leaves the Q if anyone at UU can mount afs from pdc. It also  
> could be that OS X firewall feels the change off location  
> somehow ... Ore there is yet another firewall in between. I will  
> find out.
>
> Sincerely
>
> Anton
>
>
> On Sep 28, 2006, at 15:12, Harald Barth wrote:
>
>>
>>> My guess is that there is a firewall blocking the ports that AFS  
>>> uses (udp
>>> 7000-7003 or so).  You could try running /usr/arla/bin/rxdebug  
>>> against
>>> those ports on some interesting hosts (like  
>>> {anna,lise,houting}.pdc.kth.se)
>>> to see if you get any packets through at all.  Try rxdebug at  
>>> home or PDC
>>> and compare results.
>>
>> At PDC rxdebug is in /usr/openafs/sbin/rxdebug
>>
>> The following commands should give output
>> from your MAC:
>>
>>   Against one of the AFS DB servers:
>>
>>   rxdebug anna.pdc.kth.se 7007 -version
>>   rxdebug anna.pdc.kth.se 7003 -version
>>
>>   Against the fileserver your $HOME is on:
>>
>>   rxdebug sculpin.pdc.kth.se 7000 -version
>>   rxdebug sculpin.pdc.kth.se 7005 -version
>>
>> The following command should give output
>> when executed on PDC:
>>
>>   /usr/openafs/sbin/rxdebug angr.Fysik.UU.SE 7001 -version
>>
>> The ports are as follows (all UDP):
>>
>> 7007: AFS Volume location database
>> 7003: AFS Users and groups database
>> 7000: File server (files)
>> 7005: File server (volumes)
>> 7001: Client
>>
>
>>> Wrong. I mixed up the numbers.
>>>
>>> The ports are as follows (all UDP):
>>>
>>> 7003: AFS Volume location database
>>> 7002: AFS Users and groups database
>>> 7000: File server (files)
>>> 7005: File server (volumes)
>>> 7001: Client
>>>
>>> And 7007 is bos but not neccessary for you.
>
>
>> So for this to work, the firewall has to be opened for these ports.
>>
>> If your sysadmin has any questions about AFS or firewalls etc, point
>> him to the PDC support.
>>
>> Harald.
>