Coda File System

Re: Coda and firewalls - not really using well known ports

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Sun, 4 Feb 2001 16:11:49 -0500
On Sun, Feb 04, 2001 at 01:20:36PM -0500, Brad Clements wrote:
> Apparently part of the coda protocol negotiates the use of dynamic ports, 
> other than the ones listed in the coda documentation.

A recent client with the masquerade=1 option enabled in the venus.conf
file will `connect' from some local udp port to udp port 2432 on the
codaserver. It will use the same local port for the lifetime of the
venus process. All communication will be limited to these ports.

Without the masquerade option, venus uses udp 2430 and 2431 to
communicate with 2432 and 2433 on the server. The 2431/2433 ports are
used for the data transfers, and the server->client communication is
blocked by masquerading firewalls.

clog/cpasswd/au will communicate from an arbitrary local port to 370/udp
where the auth2 daemon is listening.

As far as server-server, updateclnt-updatesrv, and volutil-server are
concerned, servers are assumed to be co-located (i.e. in the same
machine room), so they will have problems with firewalls. I don't think
that `fixing' this is very important as it actually improves security (or
at least obscurity) of these daemons behind a firewall.

> This causes real problems with firewalls and such.
> 
> What's the best way to fix this?  Can someone point me towards the 
> offending sub-system or code? Maybe I can take a whack at the problem.

Eh, it doesn't really fall into any subsystem. It involves (at least)
the following daemons and applications: updateclnt, updatesrv, volutil,
codasrv, backup.

Jan
Received on 2001-02-04 16:12:00
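Added example, not from Jan's mail or the Coda project: a small Python script that reads the masquerade setting from venus.conf and emits the client-side iptables rules for the UDP ports described above. The server address, the OUTPUT/INPUT chain names on the client host, and the assumption that the 2433->2431 data transfer is initiated by the server are my own choices.

```python
"""Derive client-side UDP firewall rules for Coda from venus.conf.

Port numbers are the ones given in Jan's mail; everything else here is
an assumption made for this example.
"""
import re

CODA_RPC2_PORT = 2432    # codasrv RPC2 listener
CODA_SFTP_PORT = 2433    # codasrv data-transfer port
VENUS_RPC2_PORT = 2430   # non-masquerading venus, RPC2 side
VENUS_SFTP_PORT = 2431   # non-masquerading venus, data-transfer side
AUTH2_PORT = 370         # auth2 daemon used by clog/cpasswd/au


def masquerade_enabled(venus_conf_text):
    """True if venus.conf sets masquerade to a non-zero value.
    '#' comments and surrounding whitespace are tolerated (assumed syntax)."""
    for line in venus_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"masquerade\s*=\s*(\d+)$", line)
        if m:
            return m.group(1) != "0"
    return False


def required_flows(masquerade):
    """Return (direction, src_port, dst_port) tuples the client firewall must
    allow. src_port None means 'any local ephemeral port'."""
    flows = [("out", None, AUTH2_PORT)]            # clog etc. -> auth2
    if masquerade:
        # one local port for the venus lifetime -> 2432; replies ride on
        # the same UDP pair, so a stateful firewall needs no inbound rule
        flows.append(("out", None, CODA_RPC2_PORT))
    else:
        flows += [("out", VENUS_RPC2_PORT, CODA_RPC2_PORT),
                  ("out", VENUS_SFTP_PORT, CODA_SFTP_PORT),
                  # assumed: server opens the data transfer towards 2431,
                  # which is what masquerading firewalls block
                  ("in", CODA_SFTP_PORT, VENUS_SFTP_PORT)]
    return flows


def iptables_rules(flows, server_ip):
    """Render flows as iptables commands for the client host."""
    rules = []
    for direction, sport, dport in flows:
        chain, host = ("OUTPUT", "-d") if direction == "out" else ("INPUT", "-s")
        sp = f" --sport {sport}" if sport else ""
        rules.append(f"iptables -A {chain} -p udp {host} {server_ip}{sp}"
                     f" --dport {dport} -j ACCEPT")
    return rules


if __name__ == "__main__":
    # constructed sample venus.conf fragment
    conf = "# venus.conf\nmasquerade=1\n"
    for r in iptables_rules(required_flows(masquerade_enabled(conf)), "192.0.2.10"):
        print(r)
```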