NC State University  College of Engineering (Eos)

WolfCall: Interoperation with Firewalls

One of the goals of the WolfCall project is to give students, faculty, and staff access to the NCSU AFS file space from home. Firewalls and NAT routers, which are common in home networks, make this harder. This document explains how to set up WolfCall and your firewall so that remote file access works.

NAT Routers
(aka Broadband Routers, NAT Servers, IP Masquerading, and IP Tables)

Anyone using WolfCall behind an internet connection sharing device must check the box labeled "Use Addressless tickets" in the "Misc" tab.

Why?
Most Internet connection sharing devices use Network Address Translation (NAT), which lets several computers share one public Internet address. How this is done is beyond the scope of this document.

One consequence of NAT is that the client computers (your computers at home) have private addresses that are never seen by any computer outside your home network. In most situations this is fine: the NAT router rewrites the addresses on each packet as it passes through.

However, the Kerberos authentication protocol used by AFS has built-in address checking, intended to prevent your authentication from being "hijacked" by an attacker. A ticket can carry the list of network addresses it was issued for, and a server receiving the ticket compares the address the request came from against that list. If a copy of one of your tickets falls into the wrong hands (the ticket itself is encrypted with the server's key, so a copy sniffed off the network is useless without the matching session key from your credential cache), the attacker still cannot use it from a machine with a different network address.

Unfortunately, a home machine behind a NAT router also fails the address check. It knows only its private address, so that is the address it asks to have recorded in its tickets. By the time a request reaches the server, the router has rewritten the source address to its own public address, which is not in the ticket, and the server turns the request away.

This problem led the Kerberos developers to reconsider the address check. Since hijacking requires an attacker to already hold a usable copy of a ticket and its session key, an unlikely scenario, and since the check offers little protection in practice, it was decided to provide a way to disable it. The result is "addressless tickets", whose address field is empty; a ticket with an empty address list is accepted from any address.

Firewalls

We will assume that anyone running a port-blocking firewall knows what it is and how to configure it. All of the ports below are UDP, and "Outgoing" and "Incoming" are relative to the home machine running WolfCall. The ports you will need to open are as follows:

Kerberos
88 UDP (Outgoing)          Kerberos KDC
4444 UDP (Outgoing)

AFS
7000-7007 UDP (Outgoing)   AFS servers (7000 is the file server, 7003 the volume location server)
7001 UDP (Incoming)        AFS cache manager on your machine; file servers send callbacks to this port

D-Link DI-604/614/614+

These particular routers appear to intercept and reroute all DNS traffic, where other routers generally just provide an optional DNS proxy. This behavior breaks Hesiod lookups, which WolfCall uses to find your home directory and which are ordinary DNS TXT queries. Hesiod lookups can also be done from the command line with any DNS tool that can query TXT records, which is a quick way to tell whether the router is the problem.

The errors generated by WolfCall will generally look like:

Getting Home Directory failed: [1]

(Hesiod-getHomeDir:Filsys lookup error [15])

To fix the problem, configure your router to use one or more of NC State's DNS servers (152.1.1.22, 152.1.1.208, 152.1.1.206, 152.1.1.161, 152.1.1.248, or 152.1.2.22), so that the Hesiod TXT queries reach a server that can answer them.
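The following is an added example, not WolfCall's own code, showing what a Hesiod "filsys" lookup actually is underneath: a DNS TXT query for a name built from the user name, the record type and two site-specific suffixes, followed by parsing of the returned record. The suffixes (".ns" and ".example.edu"), the user names, the sample TXT records, the resolver table standing in for a DNS server, and the router address 192.168.0.1 in the test are all constructed for illustration and are not the campus values.

```python
"""Hesiod filsys lookup, modelled offline.

Added example; this is not WolfCall code. Hesiod is a naming service layered
on DNS: the client builds a DNS name from the user name, the record type and
two site-specific suffixes, then asks for that name's TXT records. The suffix
values, the users, the sample records and the resolver table below are all
constructed for illustration.
"""
from typing import Dict, List, NamedTuple, Optional

# ASSUMED site suffixes. Real values come from the client's Hesiod configuration.
HESIOD_LHS = ".ns"
HESIOD_RHS = ".example.edu"


def hesiod_query_name(name: str, hes_type: str,
                      lhs: str = HESIOD_LHS, rhs: str = HESIOD_RHS) -> str:
    """DNS name whose TXT records hold the answer, e.g. jdoe.filsys.ns.example.edu."""
    return f"{name}.{hes_type}{lhs}{rhs}"


class Filsys(NamedTuple):
    """One parsed filsys entry: where a user's home file system lives."""
    kind: str              # "AFS" or "NFS"
    location: str          # AFS path, or the NFS exported device
    server: Optional[str]  # NFS server; AFS entries carry none
    mode: str              # "w" read-write or "r" read-only
    mountpoint: str        # where the client should mount it


def parse_filsys(record: str) -> Filsys:
    """Parse one filsys TXT record.

    AFS form:  AFS <afs-path> <mode> <mountpoint>
    NFS form:  NFS <device> <server> <mode> <mountpoint>
    """
    fields = record.split()
    kind = fields[0].upper() if fields else ""
    if kind == "AFS" and len(fields) == 4:
        return Filsys("AFS", fields[1], None, fields[2], fields[3])
    if kind == "NFS" and len(fields) == 5:
        return Filsys("NFS", fields[1], fields[2], fields[3], fields[4])
    raise ValueError(f"malformed filsys record: {record!r}")


# Constructed stand-in for a DNS server: query name -> TXT records it returns.
# A router that swallows the query behaves like a name missing from this table.
SAMPLE_RESOLVER: Dict[str, List[str]] = {
    hesiod_query_name("jdoe", "filsys"): [
        "AFS /afs/example.edu/users/j/jdoe w /home/jdoe",
    ],
    hesiod_query_name("nfsuser", "filsys"): [
        "NFS /export/home/nfsuser nfs1.example.edu w /home/nfsuser",
    ],
}


def lookup_home_dir(user: str, resolver: Dict[str, List[str]]) -> str:
    """Resolve a user's home directory the way a Hesiod client does.

    Raises LookupError when no TXT record comes back, which is what happens
    behind a router that intercepts the DNS query.
    """
    qname = hesiod_query_name(user, "filsys")
    records = resolver.get(qname, [])
    if not records:
        raise LookupError(f"no TXT records for {qname}")
    entry = parse_filsys(records[0])
    return entry.location if entry.kind == "AFS" else entry.mountpoint


def diagnostic_commands(user: str, servers: List[str]) -> List[str]:
    """nslookup commands that ask each server directly for the Hesiod TXT record.

    Running one against the router and one against a campus DNS server shows
    which of the two fails to answer.
    """
    qname = hesiod_query_name(user, "filsys")
    return [f"nslookup -type=TXT {qname} {srv}" for srv in servers]


if __name__ == "__main__":
    print(lookup_home_dir("jdoe", SAMPLE_RESOLVER))
    for cmd in diagnostic_commands("jdoe", ["192.168.0.1", "152.1.1.22"]):
        print(cmd)
```

To check a real router, take the two nslookup commands the script prints (the first address is an assumed router address, the second is one of the campus servers listed above), substitute your own user name and the site's Hesiod suffixes, and compare the answers: a TXT record from the campus server but nothing from the router is the interception the page describes.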

   

Information Technology and Engineering Computer Services (ITECS)
College of Engineering, North Carolina State University, Raleigh, NC 27695
Comments to eoshelp@ncsu.edu. URL: http://www.eos.ncsu.edu/
