Re: [Bacula-users] Firewall fun

2009-06-23 15:57:32
Subject: Re: [Bacula-users] Firewall fun
From: Arno Lehmann <al AT its-lehmann DOT de>
To: bacula-users <bacula-users AT lists.sourceforge DOT net>
Date: Tue, 23 Jun 2009 21:52:09 +0200
Hi,

23.06.2009 17:04, Dirk Bartley wrote:
> Sure,  iptables allows for connection based rules as well as the old
> ipchains style rules based rules.
> 
> So you're probably using connection based rules like :
> iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT 
> iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
> 
> just add something like
> 
> iptables -A INPUT -p tcp --source fd_dmz_ipaddress --destination sd_internal_address --dport 9103 -j ACCEPT

Yup. That should work.

But back to your problem, Dirk: Have you tried the "heartbeat 
interval" setting? That should generate some traffic so that the pix 
doesn't time-out the seemingly stale connection.

Arno

> Or something to that effect.  This just accepts without considering
> whether a connection has been established.  At least that's my
> understanding of it, I've been less than perfect before though.
> 
> Dirk
> 
> On Tue, 2009-06-23 at 10:20 -0400, Matthew Komar wrote:
>> I'm having a similar issue with a machine that is behind a pfSense 
>> firewall (which is iptables based). Do you have a quick fix for me?
>>
>> Dirk Bartley wrote:
>>> Greetings
>>>
>>> Moved a machine into a dmz behind a pix515e firewall.  Created a rule to
>>> allow the fd to connect to the sd and it seems to work, except for one
>>> little peculiarity on a larger backup job.
>>>
>>> On a server that backs up about 60GB, it fails at the very tail end of
>>> the backup.  The firewall log is showing that it is tearing down the tcp
>>> connection due to a TCP Reset-I then denying the connection a bit later.
>>>
>>> I'm not finding much I can do in the firewall to solve the issue.  I was
>>> contemplating putting a direct connection cable between the fd and the sd
>>> to solve this.  (Darn cisco, if this firewall was iptables, a solution
>>> would be easy)
>>>
>>> Anybody have any other ideas??
>>>
>>> Thanks in advance for any assistance.
>>>
>>> Dirk
>>>
> 
> 
> 
> _______________________________________________
> Bacula-users mailing list
> Bacula-users AT lists.sourceforge DOT net
> https://lists.sourceforge.net/lists/listinfo/bacula-users
> 

-- 
Arno Lehmann
IT-Service Lehmann
Sandstr. 6, 49080 Osnabrück
www.its-lehmann.de
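As an added illustration of the "Heartbeat Interval" suggestion above (this is not from the original thread, and the 60-second value and resource names are assumptions): setting the directive on both daemons makes each side send periodic keepalive packets on otherwise idle Bacula connections, so a stateful firewall between the FD and SD does not expire the session as stale during a long-running job. Pick a value clearly shorter than the firewall's idle-connection timeout.

```conf
# bacula-sd.conf (Storage daemon side) - added example, values assumed
Storage {
  Name = backup-sd            # assumed resource name
  SDPort = 9103
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  # Send a keepalive on idle connections every 60 seconds so the
  # firewall's connection table does not time the session out.
  Heartbeat Interval = 60
}

# bacula-fd.conf (File daemon in the DMZ) - added example, values assumed
FileDaemon {
  Name = dmzhost-fd           # assumed resource name
  FDport = 9102
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
  # Same interval on the FD side; keeps the FD<->SD and Director<->FD
  # sessions alive while a large backup is still transferring data.
  Heartbeat Interval = 60
}
```

After changing both files, reload or restart the affected daemons and watch the firewall log for the previous "TCP Reset" teardown messages to confirm they stop.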
