
[Networker] iptables firewall blocking access to nsrexecd on client?

2005-10-02 11:08:42
Subject: [Networker] iptables firewall blocking access to nsrexecd on client?
From: Gary Goldberg <og AT DIGIMARK DOT NET>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Sun, 2 Oct 2005 11:01:10 -0400
Hello. I'm using a NetWorker 6.13 Windows backup server and jukebox with 7 other
clients, mostly RH9 Linux and a Win2K server. Everything was going fine for the
most part.

I've been working to beef up the iptables firewall on one of the linux servers in
response to the recent security vulnerability reported

   http://www.legato.com/support/websupport/product_alerts/081605_NW-7x.htm

Since Legato is not going to release a patch for version 6 NetWorker, and since
I really should have this firewalled anyway (the servers are publicly accessible
web and mail servers), I added these iptables entries on the client:

# Accept Legato Networker
-A INPUT -p tcp -m tcp -s {backup.server} --dport 7937:7938 -j ACCEPT
-A INPUT -p udp -m udp -s {backup.server} --dport 7937:7938 -j ACCEPT

and I have FORWARD and INPUT default policies DROP, OUTPUT policy ACCEPT. The
machine has only one LAN interface (eth0) and I have also set this rule on the
loopback interface:

-A INPUT -i lo -j ACCEPT

Plus a general:

-A OUTPUT -j ACCEPT

Here's the problem -- since activating the iptables configuration, the nightly
backup still runs successfully, but I get this error message in the Group
report:

* client:/ NetWorker: Cannot contact nsrexecd service on client.digimark.net,
                 Service not available.
V client: /                         level=full,   1485 MB 00:23:20  84893 files
* client:/boot NetWorker: Cannot contact nsrexecd service on client.digimark.net,
                 Service not available.
V client: /boot                     level=full,     10 MB 00:00:10     39 files
...

and so on. The backup *is* working though. When I look for running nsrexecd on
the client, I get this:

[user@client mail]$ ps -efH | grep nsr
user      6687  6510  0 10:53 pts/1    00:00:00           grep nsr
root      5703     1  0 Oct01 ?        00:00:00   /usr/sbin/nsrexecd
root      5705  5703  0 Oct01 ?        00:00:00     /usr/sbin/nsrexecd

So both expected nsrexecd instances are running (daemon and portmapper).

Clearly the problem is the iptables firewall is interfering. Can anyone suggest
what additional rules I should add or tweak to the configuration so that the
backup server can reach the client properly?

Thanks in advance. -Gary

--
-- "You can't take a picture of this. It's already gone."
Gary Goldberg KA3ZYW <og AT digimark DOT net> V:301/249-6501 F:301/390-1955 AIM:OgGreeb
Digital Marketing/Bowie MD/Systems & Networks Consult <http://www.digimark.net/>
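Added diagnostic example (not part of the original post or of any list reply): rather than guessing which ports the backup server is being refused on, log what the INPUT chain drops from the backup server, summarise the destination ports from the kernel log, and turn that summary into candidate ACCEPT rules for review. `{backup.server}` is the same placeholder the post uses; the log lines in the test are constructed samples.

```sh
#!/bin/sh
# Diagnostic helper for an iptables INPUT chain with default policy DROP.
# Assumption: the LOG target is available and kernel messages reach syslog.

# Append a rate-limited LOG rule at the end of INPUT so that anything from
# the backup server that no ACCEPT rule matched is recorded before the
# default DROP policy discards it. Run as root; delete the rule afterwards
# (iptables -D INPUT ... with the same arguments).
add_log_rule() {
    iptables -A INPUT -s "$1" -m limit --limit 5/min \
        -j LOG --log-prefix "NSR-DROP: "
}

# Read kernel/syslog lines on stdin and print one "PROTO DPORT COUNT" line
# per protocol/port pair that was dropped, e.g. "TCP 8000 2".
summarise_drops() {
    grep 'NSR-DROP:' \
    | sed -n 's/.*PROTO=\([A-Z]*\) .*DPT=\([0-9]*\).*/\1 \2/p' \
    | sort | uniq -c \
    | awk '{ print $2, $3, $1 }'
}

# Read "PROTO DPORT COUNT" lines on stdin and emit iptables-save style
# ACCEPT rules, restricted to the backup server ($1), in the same form as
# the rules already in the post. Review the list before loading it: only
# ports that belong to the backup traffic should be opened.
emit_accept_rules() {
    while read -r proto dport count; do
        p=$(printf '%s' "$proto" | tr 'A-Z' 'a-z')
        printf -- '-A INPUT -p %s -m %s -s %s --dport %s -j ACCEPT\n' \
            "$p" "$p" "$1" "$dport"
    done
}
```

Typical use after a backup run: `grep 'NSR-DROP:' /var/log/messages | summarise_drops | emit_accept_rules {backup.server}`.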
