Networker

Re: [Networker] iptables firewall blocking access to nsrexecd on client?

2005-10-02 16:50:26
Subject: Re: [Networker] iptables firewall blocking access to nsrexecd on client?
From: "Clark, Patricia" <Clarkp AT OSTI DOT GOV>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Sun, 2 Oct 2005 16:47:31 -0400
 

-----Original Message-----
From: Gary Goldberg [mailto:og AT DIGIMARK DOT NET] 
Sent: Sunday, October 02, 2005 11:01 AM
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Subject: [Networker] iptables firewall blocking access to nsrexecd on
client?

Hello. I'm using a NetWorker 6.13 Windows backup server and jukebox with 7 other clients, mostly RH9 Linux and a Win2K server. Everything was going fine for the most part.

I've been working to beef up the iptables firewall on one of the linux servers in response to the recent security vulnerability reported
http://www.legato.com/support/websupport/product_alerts/081605_NW-7x.htm

Since Legato is not going to release a patch for version 6 NetWorker, and since I really should have this firewalled anyway (the servers are publicly accessible web and mail servers), I added these iptables entries on the client:

# Accept Legato Networker
-A INPUT -p tcp -m tcp -s {backup.server} --dport 7937:7938 -j ACCEPT
-A INPUT -p udp -m udp -s {backup.server} --dport 7937:7938 -j ACCEPT

and I have FORWARD and INPUT default policies DROP, OUTPUT policy ACCEPT. The machine has only one LAN interface (eth0) and I have also set this rule on the loopback interface:

-A INPUT -i lo -j ACCEPT

Plus a general:

-A OUTPUT -j ACCEPT

Here's the problem -- since activating the iptables configuration, the nightly backup still runs successfully, but I get this error message in the Group report:

* client:/ NetWorker: Cannot contact nsrexecd service on
client.digimark.net,
                  Service not available.
V client: /                         level=full,   1485 MB 00:23:20
84893 files
* client:/boot NetWorker: Cannot contact nsrexecd service on
client.digimark.net,
                  Service not available.
V client: /boot                     level=full,     10 MB 00:00:10
39 files
...

and so on. The backup *is* working though. When I look for running nsrexecd on the client, I get this:

[user@client mail]$ ps -efH | grep nsr
user      6687  6510  0 10:53 pts/1    00:00:00           grep nsr
root      5703     1  0 Oct01 ?        00:00:00   /usr/sbin/nsrexecd
root      5705  5703  0 Oct01 ?        00:00:00     /usr/sbin/nsrexecd

So both expected nsrexecd instances are running (daemon and portmapper).

Clearly the problem is the iptables firewall is interfering. Can anyone suggest what additional rules I should add or tweak to the configuration so that the backup server can reach the client properly?

Thanks in advance. -Gary
>>>>>>>>>>>>>
Networker uses RPC calls.  You need portmap to be running on both client
and server.  You also need to add TCP/UDP 111 to your iptables.  You do
NOT need UDP 7937:7938.  This should clear up the complaints.

Patti Clark
DOE/OSTI Unix System Admin
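An added example, not code from the list or from Legato: a small audit of an iptables-save style INPUT chain that reports which of the ports this thread names (TCP 7937:7938 for nsrexecd, TCP/UDP 111 for the portmapper) the backup server is still blocked on. The address 192.0.2.10 is a constructed stand-in for {backup.server}; the embedded ruleset mirrors the one in the question, with the two portmapper rules from the reply appended in the "fixed" variant.

```python
"""Audit an iptables-save INPUT chain for what a NetWorker client must accept
from the backup server: TCP 7937:7938 (nsrexecd) and TCP/UDP 111 (portmapper).
Added example for this thread, not Legato/NetWorker tooling; 192.0.2.10 is a
constructed stand-in for {backup.server}."""

REQUIRED = [("tcp", 7937), ("tcp", 7938), ("tcp", 111), ("udp", 111)]

def parse_ruleset(text):
    """Return (INPUT policy, list of INPUT rules) from iptables-save style text."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = line.split()
        if toks[:1] == [":INPUT"]:             # policy line, e.g. ":INPUT DROP [0:0]"
            policy = toks[1]
        elif toks[:2] == ["-A", "INPUT"]:      # only inbound rules matter here
            opt = {toks[i]: toks[i + 1] for i in range(len(toks) - 1)
                   if toks[i].startswith("-")}
            lo, _, hi = opt.get("--dport", "1:65535").partition(":")
            rules.append({"proto": opt.get("-p"), "src": opt.get("-s"),
                          "iface": opt.get("-i"), "ports": (int(lo), int(hi or lo)),
                          "target": opt.get("-j")})
    return policy, rules

def verdict(policy, rules, proto, port, src):
    """First matching rule wins, as in iptables; otherwise the chain policy applies.
    A '-i lo' rule never matches: the server's packets arrive on eth0."""
    for r in rules:
        if (r["iface"] != "lo" and r["proto"] in (None, proto)
                and r["src"] in (None, src) and r["ports"][0] <= port <= r["ports"][1]):
            return r["target"]
    return policy

def missing_rules(text, backup_server):
    """(proto, port) pairs the backup server still cannot reach."""
    policy, rules = parse_ruleset(text)
    return [(p, d) for p, d in REQUIRED
            if verdict(policy, rules, p, d, backup_server) != "ACCEPT"]

# Constructed ruleset mirroring the question (loopback accept, nsrexecd ports only).
ORIGINAL = """\
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.0.2.10 --dport 7937:7938 -j ACCEPT
-A INPUT -p udp -m udp -s 192.0.2.10 --dport 7937:7938 -j ACCEPT
"""
# The same ruleset with the portmapper rules the reply calls for.
FIXED = ORIGINAL + """\
-A INPUT -p tcp -m tcp -s 192.0.2.10 --dport 111 -j ACCEPT
-A INPUT -p udp -m udp -s 192.0.2.10 --dport 111 -j ACCEPT
"""

if __name__ == "__main__":
    print(missing_rules(ORIGINAL, "192.0.2.10"))   # [('tcp', 111), ('udp', 111)]
    print(missing_rules(FIXED, "192.0.2.10"))      # []
```

Run it against the output of `iptables-save` on the client to see which required ports the source-restricted rules still leave closed; hosts other than the backup server remain at the chain's DROP policy.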

To sign off this list, send email to listserv AT listserv.temple DOT edu and type "signoff networker" in the body of the email. Please write to networker-request AT listserv.temple DOT edu if you have any problems with this list. You can access the archives at http://listserv.temple.edu/archives/networker.html or via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER