Veritas-bu

[Veritas-bu] nbu through a firewall

2001-02-16 11:49:19
Subject: [Veritas-bu] nbu through a firewall
From: Dana Bourgeois Dana AT slamdunknetworks DOT com
Date: Fri, 16 Feb 2001 08:49:19 -0800
> > From: Dana Bourgeois [mailto:Dana AT slamdunknetworks DOT com]
> > Sent: Wednesday 14 February, 2001 17:21
>
> > netbackup will work through a firewall.  It will not work through NAT.
> > NAT will fool it into trying to connect directly to the firewall
> > which is not what you want and the firewall will never allow and which
> > wouldn't work properly even if you let it happen.
>
> yes but no. it depends on the kind of NAT you're using. if you're
> doing 1 -> 1 or n -> m, it could work. if you're doing n -> 1,
> it will never work, as from the server's point of view, all clients
> seem to come from the same IP address.
>
> the underlying thing is that NB connection depends on
> its capacity to associate a name and an IP address. that's why
> everything that messes with the IP <-> name relation will complicate
> NB work: Linux/*BSD ipfw, *BSD ipnat, Cisco PIX and so on, once
> again, depending on the configuration.
>
> Regards,
>             fx
>
>#include <std_disclaimer.h>
>
>--
>     fx AT veritas DOT com       | To have no errors
>François-Xavier Peretmere | would be life without meaning.
> http://www.veritas.com/  | No struggle, no joy.

Have you gotten this to work?  I understand the theory of why you think it
would work but if you haven't tried it yourself then until someone reports
that they have it working, I would rather overgeneralize about NAT than make
assumptions.  

The NBU client checks the far end of the TCP-IP connection (I watched it
with truss on Solaris) then does a reverse lookup based on the IP address it
finds and if it is successful, then tries to bind on this address which the
firewall steadfastly refuses to allow.  (If it is unsuccessful because you
don't have your firewall in your DNS, it fails with a "host not found".  I
saw that one too.  In fact, it later compares the far end IP and name with
the server name and can fail on that match as well.  Ask me how I know,
<nudge><nudge><wink><wink>.)  I *know* this fails with single-hiding-address
NAT.  It might with 1-1 NAT for the same reason.  I don't have the time to
set up a test like this so if you have done so, I appreciate knowing your
results.

I can report that once NAT was removed, NBU worked just fine.
Unfortunately, I can't report what it is now doing since I don't have time
to go back and check why it is working.  


Dana Bourgeois
Slam Dunk Networks 
Digital Mechanic & Network Janitor
1.650.632-5543
1.650.996-5687  [cell]
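
The two lookup failures described in the message above, modelled as an added example (not part of the original post and not NetBackup code): the client reverse-resolves the address it sees at the far end of the connection, then compares the resulting name with its configured server name. The function names, the `example.com` host names and the RFC 5737 addresses are constructed for illustration; only exact, case-insensitive name matches are accepted, which is an assumption.

```python
import socket

def system_reverse_lookup(ip):
    """Reverse-resolve ip with the system resolver; None if nothing is found."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return None
    return [name] + aliases

def check_peer(peer_ip, server_names, reverse_lookup=system_reverse_lookup):
    """Model of the checks the post describes (hypothetical helper).

    peer_ip      -- address seen at the far end of the TCP connection
    server_names -- names the client is configured to accept as its server
    Returns (verdict, detail); verdict is 'ok', 'host-not-found' or
    'name-mismatch'.
    """
    names = reverse_lookup(peer_ip)
    if not names:
        # Translated address has no reverse entry: the "host not found" case.
        return ("host-not-found", f"no reverse entry for {peer_ip}")
    wanted = {n.lower().rstrip(".") for n in server_names}
    got = {n.lower().rstrip(".") for n in names}
    if wanted & got:
        return ("ok", f"{peer_ip} resolves to {sorted(wanted & got)[0]}")
    # Address resolves, but to the NAT device rather than the server.
    return ("name-mismatch", f"{peer_ip} is {sorted(got)[0]}, expected one of {sorted(wanted)}")

# Constructed reverse-lookup table standing in for DNS, so this runs offline.
PTR = {
    "192.0.2.10": ["nbumaster.example.com"],     # the real backup server
    "198.51.100.1": ["fw-outside.example.com"],  # hiding address, present in DNS
}

def table_lookup(ip):
    return PTR.get(ip)

SCENARIOS = [
    ("no NAT, client sees the server", "192.0.2.10"),
    ("hide NAT, firewall in DNS", "198.51.100.1"),
    ("hide NAT, firewall not in DNS", "198.51.100.2"),
]

if __name__ == "__main__":
    for label, seen_ip in SCENARIOS:
        verdict, detail = check_peer(seen_ip, ["nbumaster.example.com"], table_lookup)
        print(f"{label:32} {verdict:15} {detail}")
```

On a real client, calling `check_peer()` without the third argument uses the system resolver, so it can be pointed at the address the client actually sees for the server.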




