
[Veritas-bu] backing up a firewall (not through it)

2001-03-23 16:05:20
Subject: [Veritas-bu] backing up a firewall (not through it)
From: John_Wang AT enron DOT net (John_Wang AT enron DOT net)
Date: Fri, 23 Mar 2001 15:05:20 -0600
Hello Tim

Having worked with Firewall 1 before, I think a lot of the information that
you've been getting could be a bit confusing, particularly with the description
of outgoing ports described on the website that someone replied with.

I think I have it figured out and I think I may be able to put it in Firewall-1
terms; however, this is from memory, as it's been a while since I've had a
Firewall-1 machine to worry about.

Anyway:

   - establish a TCP/IP service named bpcd, set the destination port to 13782
   and the source port range to be 512-1024
   - establish a TCP/IP service named bprd, set the destination port to 13720
   and the source port range to be 512-1024
   - establish a TCP/IP service named bpdbm, set the destination port to 13721
   and the source port range to be 512-1024
   - establish a TCP/IP service named bpdata, set the destination port to 5000
   (or a range from 1025-5000 depending on how many streams you wish to support;
   I would just support the one and set RANDOM_PORTS to NO). The documentation
   is a bit vague about the source ports for this so I would set the source
   ports to 512-65535 (it may be the standard non-privileged range 1024-65535
   or it may be the rsh authentication style privileged range of 512-1024; note
   ALLOW_NONRESERVED_PORTS would cause the usage of the non-privileged range).
   - establish a group of services named Netbackup-to-server, put bpdbm, and
   bprd into it
   - establish a group of services named Netbackup-to-clients, put bpcd, and
   bpdata into it
   - establish a rule with the Netbackup servers in the From column and the
   Firewall in the To column and Netbackup-to-clients as the services; put
   ACCEPT in the action column
   - establish a rule with the Firewall in the From column and the Netbackup
   servers in the To column and Netbackup-to-server as the services; put ACCEPT
   in the action column (you may also want short logging for this as they would
   represent client initiated action).
   - save the ruleset, test, compile and install

Firewall 1 will take care of all the complementary connections back to the
source ports so additional rules aren't needed targeting the 512-1024 ports as
documented in the various URLs people have sent you.

If your Firewall-1 is managed by people who actually know what they are doing,
tell them:
   Open outgoing (firewall to netbackup servers) TCP ports 13720 and 13721 from
   privileged
   Open incoming (netbackup servers to firewall) TCP ports 13782 and 5000 from
   privileged

They should be able to figure it out from there; note they will probably be
upset about the privileged part. Try to explain that it's due to the old Unix
rexec authentication style and is for security, but if they are still grumpy,
tell them to use non-privileged and set the ALLOW_NONRESERVED_PORTS everywhere
you can and set the port windows to be 1024-65535 (Linux people try to say use
1024-5000).

Also note that to support multiple streams you'll need a range of incoming ports
open equal to the number of concurrent streams decremented from 5000 if
RANDOM_PORTS is set to NO, but it could be any ports between 1025 and 5000 if you
use random ports, which is the default.

Note yet again that most commercial sites allow all outgoing initiated sessions
hence when configuring to backup a client outside a firewalled area, you can
usually forget about the data ports altogether.   Note yet yet again, the policy
of allowing all outgoing ports is why companies are so vulnerable to trojan
viruses that export confidential information when inadvertently invoked by a
user (this was how Microsoft was hacked).

Regards,
John I Wang
Sr. Systems Engineer
Steverson Information Professionals

---
Enron Broadband Services
3 Allen Center 3AC872e
ph (713) 345-6863
pg pagejwang AT skytel DOT com
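As an added example (not code from the original post, nor from VERITAS or Check Point), this Python model encodes the ruleset John describes above and the port choices it depends on, so a proposed flow or an admin's opened-port list can be checked against it; the Rule structure, the "servers"/"firewall" direction labels and the `port_window` parameter are assumptions made here.

```python
from dataclasses import dataclass

# Constructed example: models the ruleset John describes.  Ports 13782 (bpcd),
# 13720 (bprd), 13721 (bpdbm) and 5000 (bpdata), and the 512-1024 reserved
# range, are from the message; Rule/flow structures are assumptions made here.
RESERVED = (512, 1024)        # rexec-style privileged source ports
NON_RESERVED = (1024, 65535)  # used when ALLOW_NONRESERVED_PORTS is set

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # "servers" (NetBackup servers) or "firewall" (the client)
    dst: str
    sport: tuple  # inclusive source-port range
    dport: tuple  # inclusive destination-port range

def bpdata_ports(random_ports: bool, streams: int) -> tuple:
    """Incoming data ports the client needs: counting down from 5000 when
    RANDOM_PORTS=NO, otherwise anywhere between 1025 and 5000."""
    return (1025, 5000) if random_ports else (5000 - streams + 1, 5000)

def minimal_ruleset(random_ports=False, streams=1, allow_nonreserved=False,
                    port_window=None):
    """The four accepts John's two Firewall-1 rules expand to.  port_window
    narrows the non-reserved source range (e.g. a CLIENT_PORT_WINDOW)."""
    sport = (port_window or NON_RESERVED) if allow_nonreserved else RESERVED
    return [
        Rule("bpcd", "servers", "firewall", sport, (13782, 13782)),
        Rule("bpdata", "servers", "firewall", sport, bpdata_ports(random_ports, streams)),
        Rule("bprd", "firewall", "servers", sport, (13720, 13720)),
        Rule("bpdbm", "firewall", "servers", sport, (13721, 13721)),
    ]

def _within(port, rng):
    return rng[0] <= port <= rng[1]

def permitted(rules, src, dst, sport, dport):
    """Stateful check: only the initiating connection must match a rule;
    Firewall-1 lets the reply to the source port through on its own."""
    return any(r.src == src and r.dst == dst and _within(sport, r.sport)
               and _within(dport, r.dport) for r in rules)

def missing_ports(rules, opened):
    """Destination ports the ruleset needs that no (low, high) entry in an
    admin's opened-port list covers, with the service that needs them."""
    return sorted({(r.name, p) for r in rules
                   for p in range(r.dport[0], r.dport[1] + 1)
                   if not any(lo <= p <= hi for lo, hi in opened)})
```

Run against the list Tim's firewall folks allowed (13782, 13720 and 13740-13750), `missing_ports` reports bpdbm 13721 and the bpdata port 5000 as the ports John's layout needs but that list lacks.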


From:    Tim.McMurphy@telus.com
Sent:    03/22/01 06:43 PM
To:      veritas-bu AT mailman.eng.auburn DOT edu
cc:      (bcc: John Wang/Contractor/Enron Communications)
Subject: [Veritas-bu] backing up a firewall (not through it)

I have read through the mailing list on this one and have tried but don't
seem to be getting network connection with netbackup (I can ping ok from the
fw to the backup server).

Netbackup 3.4
error 41 network connection timed out

I am trying to backup a firewall, not through a firewall, just backup the
firewall. Of course the fw admins don't want to open up many ports. I have
the client installed on the firewall.

1) What is the minimum ports per fw to do a backup?

2) Here is the config. Will this work?
On the client (the firewall) I have in bp.conf
ALLOW_NON_RESERVED_PORTS
SERVER_PORT_WINDOW = 13740 13750
CLIENT_PORT_WINDOW = 13740 13750
RANDOM_PORTS = NO

On the backup server (master) I have this in bp.conf
ALLOW_NON_RESERVED_PORTS
SERVER_PORT_WINDOW = 13740 13750
CLIENT_PORT_WINDOW = 13740 13750
RANDOM_PORTS = NO

The firewall folks have allowed the following:
TCP on port 13782, 13720 & 13740 to 13750

I have tried most permutations of the above commands and I am obviously
missing something. Any ideas?

Thanks
_______________________________________________
Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu