Re: [Networker] iptables firewall blocking access to nsrexecd on client?
2005-10-02 14:31:26
Unfortunately there are $21,000 reasons why I can't, in my case. Besides,
apart from this problem the software still works well, and enabling the
proper firewall rules will solve the problem as effectively. -Gary
--
-- "You can't take a picture of this. It's already gone."
Gary Goldberg KA3ZYW <og AT digimark DOT net> V:301/249-6501 F:301/390-1955
AIM:OgGreeb
Digital Marketing/Bowie MD/Systems & Networks Consult <http://www.digimark.net/>
On Sun, 2 Oct 2005, Hrvoje Crvelin wrote:
Gary,
6.1.x is no longer supported - why don't you simply upgrade?
Cheers,
H
-----Original Message-----
From: Legato NetWorker discussion
[mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On Behalf Of Gary Goldberg
Sent: 02 October 2005 17:01
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Subject: [Networker] iptables firewall blocking access to nsrexecd on client?
Hello. I'm using a NetWorker 6.13 Windows backup server and jukebox with 7 other
clients, mostly RH9 Linux and a Win2K server. Everything was going fine for the
most part.

I've been working to beef up the iptables firewall on one of the linux servers in
response to the recent security vulnerability reported at
http://www.legato.com/support/websupport/product_alerts/081605_NW-7x.htm

Since Legato is not going to release a patch for version 6 NetWorker, and since
I really should have this firewalled anyway (the servers are publicly accessible
web and mail servers), I added these iptables entries on the client:
# Accept Legato Networker
-A INPUT -p tcp -m tcp -s {backup.server} --dport 7937:7938 -j ACCEPT
-A INPUT -p udp -m udp -s {backup.server} --dport 7937:7938 -j ACCEPT
and I have FORWARD and INPUT default policies DROP, OUTPUT policy ACCEPT. The
machine has only one LAN interface (eth0) and I have also set this rule on the
loopback interface:
-A INPUT -i lo -j ACCEPT
Plus a general:
-A OUTPUT -j ACCEPT
Here's the problem -- since activating the iptables configuration, the nightly
backup still runs successfully, but I get this error message in the Group
report:
* client:/ NetWorker: Cannot contact nsrexecd service on client.digimark.net, Service not available.
V client: / level=full, 1485 MB 00:23:20 84893 files
* client:/boot NetWorker: Cannot contact nsrexecd service on client.digimark.net, Service not available.
V client: /boot level=full, 10 MB 00:00:10 39 files
...
and so on. The backup *is* working though. When I look for running nsrexecd on
the client, I get this:
[user@client mail]$ ps -efH | grep nsr
user 6687 6510 0 10:53 pts/1 00:00:00 grep nsr
root 5703 1 0 Oct01 ? 00:00:00 /usr/sbin/nsrexecd
root 5705 5703 0 Oct01 ? 00:00:00 /usr/sbin/nsrexecd
So both expected nsrexecd instances are running (daemon and portmapper).

Clearly the problem is the iptables firewall is interfering. Can anyone suggest
what additional rules I should add or tweak to the configuration so that the
backup server can reach the client properly?

Thanks in advance. -Gary
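Everything from the backup server that the 7937:7938 rules do not match falls through to the INPUT DROP policy silently, so the quickest way to find the missing port is to log what is being discarded: a last INPUT rule of the form -A INPUT -s {backup.server} -j LOG --log-prefix "NSR-DROP: " (after the ACCEPTs, before the default policy applies) writes each dropped packet to the kernel log. The script below is an added example, not code from the thread; it parses constructed sample lines in the LOG target's format (documentation-range addresses, not the poster's hosts), counts the dropped destination ports per protocol for the backup server's address, and prints candidate ACCEPT lines in the same style as the rules above, to be checked against NetWorker's documented port settings before they are applied.

```python
import re

# Constructed sample kernel log lines in the format the iptables LOG target
# emits (addresses are documentation-range placeholders, not real hosts).
SAMPLE_LOG = """\
Oct  2 00:23:11 client kernel: NSR-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=1023 DPT=7940 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  2 00:23:11 client kernel: NSR-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=1022 DPT=7940 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  2 00:23:15 client kernel: NSR-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=UDP SPT=1021 DPT=8002 LEN=28
Oct  2 00:23:16 client kernel: NSR-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  2 00:23:20 client sshd[123]: Accepted publickey for user from 203.0.113.5
"""

BACKUP_SERVER = "192.0.2.10"  # assumed address of the backup server

# Only lines carrying our log prefix and a TCP/UDP destination port matter;
# ICMP and unrelated syslog lines do not match and are skipped.
LOG_RE = re.compile(
    r"NSR-DROP: .*?\bSRC=(?P<src>[\d.]+) .*?\bPROTO=(?P<proto>TCP|UDP) "
    r".*?\bDPT=(?P<dport>\d+)"
)


def parse_drops(log_text, backup_server):
    """Return {(proto, dport): count} for logged drops whose source is backup_server."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("src") != backup_server:
            continue
        key = (m.group("proto"), int(m.group("dport")))
        counts[key] = counts.get(key, 0) + 1
    return counts


def suggest_rules(log_text, backup_server):
    """Candidate ACCEPT lines, one per dropped (proto, dport), for manual review."""
    rules = []
    for proto, dport in sorted(parse_drops(log_text, backup_server)):
        p = proto.lower()
        rules.append(f"-A INPUT -p {p} -m {p} -s {backup_server} --dport {dport} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for (proto, dport), n in sorted(parse_drops(SAMPLE_LOG, BACKUP_SERVER).items()):
        print(f"{proto} dport {dport} dropped {n}x")
    print("\n".join(suggest_rules(SAMPLE_LOG, BACKUP_SERVER)))
```

On a live client, feed it the output of grep NSR-DROP /var/log/messages (or wherever the kernel log lands) taken during a backup run.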
To sign off this list, send email to listserv AT listserv.temple DOT edu and type
"signoff networker" in the body of the email. Please write to
networker-request AT listserv.temple DOT edu if you have any problems with this
list. You can access the archives at http://listserv.temple.edu/archives/networker.html
or via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER