Manel Rodero wrote:
> I've set firewall rules between Legato client/servers so that only the
> standard ports 7937-9936 and 10001-30000 are allowed. Some of our
> clients fail sometimes and when this happens we can see that the
> firewall is blocking the communications because of its source/target
> ports, like in this fragment:
>
> Server = 10.10.1.8
>
> The rules we have are the following:
>
> ALLOW
> From Legato Clients (10001-30000) --> To Legato Server (7937-9936)
> - This rule is for client starting connections to the server
>
> ALLOW except SYN
> From Legato Clients (7937,7938) --> To Legato Server (Any)
> - This rule is for receiving the response of server starting connections

FWIW these are wrong.
It should be as follows:

From clients to server:
From 10000-30000 to 7937-9936 TCP

From server to clients:
From 10000-30000 to 7937-7938 TCP

There is no need for a rule that has packets originating from 7937-7938,
you have misread the instructions. There is no need for a rule for ANY.

> Do you know why clients are trying to connect for example to port 909 in
> the server?

This will be for something other than NetWorker and will not stop the
backups working.
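
The two rules given in the reply, as an added example that is not part of the original thread: a Python check that decides whether a connection-opening TCP SYN would pass. It assumes a stateful firewall (reply packets handled by connection tracking) and a constructed client subnet 10.10.2.0/24; all function and variable names are hypothetical.

```python
from ipaddress import ip_address, ip_network

SERVER = ip_address("10.10.1.8")      # server address quoted in the thread
CLIENTS = ip_network("10.10.2.0/24")  # constructed client subnet (assumption)

def is_server(addr):
    return ip_address(addr) == SERVER

def is_client(addr):
    return ip_address(addr) in CLIENTS

# The two rules from the reply: (name, src test, src ports, dst test, dst ports).
# Port ranges are inclusive, so range() ends one past the upper bound.
RULES = [
    ("client->server", is_client, range(10000, 30001), is_server, range(7937, 9937)),
    ("server->client", is_server, range(10000, 30001), is_client, range(7937, 7939)),
]

def check_syn(src, sport, dst, dport):
    """Decide the fate of a connection-opening TCP SYN under the two rules.

    Reply packets are assumed to be passed by the firewall's connection
    tracking, so only the initiating direction is evaluated here.
    """
    for name, src_ok, sports, dst_ok, dports in RULES:
        if not (src_ok(src) and dst_ok(dst)):
            continue  # rule covers the other direction or other hosts
        if sport not in sports:
            return f"drop: source port {sport} outside {sports[0]}-{sports[-1]}"
        if dport not in dports:
            return f"drop: destination port {dport} outside {dports[0]}-{dports[-1]}"
        return f"allow: {name}"
    return "drop: not between a client and the server"

# Constructed connection attempts, not taken from the poster's firewall log.
SAMPLES = [
    ("10.10.2.15", 10432, "10.10.1.8", 7937),  # client contacts the server
    ("10.10.1.8", 12001, "10.10.2.15", 7938),  # server contacts the client
    ("10.10.2.15", 10432, "10.10.1.8", 909),   # the port 909 case from the thread
    ("10.10.2.15", 10432, "192.0.2.7", 7937),  # host outside the rule set
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_syn(*sample))
```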