Re: [Networker] IPTABLES on Networker Server?
2009-06-15 11:00:13
Frank,
Thank you very much for the helping hand. This is exactly what
I've been looking for. Made my day.
Matt
Francis Swasey wrote:
On 6/15/09 10:32 AM, Matt Temple wrote:
1. What do you do, if anything about the "service ports"?
I don't do anything about the service ports on the server and storage
nodes. I use the NetWorker defaults there. If you really want to
lock it down, there are documents that describe in detail how many
ports are needed on the server and each storage node (it is a
calculation based on the number and type of devices attached to the
system) -- and the values used in the calculation change with each
release.
2. You don't need an opening for portmapper (111)? Is that just for
clients?
I ignore portmapper on the clients and server. EMC/NetWorker keeps
claiming they've stopped using that port -- so, I don't allow it --
and NetWorker keeps being upset by it, but eventually times out and
goes to udp 7938 like it is supposed to.
3. On my clients, I have the following entries (this works):
-m state --state NEW -m tcp -p tcp --dport 7937 -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 7938 -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 7939 -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
I use nsrports on my clients to limit the service ports to 7937-7940
and have the following rules:
-m state --state NEW -m tcp -p tcp -s <server ip>/32 --dport 7937:7940 -j ACCEPT
-m udp -p udp -s <server ip>/32 --dport 7938 -j ACCEPT
-m state --state ESTABLISHED,RELATED -j ACCEPT
As only the server will make a "NEW" connection to the client, that is
the ONLY ip that needs to access the nsrexecd ports.
4. Any idea what a storage node would need?
I use the same rules on my storage nodes that I do on the server.
Again, thanks very much. I assume you're running some version >= 7.3.
We're running 7.4.
I'm running 7.4sp4. I won't be moving to 7.5 until EMC fixes the
client side problem with nsrexecd not starting up if nsrports has been
used to limit it to just the four ports it needs.
I think you are going to have to get your DMZ firewall people to allow
traffic to pass between each of the clients and the server and storage
nodes. The service ports are just part of the process. I've not done
anything with the "connection ports" -- which are the ports that the
server, storage nodes, and clients open up and tell the other end to
connect to -- and that traffic is going to have to pass freely between
the protected network and the DMZ or backups will not happen.
--
=============================================================
Matthew Temple Tel: 617/632-2597
Director, Research Computing Fax: 617/582-7820
Dana-Farber Cancer Institute mht AT research.dfci.harvard DOT edu
44 Binney Street, LW250 http://research.dfci.harvard.edu
Boston, MA 02115 Choice is the Choice!
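The client-side rule set Francis describes above, as an added shell example that is not part of the thread: it emits the three rules for a given NetWorker server address (the chain name, port range defaults and the 192.0.2.10 address used when running it are assumptions), printed rather than applied so they can be reviewed first, and it checks a rule set for the two things the thread warns against, an opening for port 111 and a NEW-state rule not restricted to the server.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes nsrports has already pinned the
# client's service ports to 7937-7940 as Francis does.

networker_client_rules() {
    server="$1"          # NetWorker server IP (e.g. 192.0.2.10, a constructed value)
    lo="${2:-7937}"      # first service port pinned with nsrports
    hi="${3:-7940}"      # last service port pinned with nsrports
    chain="${4:-INPUT}"  # chain to append to (assumed default)

    # Refuse anything that is not a dotted-quad address: the whole point of the
    # rule set is that only the server may open NEW connections to the client.
    case "$server" in
        *[!0-9.]*|"") echo "invalid server address: '$server'" >&2; return 1 ;;
    esac

    # NEW TCP connections to the nsrexecd service ports, from the server only.
    echo "iptables -A $chain -m state --state NEW -m tcp -p tcp -s $server/32 --dport $lo:$hi -j ACCEPT"
    # UDP 7938: what NetWorker falls back to once portmapper (111) is denied.
    echo "iptables -A $chain -m udp -p udp -s $server/32 --dport 7938 -j ACCEPT"
    # Replies and related traffic for connections the client itself opened.
    echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Returns 0 if the rule set follows the thread's advice: no opening for
# portmapper (111) and no NEW-state rule without a -s source restriction.
check_rules() {
    rules="$1"
    echo "$rules" | grep -q -- '--dport 111 ' && return 1
    echo "$rules" | grep -- '--state NEW' | grep -qv -- '-s ' && return 1
    return 0
}

# Usage: review the output, then pipe it into sh as root to apply.
networker_client_rules 192.0.2.10
```

Run `check_rules "$(networker_client_rules 192.0.2.10)"` to confirm the generated set passes; feeding it the older five-rule client list from the thread fails on the port 111 entries.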