Networker

Re: [Networker] IPTABLES on Networker Server?

2009-06-15 11:00:13
Subject: Re: [Networker] IPTABLES on Networker Server?
From: Matt Temple <mht AT RESEARCH.DFCI.HARVARD DOT EDU>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Mon, 15 Jun 2009 10:55:36 -0400
Frank,

Thank you very much for the helping hand. This is exactly what I've been looking for. Made my day.

Matt

Francis Swasey wrote:
On 6/15/09 10:32 AM, Matt Temple wrote:

1. What do you do, if anything, about the "service ports"?

I don't do anything about the service ports on the server and storage nodes. I use the NetWorker defaults there. If you really want to lock it down, there are documents that describe in detail how many ports are needed on the server and each storage node (it is a calculation based on the number and type of devices attached to the system) -- and the values used in the calculation change with each release.

2. You don't need an opening for portmapper (111)? Is that just for clients?

I ignore portmapper on the clients and server. EMC/NetWorker keeps claiming they've stopped using that port -- so, I don't allow it -- and NetWorker keeps being upset by it, but eventually times out and goes to udp 7938 like it is supposed to.


3. On my clients, I have the following entries (this works):

-m state --state NEW -m tcp -p tcp --dport 7937 -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 7938 -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 7939 -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-m state --state NEW -m udp -p udp --dport 111 -j ACCEPT

I use nsrports on my clients to limit the service ports to 7937-7940 and have the following rules:

-m state --state NEW -m tcp -p tcp -s <server ip>/32 --dport 7937:7940 -j ACCEPT
-m udp -p udp -s <server ip>/32 --dport 7938 -j ACCEPT
-m state --state ESTABLISHED,RELATED -j ACCEPT

As only the server will make a "NEW" connection to the client, that is the ONLY ip that needs to access the nsrexecd ports.


4. Any idea what a storage node would need?

I use the same rules on my storage nodes that I do on the server.


Again, thanks very much. I assume you're running some version >= 7.3. We're running 7.4.

I'm running 7.4sp4. I won't be moving to 7.5 until EMC fixes the client side problem with nsrexecd not starting up if nsrports has been used to limit it to just the four ports it needs.

I think you are going to have to get your DMZ firewall people to allow traffic to pass between each of the clients and the server and storage nodes. The service ports are just part of the process. I've not done anything with the "connection ports" -- which are the ports that the server, storage nodes, and clients open up and tell the other end to connect to -- and that traffic is going to have to pass freely between the protected network and the DMZ or backups will not happen.



--
=============================================================
Matthew Temple                Tel:    617/632-2597
Director, Research Computing  Fax:    617/582-7820
Dana-Farber Cancer Institute  mht AT research.dfci.harvard DOT edu
44 Binney Street, LW250       http://research.dfci.harvard.edu
Boston, MA 02115              Choice is the Choice!
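The client-side ruleset discussed in the thread, written out as an added example (this is not code from the original message, from EMC, or from Francis's setup). It is a POSIX shell function that emits an iptables-restore file for one NetWorker client: the server is the only host allowed to open NEW connections to the nsrexecd service ports, UDP 7938 is open to the server, ESTABLISHED,RELATED traffic is accepted so the "connection ports" the server tells the client to call back on still work, and portmapper (111) is left closed. Assumptions not in the original post: the rules go in the INPUT chain, the default policy is DROP, loopback is accepted, the server address 192.0.2.10 is a made-up sample, and the helper refuses a service port range narrower than the four ports the thread says nsrexecd needs.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an iptables-restore
# ruleset for a NetWorker client that mirrors the client rules discussed
# in the thread. Assumptions (not in the original message): the INPUT
# chain is used, the default policy is DROP, loopback is accepted, and the
# server address is an IPv4 host or a CIDR block.

# Succeed only if [low,high] covers at least the four ports the thread
# says nsrexecd needs (clients are pinned to 7937-7940 with nsrports).
nw_range_ok() {
    low="$1"
    high="$2"
    [ "$high" -ge "$low" ] && [ $((high - low + 1)) -ge 4 ]
}

# Print an iptables-restore file to stdout.
#   $1  NetWorker server IP (only host allowed to initiate to the client)
#   $2  first service port (default 7937)
#   $3  last service port  (default 7940)
nw_client_ruleset() {
    server="$1"
    low="${2:-7937}"
    high="${3:-7940}"
    nw_range_ok "$low" "$high" || {
        echo "service port range $low-$high is narrower than the four ports nsrexecd needs" >&2
        return 1
    }
    case "$server" in
        */*) ;;                        # caller already gave a prefix length
        *)   server="$server/32" ;;    # single host
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the client itself opened, including the
# "connection ports" the server tells it to call back on, come in here.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the server ever opens a NEW connection to the client's nsrexecd.
-A INPUT -m state --state NEW -m tcp -p tcp -s $server --dport $low:$high -j ACCEPT
-A INPUT -p udp -m udp -s $server --dport 7938 -j ACCEPT
# Portmapper stays closed: NetWorker retries 111, times out, then uses udp 7938.
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p udp -m udp --dport 111 -j DROP
COMMIT
EOF
}
```

Usage on a client: pin the service ports first (to my recollection `nsrports -S 7937-7940` is the NetWorker command for that; check `nsrports` on your release), then `nw_client_ruleset 192.0.2.10 | iptables-restore` and keep the result in your distribution's persistent rules file. The ESTABLISHED,RELATED rule is what lets the client-initiated connection-port traffic through without opening any of those ephemeral ports inbound; if the server is behind a DMZ firewall, that outbound traffic still has to be allowed there, as the thread notes.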

To sign off this list, send email to listserv AT listserv.temple DOT edu and type 
"signoff networker" in the body of the email. Please write to networker-request 
AT listserv.temple DOT edu if you have any problems with this list. You can access the 
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER