
Re: [Networker] firewall rule ports confirmed

2009-07-10 07:30:28
Subject: Re: [Networker] firewall rule ports confirmed
From: Francis Swasey <Frank.Swasey AT UVM DOT EDU>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Fri, 10 Jul 2009 07:25:53 -0400
On 7/10/09 6:34 AM, mark wragge wrote:
Could someone confirm that the only requirement for a firewall rule for a backup of a networker client is ports 7937-7941 in both directions. We have a firewall rule configured and the nsrports -s 7937-7941 command run on the client. I can even communicate to port 7937 in both directions using telnet but the backup fails. The firewall logs appear to show that ports other than 7937-7941 are being used by the backup server. The backup is unsuccessful unless I open the source ports in full in the firewall rule.
Our firewall rule has two fields called Low and High under "source port" and Low and High under "destination port". If I configure source port to have defaults of 1 and 65535 and destination port to have 7937 and 7941 then the backup is successful. But the source ports should also be 7937 - 7941.
Details are:
The client is windows server 2003 networker 7.4.3
The networker server is windows 2003, networker 7.4.3
The firewall is Fortigate firewall 500A Mr6 Patch 3.0
Thanks for any advice.

I will tell you that you are wrong.

The backup server will use four ports (so you can limit the inbound "SYN" connections to just four ports -- but you HAVE to use nsrports on the client to make sure it is only using those same four ports). Once the initial connection has been made, they go all over the place (by default). You really need to read and understand the section in the Administrator's guide about backing up through a firewall.

Using iptables on Linux clients, we allow "related, established" connections to come through, all connections to go out (from the client), and limit the backup server to coming in on tcp 7937-7940, and udp 7938. That allows everything to work.

If your firewall requires that you specify all inbound and outbound traffic -- you either need to use nsrports on your nsrserverhost, storage nodes, and clients to limit the connection ports (-C) and service ports (-S) or find a new firewall.

--
Frank Swasey                    | http://www.uvm.edu/~fcs
Sr Systems Administrator        | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
  "I am not young enough to know everything." - Oscar Wilde (1854-1900)
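To make the point in the reply above concrete, here is an added example (not from the thread) that models the two policies in Python: the poster's rule, which requires both source and destination port of a new connection to be in 7937-7941, and the related/established style the reply describes. Addresses, ephemeral ports and the flows are constructed; which ports NetWorker actually uses after the first connection is the subject of the admin guide section the reply points to.

```python
# Added example, not from the thread: compare two firewall policies on
# constructed NetWorker-style flows. Addresses and ports are hypothetical.
from dataclasses import dataclass

# The service-port range the original poster set with "nsrports -s 7937-7941".
SERVICE_PORTS = range(7937, 7942)

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the first packet of a new TCP connection

def allowed_strict(flow: Flow) -> bool:
    """Poster's failing rule: a new connection needs BOTH ports in 7937-7941."""
    if not flow.syn:
        return True  # established traffic is not re-evaluated
    return flow.sport in SERVICE_PORTS and flow.dport in SERVICE_PORTS

def allowed_stateful(flow: Flow, server: str, client: str) -> bool:
    """Policy from the reply, seen from the client: related/established passes,
    anything the client opens outbound passes, and new inbound connections from
    the backup server are accepted only on the service ports."""
    if not flow.syn:
        return True  # related/established
    if flow.src == client:
        return True  # outbound from the client
    if flow.src == server and flow.dst == client:
        return flow.dport in SERVICE_PORTS
    return False

def evaluate(flows, server: str, client: str):
    """Return (flow, strict_ok, stateful_ok) for every flow."""
    return [(f, allowed_strict(f), allowed_stateful(f, server, client)) for f in flows]

# Constructed sample flows (hypothetical addresses, ephemeral ports chosen arbitrarily).
SERVER, CLIENT = "10.0.0.5", "10.0.1.20"
SAMPLE_FLOWS = [
    Flow(SERVER, 43215, CLIENT, 7937, syn=True),   # server's first connection: ephemeral source port
    Flow(CLIENT, 51002, SERVER, 7937, syn=True),   # client connects back to the server
    Flow(SERVER, 7937, CLIENT, 51002, syn=False),  # reply inside that established connection
    Flow(SERVER, 7938, CLIENT, 9800, syn=True),    # new connection to a port outside the range
]

if __name__ == "__main__":
    for flow, strict_ok, stateful_ok in evaluate(SAMPLE_FLOWS, SERVER, CLIENT):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} syn={flow.syn}: "
              f"strict={'pass' if strict_ok else 'DROP'} "
              f"stateful={'pass' if stateful_ok else 'DROP'}")
```

The first two flows are what break under the two-sided range (the side opening a connection uses an ephemeral source port), while the last flow is dropped by both policies, which is why the reply insists on nsrports on the client as well.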

To sign off this list, send email to listserv AT listserv.temple DOT edu and type 
"signoff networker" in the body of the email. Please write to networker-request 
AT listserv.temple DOT edu if you have any problems with this list. You can access the 
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
