We had a client that we had to do a restore on through a firewall and it
wouldn't work until we opened 111, even after we had 7937-9936 open.
-----Original Message-----
From: EMC NetWorker discussion [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On
Behalf Of Francis Swasey
Sent: Friday, July 10, 2009 6:26 AM
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Subject: Re: [Networker] firewall rule ports confirmed
On 7/10/09 6:34 AM, mark wragge wrote:
> Could someone confirm that the only requirement for a firewall rule for a backup of a networker client is port 7937-7941 in both directions.
>
> We have a firewall rule configured and nsrports -s 7937-7941 command run on the client. I can even communicate to port 7937 in both directions using telnet but the backup fails.
>
> The firewall logs appear to show that ports other than 7937-7941 are being used by the backup server.
>
> The backup is unsuccessful unless I open the source ports in full in the firewall rule.
> Our firewall rule has two fields called Low and High under "source port" and Low and High under "destination port". If I configure source port to have defaults of 1 and 65535 and destination port to have 7937 and 7941 then the backup is successful. But the source ports should also be 7937 - 7941.
>
> Details are:
> The client is Windows Server 2003, NetWorker 7.4.3
> The NetWorker server is Windows 2003, NetWorker 7.4.3
> The firewall is Fortigate firewall 500A Mr6 Patch 3.0
>
> Thanks for any advice.
I will tell you that you are wrong.

The backup server will use four ports (so you can limit the inbound "SYN" connections to just four ports -- but you HAVE to use nsrports on the client to make sure it is only using those same four ports). Once the initial connection has been made, they go all over the place (by default). You really need to read and understand the section in the Administrators guide about backing up through a firewall.

Using iptables on Linux clients, we allow "related, established" connections to come through, all connections to go out (from the client), and limit the backup server to coming in on tcp 7937-7940, and udp 7938. That allows everything to work.

If your firewall requires that you specify all inbound and outbound traffic -- you either need to use nsrports on your nsrserverhost, storage nodes, and clients to limit the connection ports (-C) and service ports (-S) or find a new firewall.
--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
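The iptables policy Frank describes, written out as an added example (not code from the thread or from NetWorker): established/related in, everything out from the client, and the backup server allowed to open new connections only on tcp 7937-7940 and udp 7938. The BACKUP_SERVER address is a placeholder, and the optional port 111 rule reflects the restore report at the top of the thread.

```shell
#!/bin/sh
# Added example: host firewall for a Linux NetWorker client, following the
# thread's policy. Assumes the client has also run `nsrports -S 7937-7940`
# so its daemons only listen on those service ports.
# Placeholder address (documentation range); replace with the real nsrserverhost.
BACKUP_SERVER="${BACKUP_SERVER:-192.0.2.10}"
# Set to 1 if restores also need sunrpc (the first message reports needing 111).
ALLOW_PORT_111="${ALLOW_PORT_111:-0}"

# Emit the rules as iptables commands; pass "apply" as $1 to execute them
# (root required). Printing by default lets the policy be reviewed first.
# Add your own management rules (e.g. ssh) before the final DROP when applying.
networker_client_rules() {
    mode="${1:-print}"
    run() { if [ "$mode" = apply ]; then "$@"; else echo "$@"; fi; }

    run iptables -P INPUT DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    # Return traffic for connections the client opened itself.
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The backup server may start new connections only to the four service ports.
    run iptables -A INPUT -p tcp -s "$BACKUP_SERVER" --dport 7937:7940 \
        -m conntrack --ctstate NEW -j ACCEPT
    # udp 7938, as in the post.
    run iptables -A INPUT -p udp -s "$BACKUP_SERVER" --dport 7938 -j ACCEPT
    if [ "$ALLOW_PORT_111" = 1 ]; then
        run iptables -A INPUT -p tcp -s "$BACKUP_SERVER" --dport 111 -j ACCEPT
        run iptables -A INPUT -p udp -s "$BACKUP_SERVER" --dport 111 -j ACCEPT
    fi
    # Log (rate-limited) then drop the rest, so the firewall log shows which
    # extra ports a failing backup actually tried to reach.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "NSR-DROP: "
    run iptables -A INPUT -j DROP
}

# Sanity check: how many emitted rules mention the NetWorker service ports.
count_networker_port_rules() {
    networker_client_rules print | grep -c -E '7937:7940|7938'
}
```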
To sign off this list, send email to listserv AT listserv.temple DOT edu and
type "signoff networker" in the body of the email. Please write to
networker-request AT listserv.temple DOT edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER