Veritas-bu

[Veritas-bu] Backup through firewalls

2006-09-14 17:06:37
Subject: [Veritas-bu] Backup through firewalls
From: dave-bu at graniteweb.com (David Rock)
Date: Thu, 14 Sep 2006 16:06:37 -0500
* Mark.Donaldson at cexp.com <Mark.Donaldson at cexp.com> [2006-09-14 13:48]:
> There's a whole section on this in the SAG.
>  
> Short answer, you need "bpcd" from the master or media server to the
> client, "vnetd" the reverse direction.  You have to make sure you
> configure the client for "no callback connections" via the bpclient
> command or, no doubt, someplace in the GUI.
>  
> Users on the client cannot perform their own restores using this.  I'm
> told, but have not verified, that you can enable "bprd" from client to
> master to allow this.

Speaking as a backup guy who is now on the firewall team, using vnetd is
by far the recommended way of dealing with the firewall.  If all you are
dealing with is backup servers to client machine, the short list is:

Server -> Client   port 13782 (bpcd)
Client -> Server   ports 13724 (vnetd) and 13720 (bprd)

Yes, client-initiated restores will work with just these ports.  If your
backup servers are hanging off of a DMZ so that your admin clients using
the Java GUI need to get access, you can also use:

Admin Client -> Server ports 13722 (bpjava) and 13724 (vnetd)

This will also require the /usr/openv/java/nbj.conf file setting of
NBJAVA_CONNECT_OPTION=1 (default is 0)

The only downside to vnetd that I have heard of but not seen personally
is that you are limited to a single stream for backups, which could
impact your backup model if you are trying to use NEW_STREAM file
directives.  If that is the case, you can configure port ranges and I
highly recommend using ALLOW_NON_RESERVED_PORTS as part of that.  Using
low ports (<1024) by default is one of the stupidest things NBU ever did.

-- 
David Rock
david at graniteweb.com
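The port list above, turned into a firewall ruleset, as an added example that is not part of David's post or any NetBackup documentation. It assumes a Linux firewall between the master/media server and the client using the iptables FORWARD chain with stateful matching; the addresses passed in are placeholders, and the port numbers are the ones stated in the post (13782 bpcd, 13724 vnetd, 13720 bprd, 13722 bpjava). Everything not listed is logged and dropped so that an unexpected flow, such as a client still trying callback connections, shows up in the firewall log instead of silently failing.

```shell
#!/bin/sh
# Added example, not from the original post: print a default-deny iptables
# ruleset that permits only the NetBackup flows listed in the thread.
# Chain name (FORWARD), addresses and the log prefix are assumptions.

NBU_BPCD=13782    # server -> client
NBU_VNETD=13724   # client -> server, admin client -> server
NBU_BPRD=13720    # client -> server (needed for client-initiated restores)
NBU_BPJAVA=13722  # admin (Java GUI) client -> server

# nbu_rules MASTER CLIENT [ADMIN]
# Emits the iptables commands; nothing is applied, so review the output first.
nbu_rules() {
    master="$1"; client="$2"; admin="$3"
    if [ -z "$master" ] || [ -z "$client" ]; then
        echo "usage: nbu_rules MASTER CLIENT [ADMIN]" >&2
        return 1
    fi

    # Replies for connections permitted by the NEW rules below
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Server -> Client: bpcd
    echo "iptables -A FORWARD -s $master -d $client -p tcp --dport $NBU_BPCD -m state --state NEW -j ACCEPT"

    # Client -> Server: vnetd and bprd
    for p in $NBU_VNETD $NBU_BPRD; do
        echo "iptables -A FORWARD -s $client -d $master -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done

    # Optional: admin client reaching a DMZ-hosted server (bpjava and vnetd);
    # the client side also needs NBJAVA_CONNECT_OPTION=1 in nbj.conf per the post.
    if [ -n "$admin" ]; then
        for p in $NBU_BPJAVA $NBU_VNETD; do
            echo "iptables -A FORWARD -s $admin -d $master -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
    fi

    # Anything else between these hosts is logged, then dropped
    echo "iptables -A FORWARD -s $master -d $client -j LOG --log-prefix 'NBU-DROP '"
    echo "iptables -A FORWARD -s $client -d $master -j LOG --log-prefix 'NBU-DROP '"
    echo "iptables -A FORWARD -s $master -d $client -j DROP"
    echo "iptables -A FORWARD -s $client -d $master -j DROP"
}

# Number of ACCEPT rules the generator emits, handy for a sanity check
nbu_accept_count() {
    nbu_rules "$@" | grep -c -- '-j ACCEPT'
}

# Usage (placeholder addresses): nbu_rules 192.0.2.10 198.51.100.20 | sh
```

Pipe the output to `sh` only after reading it; the generator deliberately prints rather than applies. If you later move to port ranges with ALLOW_NON_RESERVED_PORTS, as the post suggests for multi-stream backups, the single-port ACCEPT lines become `--dport low:high` ranges and the drop rules stay as they are.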