Networker

Re: [Networker] iptables firewall blocking access to nsrexecd on client?

2005-10-02 14:31:26
Subject: Re: [Networker] iptables firewall blocking access to nsrexecd on client?
From: Gary Goldberg <og AT DIGIMARK DOT NET>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Sun, 2 Oct 2005 14:24:30 -0400
Unfortunately there are $21,000 reasons why I can't, in my case. Besides,
apart from this problem the software still works well, and enabling the
proper firewall rules will solve the problem as effectively. -Gary

--
-- "You can't take a picture of this. It's already gone."
Gary Goldberg KA3ZYW <og AT digimark DOT net> V:301/249-6501 F:301/390-1955 
AIM:OgGreeb
Digital Marketing/Bowie MD/Systems & Networks Consult <http://www.digimark.net/>

On Sun, 2 Oct 2005, Hrvoje Crvelin wrote:

Gary,

6.1.x is no longer supported - why don't you simply upgrade?

Cheers,
H

-----Original Message-----
From: Legato NetWorker discussion [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On Behalf Of Gary Goldberg
Sent: 02 October 2005 17:01
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Subject: [Networker] iptables firewall blocking access to nsrexecd on client?


Hello. I'm using a NetWorker 6.13 Windows backup server and jukebox with 7 other clients, mostly RH9 Linux and a Win2K server. Everything was going fine for the most part.

I've been working to beef up the iptables firewall on one of the linux servers in response to the recent security vulnerability reported at

http://www.legato.com/support/websupport/product_alerts/081605_NW-7x.htm

Since Legato is not going to release a patch for version 6 NetWorker, and since I really should have this firewalled anyway (the servers are publicly accessible web and mail servers), I added these iptables entries on the client:

# Accept Legato Networker
-A INPUT -p tcp -m tcp -s {backup.server} --dport 7937:7938 -j ACCEPT
-A INPUT -p udp -m udp -s {backup.server} --dport 7937:7938 -j ACCEPT

and I have FORWARD and INPUT default policies DROP, OUTPUT policy ACCEPT. The machine has only one LAN interface (eth0) and I have also set this rule on the loopback interface:

-A INPUT -i lo -j ACCEPT

Plus a general:

-A OUTPUT -j ACCEPT

Here's the problem -- since activating the iptables configuration, the nightly backup still runs successfully, but I get this error message in the Group report:

* client:/ NetWorker: Cannot contact nsrexecd service on client.digimark.net, Service not available.
V client: /                         level=full,   1485 MB 00:23:20  84893 files
* client:/boot NetWorker: Cannot contact nsrexecd service on client.digimark.net, Service not available.
V client: /boot                     level=full,     10 MB 00:00:10     39 files
...

and so on. The backup *is* working though. When I look for running nsrexecd on the client, I get this:

[user@client mail]$ ps -efH | grep nsr
user      6687  6510  0 10:53 pts/1    00:00:00           grep nsr
root      5703     1  0 Oct01 ?        00:00:00   /usr/sbin/nsrexecd
root      5705  5703  0 Oct01 ?        00:00:00     /usr/sbin/nsrexecd

So both expected nsrexecd instances are running (daemon and portmapper).

Clearly the problem is the iptables firewall is interfering. Can anyone suggest what additional rules I should add or tweak to the configuration so that the backup server can reach the client properly?

Thanks in advance. -Gary

--
-- "You can't take a picture of this. It's already gone."
Gary Goldberg KA3ZYW <og AT digimark DOT net> V:301/249-6501 F:301/390-1955
AIM:OgGreeb
Digital Marketing/Bowie MD/Systems & Networks Consult <http://www.digimark.net/>

To sign off this list, send email to listserv AT listserv.temple DOT edu and type "signoff networker" in the body of the email. Please write to networker-request AT listserv.temple DOT edu if you have any problems with this list. You can access the archives at http://listserv.temple.edu/archives/networker.html or via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER





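To see what Gary's posted ruleset actually admits, here is an added example (not code from the post, from the list, or from Legato/NetWorker): a minimal first-match evaluator for an iptables INPUT chain that replays the posted rules, with the INPUT DROP policy he describes, against a few constructed packets. The address 192.0.2.10 stands in for {backup.server}; the probed ports 7940 and 32768, the "other host" address 192.0.2.99, and the assumption that the backup server also connects to a port outside 7937:7938 are illustrative assumptions, not something the thread confirms. The `ESTABLISHED,RELATED` rule is likewise an addition for comparison, since the posted rules do not show one.

```python
# Added example: first-match evaluator for an iptables INPUT chain (subset of
# iptables-save syntax). Not NetWorker or list code; addresses, ports and the
# direction of NetWorker connections below are constructed assumptions.
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BACKUP_SERVER = "192.0.2.10"  # constructed placeholder for {backup.server}

@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    in_if: Optional[str] = None
    dports: Optional[Tuple[int, int]] = None
    states: Optional[Set[str]] = None

@dataclass
class Packet:
    proto: str
    src: str
    dport: int
    in_if: str = "eth0"
    state: str = "NEW"  # conntrack state as '-m state' would see it

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one '-A CHAIN ...' line; returns None for comments and blanks."""
    toks = shlex.split(line.split("#", 1)[0])
    if not toks or toks[0] != "-A":
        return None
    rule, i = Rule(chain=toks[1]), 2
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-p":
            rule.proto = arg
        elif opt == "-s":
            rule.src = ipaddress.ip_network(arg, strict=False)
        elif opt == "-i":
            rule.in_if = arg
        elif opt == "--dport":
            lo, _, hi = arg.partition(":")
            rule.dports = (int(lo), int(hi or lo))
        elif opt == "--state":
            rule.states = set(arg.split(","))
        elif opt == "-j":
            rule.target = arg
        elif opt != "-m":  # '-m tcp' / '-m state' only select the match module
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        i += 2
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match present on the rule must hold; absent matches are wildcards."""
    return (
        (rule.proto is None or rule.proto == pkt.proto)
        and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
        and (rule.in_if is None or rule.in_if == pkt.in_if)
        and (rule.dports is None or rule.dports[0] <= pkt.dport <= rule.dports[1])
        and (rule.states is None or pkt.state in rule.states)
    )

def verdict(rules: List[Rule], pkt: Packet, chain="INPUT", policy="DROP") -> str:
    """iptables semantics: the first matching rule decides, else the chain policy."""
    for r in rules:
        if r.chain == chain and matches(r, pkt):
            return r.target
    return policy

def load_rules(text: str) -> List[Rule]:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]

# The rules from the post with the placeholder filled in; INPUT policy is DROP.
POSTED_RULES = f"""
-A INPUT -p tcp -m tcp -s {BACKUP_SERVER} --dport 7937:7938 -j ACCEPT
-A INPUT -p udp -m udp -s {BACKUP_SERVER} --dport 7937:7938 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -j ACCEPT
"""
# Stateful rule the post does not show: without it, replies to connections the
# client itself opens (OUTPUT is ACCEPT, INPUT is DROP) hit the INPUT policy.
STATEFUL_RULE = "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n"

def audit(rules_text: str) -> Dict[str, str]:
    """Replay constructed packets through the INPUT chain and collect verdicts."""
    rules = load_rules(rules_text)
    probes = {
        # backup server -> nsrexecd on 7937: what the posted rules intend to allow
        "server_to_7937": Packet("tcp", BACKUP_SERVER, 7937),
        # the same port from any other host on the LAN must stay blocked
        "other_host_to_7937": Packet("tcp", "192.0.2.99", 7937),
        # backup server -> a port outside 7937:7938 (assumed dynamically assigned)
        "server_to_7940": Packet("tcp", BACKUP_SERVER, 7940),
        # return traffic for a connection the client opened to the server
        "reply_to_client": Packet("tcp", BACKUP_SERVER, 32768, state="ESTABLISHED"),
    }
    return {name: verdict(rules, pkt) for name, pkt in probes.items()}

if __name__ == "__main__":
    print("posted:    ", audit(POSTED_RULES))
    print("with state:", audit(STATEFUL_RULE + POSTED_RULES))
```

Running `audit(POSTED_RULES)` shows the intended hole (server to 7937) open and everything else, including return traffic for client-initiated connections and any server connection to a port outside 7937:7938, falling through to the DROP policy; prepending the stateful rule admits the return traffic but still leaves the out-of-range port blocked, which is the kind of gap to check with `iptables -L INPUT -n -v` counters or a packet capture when a service reports "cannot contact" while its main port is open.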