Networker

Re: [Networker] Why a client/server communication doesn't use the standard ports?

2007-07-24 21:38:44
Subject: Re: [Networker] Why a client/server communication doesn't use the standard ports?
From: Peter Viertel <Peter.Viertel AT MACQUARIE DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Wed, 25 Jul 2007 11:35:09 +1000
It would probably be wise to drop the source port specification from the
firewall rules (the 10000-30000 bit) as the latest NW versions (7.3+)
now use random (ephemeral) source ports by default - this can be seen in
nsrports, where the Connection port range is 0-0 instead of 10000-30000.

The rule for clients is 4 ports and one of those must be 7938 - the
usual rule for connecting from server to client is thus 7937-7940.

A set of rules that works with all supported revisions of NetWorker is
simply:

ClientIP:Any  TCP ->   Servers:7937-9936
Servers:Any   TCP ->   ClientIP:7937-7940

Where Servers is all relevant Storage Nodes and the Server (and DR
addresses too!).

There need be no mention of 10000-30000, there are no UDP rules needed,
and there is no need for standard RPC ports to be allowed.

If the rules do not work as intended and you start looking at firewall
logs, both UDP and portmapper packets will be seen; don't get confused
and start letting them through - go back and fix the firewall rules.

The most complete documentation on this is the Firewall Support appendix
in either the 7.3.2 or 7.4 Administration Guides downloadable from
Powerlink.

-----Original Message-----
From: EMC NetWorker discussion [mailto:NETWORKER AT LISTSERV.TEMPLE DOT EDU] On
Behalf Of Davina Treiber
Sent: Tuesday, 24 July 2007 10:40 PM
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Subject: Re: [Networker] Why a client/server communication doesn't use the standard ports?

Manel Rodero wrote:

> I've set firewall rules between Legato client/servers so that only the
> standard ports 7937-9936 and 10001-30000 are allowed. Some of our
> clients fail sometimes and when this happens we can see that the
> firewall is blocking the communications because of its source/target
> ports, as in this fragment:
> 
> Server = 10.10.1.8
> 
> The rules we have are the following:
> 
> ALLOW
>  From Legato Clients (10001-30000) --> To Legato Server (7937-9936)
> - This rule is for client starting connections to the server
> 
> ALLOW except SYN
>  From Legato Clients (7937,7938) --> To Legato Server (Any)
> - This rule is for receiving the response of server starting
> connections

FWIW these are wrong.

It should be as follows:

 From clients to server:
 From 10000-30000 to 7937-9936 TCP

 From server to clients:
 From 10000-30000 to 7937-7938 TCP

There is no need for a rule that has packets originating from 7937-7938;
you have misread the instructions. There is no need for a rule for ANY.

> 
> Do you know why clients are trying to connect for example to port 909
> in the server?

This will be for something other than NetWorker and will not stop the
backups working.

To sign off this list, send email to listserv AT listserv.temple DOT edu and
type "signoff networker" in the body of the email. Please write to
networker-request AT listserv.temple DOT edu if you have any problems with this
list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or via RSS at
http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER

NOTICE
This e-mail and any attachments are confidential and may contain copyright 
material of Macquarie Bank or third parties. If you are not the intended 
recipient of this email you should not read, print, re-transmit, store or act 
in reliance on this e-mail or any attachments, and should destroy all copies of 
them. Macquarie Bank does not guarantee the integrity of any emails or any 
attached files. The views or opinions expressed are the author's own and may 
not reflect the views or opinions of Macquarie Bank.
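The two rule sets discussed in this thread can be modelled as a stateful allow-list and checked against sample connections. The Python below is an added illustration, not code from the thread, from EMC or from any NetWorker tool; the addresses, port numbers used as source ports and the named flows are constructed for the example. It encodes the reply's recommended rules (TCP only, no source-port restriction, clients to servers 7937-9936, servers to clients 7937-7940) beside the older style that pins the source port to 10000-30000, and shows which of the sample connections each policy would admit, including the UDP/portmapper noise that appears in firewall logs and the unrelated port-909 connection. An `audit` helper flags the two properties the reply advises against (UDP rules and pinned source ports).

```python
"""Model the two NetWorker firewall policies from this thread and check
sample connections against them.  Added example, not code from the thread
or from EMC; all addresses and flows below are constructed."""
from dataclasses import dataclass

# Constructed addresses.  SERVERS holds the backup server plus every storage
# node (DR addresses would be added here too); CLIENTS holds the backup clients.
SERVERS = frozenset({"10.10.1.8", "10.10.1.9"})
CLIENTS = frozenset({"10.10.2.50"})
ANY_PORT = (1, 65535)


@dataclass(frozen=True)
class Flow:
    """The initiating packet of one connection.  A stateful firewall only
    evaluates this packet; replies ride on the connection state, so no
    'ALLOW except SYN' rule is needed."""
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str
    src: frozenset
    sport: tuple   # inclusive (low, high); ANY_PORT means no restriction
    dst: frozenset
    dport: tuple

    def matches(self, f: Flow) -> bool:
        return (f.proto == self.proto
                and f.src in self.src and self.sport[0] <= f.sport <= self.sport[1]
                and f.dst in self.dst and self.dport[0] <= f.dport <= self.dport[1])


# Rule set recommended in the reply: TCP only, no source-port restriction,
# clients -> servers 7937-9936 and servers -> clients 7937-7940.
RECOMMENDED = [
    Rule("tcp", CLIENTS, ANY_PORT, SERVERS, (7937, 9936)),
    Rule("tcp", SERVERS, ANY_PORT, CLIENTS, (7937, 7940)),
]

# Older style that pins the source port to the 10000-30000 connection range.
LEGACY = [
    Rule("tcp", CLIENTS, (10000, 30000), SERVERS, (7937, 9936)),
    Rule("tcp", SERVERS, (10000, 30000), CLIENTS, (7937, 7938)),
]


def allowed(ruleset, flow):
    """Allow if any rule matches; anything no rule covers is dropped."""
    return any(r.matches(flow) for r in ruleset)


def evaluate(ruleset, flows):
    """Map each named sample flow to the policy's allow/deny decision."""
    return {name: allowed(ruleset, f) for name, f in flows.items()}


def audit(ruleset):
    """Flag the rule properties the reply warns against: UDP rules, and
    source-port restrictions that block 7.3+ clients whose nsrports
    connection range is 0-0 (ephemeral source ports)."""
    issues = []
    for i, r in enumerate(ruleset):
        if r.proto != "tcp":
            issues.append(f"rule {i}: non-TCP rule is not needed for NetWorker")
        if r.sport != ANY_PORT:
            issues.append(f"rule {i}: source port pinned to {r.sport}; "
                          "ephemeral-port clients (7.3+) will be blocked")
    return issues


# Constructed sample flows (not taken from any real firewall log).
SAMPLE_FLOWS = {
    # a 7.3+ client using an ephemeral source port
    "client_ephemeral_to_7937": Flow("tcp", "10.10.2.50", 45122, "10.10.1.8", 7937),
    # a pre-7.3 client still using the 10000-30000 connection range
    "client_pinned_to_7938": Flow("tcp", "10.10.2.50", 12345, "10.10.1.8", 7938),
    # a storage node opening the client's fourth port
    "node_to_client_7940": Flow("tcp", "10.10.1.9", 52000, "10.10.2.50", 7940),
    # UDP portmapper (port 111) traffic that shows up in the log and must stay blocked
    "client_udp_portmapper": Flow("udp", "10.10.2.50", 40000, "10.10.1.8", 111),
    # the port-909 connection asked about in the thread: not NetWorker traffic
    "client_to_909": Flow("tcp", "10.10.2.50", 45123, "10.10.1.8", 909),
}

if __name__ == "__main__":
    for name, ruleset in (("recommended", RECOMMENDED), ("legacy", LEGACY)):
        print(name, evaluate(ruleset, SAMPLE_FLOWS), audit(ruleset))
```

Running it shows the legacy policy rejecting the ephemeral-port client and the storage node's connection to port 7940, while both policies keep the UDP portmapper and port-909 flows out, which is the behaviour the reply describes: fix the rules rather than widening them when those packets appear in the log.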
