On 6/15/09 10:32 AM, Matt Temple wrote:
1. What do you do, if anything about the "service ports"?
I don't do anything about the service ports on the server and storage nodes. I use the
NetWorker defaults there. If you really want to lock it down, there are documents that
describe in detail how many ports are needed on the server and each storage node (it is a
calculation based on the number and type of devices attached to the system) -- and the values
used in the calculation change with each release.
2. You don't need an opening for portmapper (111)? Is that just for
clients?
I ignore portmapper on the clients and server. EMC/NetWorker keeps claiming they've stopped
using that port -- so, I don't allow it -- and NetWorker keeps being upset by it, but
eventually times out and goes to udp 7938 like it is supposed to.
3. On my clients, I have the following entries (this works):
-m state --state NEW -m tcp -p tcp --dport 7937 -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 7938 -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 7939 -j ACCEPT
-m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
I use nsrports on my clients to limit the service ports to 7937-7940 and have
the following rules:
-m state --state NEW -m tcp -p tcp -s <server ip>/32 --dport 7937:7940 -j ACCEPT
-m udp -p udp -s <server ip>/32 --dport 7938 -j ACCEPT
-m state --state ESTABLISHED,RELATED -j ACCEPT
As only the server will make a "NEW" connection to the client, that is the ONLY ip that needs
to access the nsrexecd ports.
4. Any idea what a storage node would need?
I use the same rules on my storage nodes that I do on the server.
Again, thanks very much. I assume you're running some version >= 7.3.
We're running 7.4.
I'm running 7.4sp4. I won't be moving to 7.5 until EMC fixes the client side problem with
nsrexecd not starting up if nsrports has been used to limit it to just the four ports it needs.
I think you are going to have to get your DMZ firewall people to allow traffic to pass between
each of the clients and the server and storage nodes. The service ports are just part of the
process. I've not done anything with the "connection ports" -- which are the ports that the
server, storage nodes, and clients open up and tell the other end to connect to -- and that
traffic is going to have to pass freely between the protected network and the DMZ or backups
will not happen.
--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
To sign off this list, send email to listserv AT listserv.temple DOT edu and type
"signoff networker" in the body of the email. Please write to networker-request
AT listserv.temple DOT edu if you have any problems with this list. You can access the
archives at http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
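An added example, not from Frank's post or from NetWorker itself: a small audit that reads client iptables rule lines like those above and reports any ACCEPT that admits a NEW connection to the nsrports range (7937-7940) from a source other than the backup server, or that opens portmapper (111) at all. The server address and the two sample rule sets are constructed placeholders.

```python
import shlex
# nsrports range from the post; the backup server is the only host that may
# open NEW connections to the client (constructed placeholder address).
NSR_PORTS = set(range(7937, 7941))
SERVER_IP = "192.0.2.10/32"

def parse_rule(line):
    """Pick the fields that matter out of one iptables rule line."""
    toks = shlex.split(line)
    rule = {"proto": None, "src": None, "dports": set(), "states": set(), "target": None}
    for t, arg in zip(toks, toks[1:]):  # every option here takes one argument
        if t == "-p":
            rule["proto"] = arg
        elif t == "-s":
            rule["src"] = arg
        elif t == "--dport":
            lo, _, hi = arg.partition(":")  # "7937" or "7937:7940"
            rule["dports"] = set(range(int(lo), int(hi or lo) + 1))
        elif t == "--state":
            rule["states"] = set(arg.split(","))
        elif t == "-j":
            rule["target"] = arg
    return rule

def audit(lines, server_ip=SERVER_IP):
    """Return findings for ACCEPT rules that expose nsrexecd or portmapper."""
    findings = []
    for line in lines:
        r = parse_rule(line)
        if r["target"] != "ACCEPT":
            continue
        if 111 in r["dports"]:
            findings.append("portmapper (111) opened: " + line)
        exposed = sorted(r["dports"] & NSR_PORTS)
        # No --state at all, or a NEW state, means a fresh inbound connection is admitted.
        admits_new = not r["states"] or "NEW" in r["states"]
        if exposed and admits_new and r["src"] != server_ip:
            findings.append(f"nsrexecd ports {exposed} open to any source: " + line)
    return findings

# Constructed samples: world-open client rules as in the question, then the locked-down set.
OPEN_RULES = [
    "-m state --state NEW -m tcp -p tcp --dport 7937 -j ACCEPT",
    "-m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT",
    "-m state --state NEW -m udp -p udp --dport 111 -j ACCEPT",
]
LOCKED_RULES = [
    f"-m state --state NEW -m tcp -p tcp -s {SERVER_IP} --dport 7937:7940 -j ACCEPT",
    f"-m udp -p udp -s {SERVER_IP} --dport 7938 -j ACCEPT",
    "-m state --state ESTABLISHED,RELATED -j ACCEPT",
]
```

Run `audit()` over the output of `iptables-save` (INPUT chain lines only) to check a real client; an empty list means the rules match the advice in the post.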