[Veritas-bu] Firewall Ports - Which ones?

2003-04-30 16:44:23
From: dlbewley AT libpo.ucdavis DOT edu (Dale Bewley)
Date: 30 Apr 2003 13:44:23 -0700
I'm currently working on packet filters on my Sol9 NBDC 4.5 server, with
the help of http://seer.support.veritas.com/docs/251630.htm
It is working, but I still have some issues.

With no filter on the client and this filter on the server...

        block in log body on eri0 all head 100
        block out log body on eri0 all head 150
        pass in quick proto tcp from x.x.x.0/24 to any port = 13724 keep state group 100
        pass in quick proto tcp from x.x.x.0/24 to any port = 13720 keep state group 100
        pass out quick proto tcp from any to any port = 13782 keep state group 150
        pass out quick proto tcp from any to any port = 13783 keep state group 150
        
...I initiated a successful backup from the server jnbsa without
problems, then on the NT client I initiated a restore. While it did work
3 times, each time I got a random port 512-1023 on the client trying to
connect to a random port 512-1023 on the server. Can anyone explain what
that traffic is? Shouldn't vnetd eliminate the use of these ports? It's
apparently not "vital" since the restore was successful.

I see that I can change the range of ports using
http://seer.support.veritas.com/docs/237796.htm
but are the SERVER_RESERVED_PORT_WINDOW ports even necessary if
using vnetd?




On Wed, 2003-04-30 at 08:57, Brian Blake wrote:
> Coupla good tech notes:
> 
> Firewalls between master and media servers: 251631
> Firewalls between master/media and clients: 237796
> 
> Also, if you haven't been out to support.veritas.com recently, check it
> out... We've recently redesigned the web site, and the search engine is much
> better IMHO.
> 
> B-
> 
> On 4/30/03 11:09 AM, "Chris Costa" <chris.costa AT veritas DOT com> wrote:
> 
> > What you can try is to open vnetd (13724) from the Master to the Media
> > Server.  Also open up the bpcd (13782) from Media Server to Master Server.
> > 
> > After that you need to go the Master Server Properties and go to the
> > firewall section. Enter the hostname of the Media Server and select the "No
> > Call Back" option.
> > You will need to stop and start services afterwards.
> > 
> > This works for us at the site that I am on.
> > 
> > Christopher C. Costa
> > 
> > 
> > -----Original Message-----
> > From:     Jeremy Taylor [mailto:jtaylor AT ithaca DOT edu]
> > Sent:    Wednesday, April 30, 2003 10:34 AM
> > To:    Tina Likens2
> > Cc:    veritas-bu AT mailman.eng.auburn DOT edu
> > Subject:    Re: [Veritas-bu] Firewall Ports - Which ones?
> > 
> > Hi Tina,
> > 
> > I am currently dealing with a very similar situation and am quickly
> > getting confused and overwhelmed too, NB uses so many ports!  I have not
> > configured much yet (except an attempt at using vnetd - more below) so
> > it's all in the theory stage still.  The NB 4.5 docs have quite an
> > extensive description of ports, network communication, and firewall
> > configuration but it sounds like they may not be all that helpful.  You
> > may want to check out the option of using vnetd which does all the port
> > translation at the system level and therefore only requires one port
> > (13724) opened up on a firewall.  **However this option did not work for
> > me because our firewall incorporates NAT which will not work for vnetd.
> > Unfortunately I had to find that out after tons of testing and
> > document reading...ahh!
> > 
> > Anyway I know I didn't give you much help but I will share info as I get
> > it and keep an eye out on this list...
> > -jeremy
> > 
> > Tina Likens2 wrote:
> >> We have configuration of
> >> 
> >> *Unix Master Server (Solaris 8)
> >>  Behind a Firewall
> >> 
> >> *3 Media Servers (Windows)
> >> 
> >> *Running NetBackup 4.5 FP 3
> >> 
> >> We cannot seem to get a good answer as to exactly which ports need to be
> >> opened in the Firewall to communicate between the Master and the Media
> >> Servers. 
> >> 
> >> Anybody that can give any ideas, we would be extremely grateful. Been
> >> working on this for months and can't seem to get it all together yet.
> >> 
> >> 
> >> Thanks in Advance.
> >> _______________________________________________
> >> Veritas-bu maillist  -  Veritas-bu AT mailman.eng.auburn DOT edu
> >> http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
> > 
-- 
Dale Bewley - Unix Administrator - Shields Library - UC Davis
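The question in Dale's post is which of his ipfilter rules each NetBackup flow actually hits, and why a connection from a client port in 512-1023 to a server port in 512-1023 shows up in the block log while the restore still succeeds. The script below is an added example, not code from the post, from Veritas or from the ipfilter project: it parses the rule set exactly as posted (with the masked x.x.x.0/24 replaced by the constructed network 10.1.2.0/24) and evaluates a few constructed flows against a simplified model of ipfilter semantics (head/group dispatch, quick, keep state). Host addresses, the ephemeral ports and the 600/700 reserved-port pair are constructed sample values. The traffic of the vnetd and bpcd connections passes through the quick group rules, their replies pass on state, and a reserved-port connection like the one logged falls through to the logging block head, which is what the log lines show.

```python
"""Evaluate NetBackup flows against the ipfilter rule set from the post.

Added example (not from the post, Veritas or ipfilter).  Simplified model:
 - a rule with 'head N' defines a group; a packet matching the head is then
   checked against the rules carrying 'group N'; if none matches, the head's
   own action is the result of that group;
 - 'quick' stops evaluation at the first matching rule, otherwise the last
   matching rule wins (ipfilter's usual behaviour);
 - 'keep state' records the 5-tuple so replies in the other direction pass.
The network 10.1.2.0/24 stands in for the post's masked x.x.x.0/24.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The server-side filter as posted (x.x.x.0/24 replaced by a constructed network).
RULES_TEXT = """
block in log body on eri0 all head 100
block out log body on eri0 all head 150
pass in quick proto tcp from 10.1.2.0/24 to any port = 13724 keep state group 100
pass in quick proto tcp from 10.1.2.0/24 to any port = 13720 keep state group 100
pass out quick proto tcp from any to any port = 13782 keep state group 150
pass out quick proto tcp from any to any port = 13783 keep state group 150
"""


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    log: bool
    keep_state: bool
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None   # None means 'any'
    dport: Optional[int] = None                   # 'to ... port = N'
    head: Optional[int] = None
    group: Optional[int] = None


def parse_rule(line: str) -> Rule:
    """Parse one ipfilter rule of the shape used in the post.

    Assumption: a 'port = N' clause follows 'to' and so names the destination port.
    """
    tok = line.split()
    r = Rule(action=tok[0], direction=tok[1], quick="quick" in tok,
             log="log" in tok, keep_state="keep" in tok)
    for i, t in enumerate(tok):
        if t == "proto":
            r.proto = tok[i + 1]
        elif t == "from" and tok[i + 1] != "any":
            r.src = ipaddress.ip_network(tok[i + 1])
        elif t == "port":
            r.dport = int(tok[i + 2])           # tokens are 'port', '=', 'N'
        elif t == "head":
            r.head = int(tok[i + 1])
        elif t == "group":
            r.group = int(tok[i + 1])
    return r


@dataclass(frozen=True)
class Packet:
    direction: str   # 'in' or 'out' relative to the server's eri0
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


class Filter:
    def __init__(self, text: str):
        self.rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip()]
        self.state = set()   # 5-tuples of flows admitted by a 'keep state' rule

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason) for one packet, updating the state table."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "pass", "state"
        last = ("pass", "no rule matched")      # ipfilter passes by default
        for r in self.rules:
            if r.group is not None or not matches(r, pkt):
                continue                          # group members only via their head
            result = (r.action, "head %d%s" % (r.head, " (logged)" if r.log else ""))
            if r.head is not None:
                for g in (x for x in self.rules if x.group == r.head):
                    if not matches(g, pkt):
                        continue
                    if g.keep_state:
                        self.state.add(fwd)
                    result = (g.action, "group %d: %s port %d" % (r.head, g.action, g.dport))
                    if g.quick:
                        return result
            if r.quick:
                return result
            last = result
        return last


def restore_scenario(client: str = "10.1.2.50", server: str = "10.1.2.10") -> dict:
    """Walk constructed flows like those in the post and report the filter's verdicts."""
    f = Filter(RULES_TEXT)
    flows = {
        "client -> server vnetd 13724": Packet("in", "tcp", client, 40000, server, 13724),
        "server -> client vnetd reply": Packet("out", "tcp", server, 13724, client, 40000),
        "server -> client bpcd 13782": Packet("out", "tcp", server, 40001, client, 13782),
        "client 600 -> server 700 (reserved ports)": Packet("in", "tcp", client, 600, server, 700),
    }
    return {name: f.evaluate(p) for name, p in flows.items()}


if __name__ == "__main__":
    for name, (action, why) in restore_scenario().items():
        print("%-45s %-5s %s" % (name, action, why))
```

Because the head rules carry `log`, the final flow is the one that produces the `block in` log lines on eri0; adding a `pass in quick ... port 512 >< 1024 ... group 100` rule would admit it, whereas a bpcd "No Call Back" setting as Chris describes avoids the need.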

