Veritas-bu

[Veritas-bu] Backup through firewalls

2006-09-15 10:29:04
Subject: [Veritas-bu] Backup through firewalls
From: jlightner at water.com (Jeff Lightner)
Date: Fri, 15 Sep 2006 10:29:04 -0400
This is on RHEL 4:

To add permission to iptables on client:

Verify iptables is running with iptables -L and that its last entry is to
block icmp.  (If not running, iptables -L will only show about 3 lines.)

1) iptables -D RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
###  Deletes the icmp rule

2) iptables -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport bpcd
-j ACCEPT --src <master server IP ADDR>
###  Opens bpcd port for master server.

3) iptables -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
###  Re-adds the icmp rule as last rule.

4) iptables-save >/etc/sysconfig/iptables
###  Saves to file read on iptables start.

Step 2 above assumes 13782 for bpcd tcp is in /etc/services already.  Step 4
is necessary so that after a reboot or bounce of iptables it will reestablish the
rules.
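An added example, not from the thread: the same client-side change done in one pass on iptables-save output, so the terminal REJECT stays last and the ACCEPT is not duplicated on a rerun. The sample ruleset, the master address 192.0.2.10 and the embedded services table are constructed for the demo.

```shell
# Constructed iptables-save output in the RHEL 4 layout (sample data, not from a real host).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Embedded copy of the /etc/services entries the procedure relies on (assumed values).
NB_SERVICES='bpcd 13782/tcp
vnetd 13724/tcp
bprd 13720/tcp'

# service_port NAME -> prints the TCP port for a NetBackup service name; fails if unknown.
service_port() {
    port=$(printf '%s\n' "$NB_SERVICES" | awk -v n="$1" '$1 == n { sub("/tcp", "", $2); print $2 }')
    [ -n "$port" ] || { echo "service_port: unknown service $1" >&2; return 1; }
    printf '%s\n' "$port"
}

# insert_bpcd_rule MASTER_IP < iptables-save-output > new-rules
# Emits the ACCEPT for bpcd from the master directly above the chain's terminal REJECT in the
# filter table, so the REJECT remains the last rule. Idempotent: an existing ACCEPT for that
# port in the chain is left alone. If the chain has no REJECT, the rule goes before COMMIT.
insert_bpcd_rule() {
    case "$1" in ""|*[!0-9.]*) echo "usage: insert_bpcd_rule <master IPv4>" >&2; return 2 ;; esac
    port=$(service_port bpcd) || return 1
    chain=RH-Firewall-1-INPUT
    rule="-A $chain -s $1 -m state --state NEW -p tcp --dport $port -j ACCEPT"
    awk -v rule="$rule" -v chain="$chain" -v port="$port" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && index($0, "-A " chain " ") == 1 && index($0, "--dport " port " ") && index($0, "-j ACCEPT") { seen = 1 }
        table == "filter" && index($0, "-A " chain " -j REJECT") == 1 && !seen { print rule; seen = 1 }
        table == "filter" && $0 == "COMMIT" && !seen { print rule; seen = 1; print "warning: no terminal REJECT in " chain > "/dev/stderr" }
        { print }'
}

# Typical use on the client (as root): iptables-save | insert_bpcd_rule 192.0.2.10 > /tmp/new.rules
#   then iptables-restore < /tmp/new.rules && iptables-save > /etc/sysconfig/iptables
```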

-----Original Message-----
From: Allen, Jimmy [mailto:jballen at firstam.com] 
Sent: Friday, September 15, 2006 9:53 AM
To: Jeff Lightner; veritas-bu at mailman.eng.auburn.edu
Subject: RE: [Veritas-bu] Backup through firewalls

Please post the iptables information.  We are adding Linux to our environment
and that information would help.

Thanks


-----Original Message-----
From: veritas-bu-bounces at mailman.eng.auburn.edu [mailto:veritas-bu-bounces 
at mailman.eng.auburn.edu] On Behalf Of Jeff Lightner
Sent: Friday, September 15, 2006 7:47 AM
To: veritas-bu at mailman.eng.auburn.edu
Subject: Re: [Veritas-bu] Backup through firewalls

Step by step notes I wrote when I did this:

FYI the following is what I did in NetBackup for backing up client in the 
firewall.  
     Open Netbackup Java GUI 
     Go to Host Properties
     Go to Master Servers
     Double click on the master server.
     In Master Server Properties box go to Client Attributes
     Click Add
     Type in name of client(s) and hit enter to add to list.
     Select (highlight) the client(s) from list
     Under BPCD Connect Back click the VNETD Port radio button
     Click OK.
     Exit and you're done with the GUI.
     After that at command line on the master server run
       "bprdreq  -rereadconfig".
       (Note - this worked but the manual and Datalink indicated
        bouncing daemons is the only SURE way to do it.
        Datalink said it works "sometimes".)

Also for the above you must open the following ports on the firewall:
Media >> Client
13782 (bpcd)

Client >> Media
13724 (vnetd)

Media being the media server (which is the master server in our case).

We also did this recently on some Linux clients on firewall so I have notes on 
iptables config if you need that.

-----Original Message-----
From: veritas-bu-bounces at mailman.eng.auburn.edu [mailto:veritas-bu-bounces 
at mailman.eng.auburn.edu] On Behalf Of smpt
Sent: Friday, September 15, 2006 1:06 AM
To: David Rock;
Subject: Re: [Veritas-bu] Backup through firewalls

Hi,
I've configured some firewalled NetBackup domains with vnetd and I never had any
problem with streams.

It has been ages since I heard of anyone using the port model. I had proposed this to some of
my customers and when the firewall admin understood how many ports were needed they
refused it immediately.


>  -------Original Message-------
>  From: David Rock <dave-bu at graniteweb.com>
>  Subject: Re: [Veritas-bu] Backup through firewalls
>  Sent: 14 Sep '06 23:06
>  
>  * Mark.Donaldson at cexp.com <Mark.Donaldson at cexp.com> [2006-09-14 13:48]:
>  > There's a whole section on this in the SAG.
>  >
>  > Short answer, you need "bpcd" from the master or media server to the
>  > client, "vnetd" the reverse direction.  You have to make sure you
>  > configure the client for "no callback connections" via the bpclient
>  > command or, no doubt, someplace in the GUI.
>  >
>  > Users on the client cannot perform their own restores using this.
>  > I'm told, but have not verified, that you can enable "bprd" from
>  > client to master to allow this.
>  
>  Speaking as a backup guy who is now on the firewall team, using vnetd
>  is by far the recommended way of dealing with the firewall.  If all
>  you are dealing with is backup servers to client machine, the short list is:
>  
>  Server -> Client   port 13782 (bpcd)
>  Client -> Server   ports 13724 (vnetd) and 13720 (bprd)
>  
>  Yes client initiated restores will work with just these ports.  If
>  your backup servers are hanging off of a DMZ so that your admin
>  clients using the Java GUI need to get access, you can also use:
>  
>  Admin Client -> Server ports 13722 (bpjava) and 13724 (vnetd)
>  
>  This will also require the /usr/openv/java/nbj.conf file setting of
>  NBJAVA_CONNECT_OPTION=1 (default is 0)
>  
>  The only downside to vnetd that I have heard of but not seen
>  personally is that you are limited to a single stream for backups,
>  which could impact your backup model if you are trying to use
>  NEW_STREAM file directives.  If that is the case, you can configure
>  port ranges and I highly recommend using ALLOW_NON_RESERVED_PORTS as
>  part of that.  Using low ports (<1024) by default is one of the stupidest
>  things NBU ever did.
>  
>  --
>  David Rock
>  david at graniteweb.com
>  _______________________________________________
>  Veritas-bu maillist  -  Veritas-bu at mailman.eng.auburn.edu
>  http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu
>  
_______________________________________________
Veritas-bu maillist  -  Veritas-bu at mailman.eng.auburn.edu 
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu