
Re: Guide(s?) to backup philosophies



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Mar 22, 2017 at 11:57:44AM -0000, Dan Purgert wrote:
> <tomas@tuxteam.de> wrote:
> >
> > On Wed, Mar 22, 2017 at 10:35:13AM -0000, Dan Purgert wrote:
> >> David Christensen wrote:
> >> > On 03/17/2017 03:31 AM, Dan Purgert wrote:
> >> >> David Christensen wrote:
> >> >>> On 03/13/2017 05:38 AM, Dan Purgert wrote:
> >> >>> [...]
> >> >
> >> > I should clarify that:
> >> >
> >> >      "The backup server can be firewalled with no incoming ports and
> >> >      outgoing ports limited to SSH and other required ports".
> >> >
> >> >
> >> > I still need to figure out the "other required outgoing ports". 
> >> > Suggestions and comments are welcome.
> >> 
> >> Unfortunately, pretty much "all ephemeral ports", if the server is
> >> running things that initiate connections.  Some programs allow you to
> >> specify what ports they're connecting from, but not all.
> >
> > That's what ESTABLISHED is for, in firewall jargon (you accept packets
> > belonging to an established TCP connection).
> >
> 
> You're not gonna have any ESTABLISHED connections in your firewall if
> you're _initiating_ the connection. ;)
> 
> if my firewall has the following rules:
>  - default drop
>  - rule 10 accept established
> 
> the command:
> rsync (whatever switches) user@remote-host:/path/to/files/ /local/
> 
> Will fail to connect to remote-host, as the rsync command is not
> connecting across a previously established link. 

You're holding it wrong :)

Remote-host has to allow connections (from wherever, perhaps only
from the backup host) *to* its port 22. The ESTABLISHED is for
rsync's "other leg".

- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAljSa/wACgkQBcgs9XrR2kbrjwCeNwPfsjE3wFnfWm/pQJGlLc+j
SwwAnAtDVJZiH34L3jLTi45dlFz8PPcK
=ue1R
-----END PGP SIGNATURE-----
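The point tomas makes is easy to see in a toy model of a stateful filter. The block below is an added example, not code from the thread or from any real firewall: it models default-drop INPUT/OUTPUT chains with a conntrack-style table, then runs the TCP handshake of an rsync-over-ssh session three ways. Addresses, the ephemeral port and the rule predicates are constructed for illustration; the model tracks flows by 4-tuple and ignores TCP sequence checking.

```python
# Toy stateful packet filter (added example, not from the thread or any firewall).
# Addresses and ports below are constructed for illustration.
from dataclasses import dataclass

BACKUP = "192.0.2.10"   # backup host: initiates rsync over ssh, no listeners
REMOTE = "192.0.2.20"   # remote-host: the machine being backed up
SSH = 22
EPHEMERAL = 40123       # constructed client-side source port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN/ACK" or "ACK"


class StatefulFirewall:
    """Default-drop filter with a conntrack table, one instance per host.

    `rules` is a list of (chain, predicate) pairs consulted only for NEW
    packets, like `iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT`.
    Packets belonging to a tracked flow (either direction) are ESTABLISHED
    and always accepted, like `-m conntrack --ctstate ESTABLISHED -j ACCEPT`.
    """

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()   # 4-tuples of flows accepted as NEW

    @staticmethod
    def _flow(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport)

    def state(self, p):
        if self._flow(p) in self.conntrack or self._reverse(p) in self.conntrack:
            return "ESTABLISHED"
        return "NEW"

    def filter(self, p, chain):
        """True if packet p passes this host's INPUT or OUTPUT chain."""
        if self.state(p) == "ESTABLISHED":
            return True
        for rule_chain, predicate in self.rules:
            if rule_chain == chain and predicate(p):
                self.conntrack.add(self._flow(p))   # flow is now tracked
                return True
        return False    # default policy: drop


def run_handshake(client_fw, server_fw, client, server):
    """Client opens TCP to server:22 through both filters; returns verdicts."""
    steps = [
        (Packet(client, EPHEMERAL, server, SSH, "SYN"), client_fw, "OUTPUT", server_fw, "INPUT"),
        (Packet(server, SSH, client, EPHEMERAL, "SYN/ACK"), server_fw, "OUTPUT", client_fw, "INPUT"),
        (Packet(client, EPHEMERAL, server, SSH, "ACK"), client_fw, "OUTPUT", server_fw, "INPUT"),
    ]
    log = []
    for pkt, out_fw, out_chain, in_fw, in_chain in steps:
        ok = out_fw.filter(pkt, out_chain) and in_fw.filter(pkt, in_chain)
        log.append((pkt.flags, "pass" if ok else "drop"))
        if not ok:
            break
    return log


# Backup host: nothing inbound, outbound NEW only to remote-host:22.
backup_rules = [("OUTPUT", lambda p: p.dst == REMOTE and p.dport == SSH)]
# remote-host: NEW connections to port 22 only from the backup host.
remote_rules = [("INPUT", lambda p: p.src == BACKUP and p.dport == SSH)]


def established_only_run():
    """Default drop + accept ESTABLISHED and nothing else: the SYN is NEW, so it dies."""
    return run_handshake(StatefulFirewall([]), StatefulFirewall(remote_rules), BACKUP, REMOTE)


def working_run():
    """Outbound NEW to remote:22 on the backup host; ESTABLISHED covers the return leg."""
    return run_handshake(StatefulFirewall(backup_rules), StatefulFirewall(remote_rules), BACKUP, REMOTE)


def inbound_to_backup_run():
    """A host with an open OUTPUT chain tries to reach the backup host's port 22."""
    attacker_fw = StatefulFirewall([("OUTPUT", lambda p: True)])
    return run_handshake(attacker_fw, StatefulFirewall(backup_rules), REMOTE, BACKUP)


if __name__ == "__main__":
    print("established only:", established_only_run())
    print("outbound 22 + established:", working_run())
    print("inbound to backup host:", inbound_to_backup_run())
```

The second run is the configuration tomas describes: the backup host's only NEW rule is outbound to remote-host:22, remote-host accepts NEW on port 22 only from the backup host, and the SYN/ACK and everything after it match ESTABLISHED on both sides. The third run shows why that leaves the backup host with no reachable ports: a SYN arriving at its INPUT chain matches no NEW rule and is dropped.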

