On 03/23/2017 02:22 AM, Dan Purgert wrote:
> David Christensen wrote:
>> On 03/22/2017 03:35 AM, Dan Purgert wrote:
>>> David Christensen wrote:
>>>> On 03/17/2017 03:31 AM, Dan Purgert wrote:
>>>>> David Christensen wrote:
>>>>>> On 03/13/2017 05:38 AM, Dan Purgert wrote:
>>>>>>> [...]
>>>>>>
>>>>>> I should clarify that: "The backup server can be firewalled with no
>>>>>> incoming ports and outgoing ports limited to SSH and other required
>>>>>> ports". I still need to figure out the "other required outgoing
>>>>>> ports". Suggestions and comments are welcome.
>>>>>
>>>>> Unfortunately, pretty much "all ephemeral ports", if the server is
>>>>> running things that initiate connections. Some programs allow you to
>>>>> specify what ports they're connecting from, but not all.
>>>>
>>>> I run ntpd on all my machines. So, ports 123/tcp and 123/udp need to
>>>> be open for ongoing connections:
>>>
>>> Good point, that :). I was just making a comment about "other required
>>> outgoing ports" (as many things just use an ephemeral port to initiate
>>> a connection, rather than a defined port, as with ntp).
>>
>> At this point, I have only implemented incoming firewalling on all of
>> my computers. But, I do want to implement outgoing firewalling on the
>> backup server. Figuring it out will be interesting.
>
>>> [...]
>>>
>>> VPN could work, but SSH into a jumpbox works just as well. The push
>>> script checks /etc/resolv.conf for the local domain; if it's mine, then
>>> back up to the backup-server directly. If it's not mine, back up
>>> "critical files" to the jumpbox (which, in turn, is backed up to the
>>> backup-server). It's quite a bit smaller than the full backups that're
>>> performed at home - just $HOME/vacation.
>>
>> So, you have a static IP (or dynamic DNS) for your home Internet
>> connection, you have your home gateway configured to allow incoming SSH
>> connections and direct them to an internal host "jumpbox", and your
>> laptop has a backup script that detects whether the laptop is on your
>> LAN or on the Internet. If on the LAN, the backup script exits and
>> waits for the backup server to pull a complete backup. If on the
>> Internet, the backup script pushes critical files over SSH to a
>> receiving directory on "jumpbox" (?).
>
> Close enough - the script on the laptops just switches between "rsync
> everything to backup-server, because you're at home" and "rsync only
> the 'vacation' folder to jumpbox, because you're not".
So, your computers push backups to the backup server. I feel safer if the backup server pulls backups and all incoming ports are closed.
David
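On the "other required outgoing ports" question in the quoted thread: the ephemeral source ports never need to be enumerated on a stateful firewall. New connections are filtered by destination port, and the reply traffic (whatever source port ntpd, ssh or anything else picked) comes back under "established,related". Below is one way to express that for a pull-only backup server as an nftables ruleset generated from a POSIX sh script. This is an added example, not David's or Dan's configuration; the client addresses, the NTP server addresses, the assumption that names are resolved over DNS rather than /etc/hosts, IPv4-only clients, and the use of nftables at all are all assumptions. Note that NTP itself is UDP only (ntpd does not speak tcp/123), so only udp/123 appears in the ruleset.

```shell
#!/bin/sh
# Added example: egress policy for a backup server that pulls over SSH.
# Not taken from the thread; all addresses below are placeholders.
set -eu

# Emit an nftables ruleset on stdout.
#   $1: space-separated NTP server addresses (assumed; replace with yours)
#   $2: space-separated addresses of the clients this server pulls from (assumed)
# IPv4 only ("ip daddr"); add matching "ip6 daddr" rules for IPv6 clients.
backup_server_egress_ruleset() {
    ntp_servers=$1
    ssh_targets=$2
    cat <<EOF
flush ruleset
table inet backup_egress {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # replies to connections this host opened: this is what makes the
        # ephemeral source ports irrelevant
        ct state established,related accept
        # keep ICMP errors (unreachable, fragmentation needed) so SSH sessions
        # do not hang on path-MTU problems
        meta l4proto { icmp, ipv6-icmp } accept
        # no incoming services at all; add "tcp dport 22 accept" here only if
        # you administer the box over SSH rather than from the console
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # the pull: SSH *out* to the backup clients, nowhere else
        ip daddr { $(echo $ssh_targets | tr ' ' ',') } tcp dport 22 accept
        # ntpd talks udp/123 to its servers (and also uses 123 as its source
        # port, which the established/related rule above covers on the way back)
        ip daddr { $(echo $ntp_servers | tr ' ' ',') } udp dport 123 accept
        # name resolution for the hosts above; delete both lines if /etc/hosts
        # carries every name the server uses (assumption: it resolves over DNS)
        udp dport 53 accept
        tcp dport 53 accept
        # log what the policy rejects: the remaining "required ports" turn up
        # here instead of as silent failures
        log prefix "egress-drop: " drop
    }
}
EOF
}

# Syntax-check the generated ruleset without loading it, then load it.
# Needs root and the nft binary; not exercised by the generator above.
apply_backup_server_egress() {
    backup_server_egress_ruleset "$1" "$2" | nft -c -f -
    backup_server_egress_ruleset "$1" "$2" | nft -f -
}

# Usage (placeholder addresses):
#   backup_server_egress_ruleset "192.0.2.10 192.0.2.11" "10.0.0.5 10.0.0.6"
#   apply_backup_server_egress   "192.0.2.10 192.0.2.11" "10.0.0.5 10.0.0.6"
```

Run the generator first and read the output; after loading, `journalctl -k | grep egress-drop` (or the equivalent log reader) is the quickest way to find the outbound ports the thread was unsure about, because every connection the policy blocks is logged with its destination.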
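Dan's push script, as described in the quoted thread, switches on whether /etc/resolv.conf names the home domain. The sketch below is an added illustration of that switch in POSIX sh, not Dan's actual script; the domain, the host names, the paths and rsync-over-ssh as the transport are assumptions. The check it relies on deserves a caveat: the search domain in resolv.conf comes from DHCP, so any network can hand the laptop "home.example" and make it believe it is at home. The check therefore only chooses a target; what stops a full rsync of $HOME from going to an impostor "backup-server" on a hostile LAN is SSH host-key verification, which is why the example pins StrictHostKeyChecking=yes and expects both hosts' keys to already be in known_hosts.

```shell
#!/bin/sh
# Added example: pick the backup target from the resolver's search domain.
# Not the script from the thread; names and paths are placeholders.
set -eu

HOME_DOMAIN=${HOME_DOMAIN:-home.example}                              # assumed LAN DNS domain
FULL_TARGET=${FULL_TARGET:-backup-server:/srv/backup/laptop/}         # assumed
AWAY_TARGET=${AWAY_TARGET:-jumpbox:/srv/backup/laptop-vacation/}      # assumed
RSYNC=${RSYNC:-rsync}
# Refuse unknown host keys: the resolv.conf check is spoofable by DHCP,
# the host key in known_hosts is not.
SSH_CMD="ssh -o StrictHostKeyChecking=yes"

# Print "home" if a "search" or "domain" line in the given resolv.conf lists
# HOME_DOMAIN as a whole entry, otherwise "away".
#   $1: resolv.conf path (defaults to /etc/resolv.conf; a parameter so the
#       logic can be checked against sample files)
network_location() {
    resolv=${1:-/etc/resolv.conf}
    # escape the dots so "home.example" cannot match "homeXexample"
    dom=$(printf '%s' "$HOME_DOMAIN" | sed 's/\./\\./g')
    # whole-word match: "search home.example.evil" must not count as home
    if grep -Eqs "^(search|domain)[[:space:]]+([^[:space:]]+[[:space:]]+)*$dom([[:space:]]|\$)" "$resolv"; then
        echo home
    else
        echo away
    fi
}

# At home: everything to the backup server. Away: only $HOME/vacation to the
# jumpbox, which the backup server picks up later. Trailing slashes keep
# rsync from nesting an extra directory level on the receiving side.
run_backup() {
    case $(network_location "${1:-/etc/resolv.conf}") in
        home) "$RSYNC" -a --delete -e "$SSH_CMD" "$HOME/" "$FULL_TARGET" ;;
        away) "$RSYNC" -a -e "$SSH_CMD" "$HOME/vacation/" "$AWAY_TARGET" ;;
    esac
}

# Usage from cron or a network-up hook:
#   run_backup                # reads /etc/resolv.conf
#   run_backup /tmp/test.conf # decide against a sample file
```

Setting RSYNC=echo before calling run_backup prints the rsync invocation instead of running it, which is a cheap way to confirm which target a given resolv.conf selects before trusting the script with real data.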