Re: Guide(s?) to backup philosophies
On Wed, Mar 22, 2017 at 11:57:44AM -0000, Dan Purgert wrote:
> <tomas@tuxteam.de> wrote:
> >
> > On Wed, Mar 22, 2017 at 10:35:13AM -0000, Dan Purgert wrote:
> >> David Christensen wrote:
> >> > On 03/17/2017 03:31 AM, Dan Purgert wrote:
> >> >> David Christensen wrote:
> >> >>> On 03/13/2017 05:38 AM, Dan Purgert wrote:
> >> >>> [...]
> >> >
> >> > I should clarify that:
> >> >
> >> > "The backup server can be firewalled with no incoming ports and
> >> > outgoing ports limited to SSH and other required ports".
> >> >
> >> >
> >> > I still need to figure out the "other required outgoing ports".
> >> > Suggestions and comments are welcome.
> >>
> >> Unfortunately, pretty much "all ephemeral ports", if the server is
> >> running things that initiate connections. Some programs allow you to
> >> specify what ports they're connecting from, but not all.
> >
> > That's what ESTABLISHED is for, in firewall jargon (you accept packets
> > belonging to an established TCP connection).
> >
>
> You're not gonna have any ESTABLISHED connections in your firewall if
> you're _initiating_ the connection. ;)
>
> if my firewall has the following rules:
> - default drop
> - rule 10 accept established
>
> the command:
> rsync (whatever switches) user@remote-host:/path/to/files/ /local/
>
> Will fail to connect to remote-host, as the rsync command is not
> connecting across a previously established link.
You're holding it wrong :)
Remote-host has to allow connections (from wherever, perhaps only
from the backup host) *to* its port 22. The ESTABLISHED is for
rsync's "other leg".
-- t
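The disagreement above comes down to what a stateful filter does with the first packet of a connection the host itself opens. The following is an added example, not code from the thread or from any of its authors: a toy model of two hosts' INPUT/OUTPUT chains with a simplified conntrack table (a 4-tuple set, no TCP state machine). It walks an rsync-over-SSH handshake through "default drop + accept established" as Dan describes it, then through the ruleset tomas is pointing at (the backup host additionally accepts NEW outbound to tcp/22, and remote-host accepts NEW inbound on tcp/22). The addresses and source ports are made up, and the iptables lines in the docstring are the assumed equivalents of the model, using standard `-m conntrack --ctstate` matching.

```python
"""Toy model of a stateful (conntrack) packet filter, added to illustrate the
thread: a host that *initiates* rsync over SSH needs an OUTPUT rule accepting
NEW connections to tcp/22 and an INPUT rule accepting ESTABLISHED traffic;
remote-host needs INPUT accepting NEW on tcp/22.  Ephemeral source ports never
have to be enumerated, because the decision is made on destination port and
connection state.  Addresses and ports below are constructed.

Assumed iptables equivalents of the model (standard options):
  backup host:  -P INPUT DROP ; -P OUTPUT DROP
                -A INPUT  -m conntrack --ctstate ESTABLISHED -j ACCEPT
                -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
                -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  remote-host:  -A INPUT  -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
"""
from dataclasses import dataclass

BACKUP = "10.0.0.5"   # constructed address of the backup server
REMOTE = "10.0.0.9"   # constructed address of remote-host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


class Firewall:
    """Per-host INPUT/OUTPUT chains, default policy DROP, shared conntrack table."""

    def __init__(self, new_in_ports=(), new_out_ports=()):
        self.new_in_ports = set(new_in_ports)    # NEW accepted on INPUT to these dports
        self.new_out_ports = set(new_out_ports)  # NEW accepted on OUTPUT to these dports
        self.conntrack = set()                   # (src, sport, dst, dport) of accepted flows

    def _state(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    def _filter(self, p, new_ports):
        if self._state(p) == "ESTABLISHED":      # "rule 10 accept established"
            return "ACCEPT"
        if p.syn and p.dport in new_ports:       # explicit NEW rule for this dport
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        return "DROP"                            # default policy

    def input(self, p):
        return self._filter(p, self.new_in_ports)

    def output(self, p):
        return self._filter(p, self.new_out_ports)


def rsync_over_ssh(backup_fw, remote_fw, sport=51234):
    """Pass the first two packets of the SSH handshake through both hosts'
    chains and return (chain, verdict) pairs; the first DROP ends the attempt."""
    verdicts = []
    syn = Packet(BACKUP, sport, REMOTE, 22, syn=True)
    synack = Packet(REMOTE, 22, BACKUP, sport)
    for label, chain, pkt in (
        ("backup OUTPUT SYN", backup_fw.output, syn),
        ("remote INPUT SYN", remote_fw.input, syn),
        ("remote OUTPUT SYN/ACK", remote_fw.output, synack),   # ESTABLISHED on remote
        ("backup INPUT SYN/ACK", backup_fw.input, synack),     # ESTABLISHED: the "other leg"
    ):
        v = chain(pkt)
        verdicts.append((label, v))
        if v != "ACCEPT":
            break
    return verdicts


def dans_ruleset():
    """Default drop plus 'accept established' on both chains, nothing else."""
    return Firewall()


def fixed_backup_ruleset():
    """Same, plus NEW outbound to tcp/22 (no inbound NEW at all)."""
    return Firewall(new_out_ports={22})


def remote_ruleset():
    """remote-host: accepts NEW inbound on tcp/22 (could be restricted by source)."""
    return Firewall(new_in_ports={22})


def demo():
    broken = rsync_over_ssh(dans_ruleset(), remote_ruleset())
    working = rsync_over_ssh(fixed_backup_ruleset(), remote_ruleset(), sport=60000)
    fw = fixed_backup_ruleset()
    # An unsolicited inbound SYN to the backup host is still dropped ...
    probe = fw.input(Packet("203.0.113.7", 40000, BACKUP, 22, syn=True))
    # ... and so is outbound to any port not on the NEW list, whatever the source port.
    http = fw.output(Packet(BACKUP, 40001, "203.0.113.8", 80, syn=True))
    return broken, working, probe, http


if __name__ == "__main__":
    for name, result in zip(("broken", "working", "probe", "http"), demo()):
        print(name, result)
```

The model shows why the quoted rsync command fails: its very first SYN is NEW, not ESTABLISHED, so "accept established" alone drops it in OUTPUT before remote-host ever sees it. Once one NEW rule for the destination port exists, every reply packet matches ESTABLISHED regardless of which ephemeral source port rsync's SSH session picked, which is the answer to the "all ephemeral ports" worry.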