Re: Guide(s?) to backup philosophies
<tomas@tuxteam.de> wrote:
>
> On Wed, Mar 22, 2017 at 11:57:44AM -0000, Dan Purgert wrote:
>> <tomas@tuxteam.de> wrote:
>> >
>> > On Wed, Mar 22, 2017 at 10:35:13AM -0000, Dan Purgert wrote:
>> >> David Christensen wrote:
>> >> > On 03/17/2017 03:31 AM, Dan Purgert wrote:
>> >> >> David Christensen wrote:
>> >> >>> On 03/13/2017 05:38 AM, Dan Purgert wrote:
>> >> >>> [...]
>> >> >
>> >> > I should clarify that:
>> >> >
>> >> > "The backup server can be firewalled with no incoming ports and
>> >> > outgoing ports limited to SSH and other required ports".
>> >> >
>> >> >
>> >> > I still need to figure out the "other required outgoing ports".
>> >> > Suggestions and comments are welcome.
>> >>
>> >> Unfortunately, pretty much "all ephemeral ports", if the server is
>> >> running things that initiate connections. Some programs allow you to
>> >> specify what ports they're connecting from, but not all.
>> >
>> > That's what ESTABLISHED is for, in firewall jargon (you accept packets
>> > belonging to an established TCP connection).
>> >
>>
>> You're not gonna have any ESTABLISHED connections in your firewall if
>> you're _initiating_ the connection. ;)
>>
>> if my firewall has the following rules:
>> - default drop
>> - rule 10 accept established
>>
>> the command:
>> rsync (whatever switches) user@remote-host:/path/to/files/ /local/
>>
>> Will fail to connect to remote-host, as the rsync command is not
>> connecting across a previously established link.
>
> You're holding it wrong :)
>
> Remote-host has to allow connections (from wherever, perhaps only
> from the backup host) *to* its port 22. The ESTABLISHED is for
> rsync's "other leg".
You do realize that the thread of discussion you hopped onto was
specifically talking about if the "server box" was _initiating_
connections, right?
Of course if the server is simply responding to incoming requests,
"accept established" would let the responses back out.
--
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
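Added example, not part of the thread: a small Python model of the stateful rules the two posters are arguing about (default drop plus "accept established", with and without an explicit rule for NEW outbound connections to tcp/22), run once for a backup host that initiates an rsync-over-ssh pull. The addresses and ports are constructed, and the model stands in for netfilter conntrack rather than calling iptables.

```python
# Added model (not a real firewall): default-drop policy, an
# "accept ESTABLISHED" rule, and optionally an explicit rule allowing
# NEW outbound connections to listed ports (22 for rsync over ssh).
# A flow is tracked once its first packet is accepted; as in netfilter,
# every later packet of that flow in either direction matches ESTABLISHED.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaves this host, "in" = arrives at this host
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool        # True only for the first packet of a TCP connection

@dataclass
class StatefulFirewall:
    new_out_ports: frozenset = frozenset()        # empty == the two-rule set above
    conntrack: set = field(default_factory=set)   # tracked flows

    @staticmethod
    def flow_key(p):
        # Direction-independent key so the reply leg finds the original flow.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def filter(self, p):
        key = self.flow_key(p)
        if key in self.conntrack:                 # rule 10: accept established
            return "ACCEPT established"
        if p.direction == "out" and p.syn and p.dport in self.new_out_ports:
            self.conntrack.add(key)               # explicit outbound NEW rule
            return "ACCEPT new-out"
        return "DROP"                             # default policy

BACKUP, REMOTE = "10.0.0.5", "10.0.0.9"          # constructed addresses

def rsync_over_ssh(fw):
    """Verdicts for an rsync pull the backup host initiates, followed by
    one unsolicited inbound SSH attempt against the backup host itself."""
    return [
        fw.filter(Packet("out", BACKUP, 51234, REMOTE, 22, syn=True)),   # ssh SYN
        fw.filter(Packet("in", REMOTE, 22, BACKUP, 51234, syn=False)),   # SYN/ACK
        fw.filter(Packet("out", BACKUP, 51234, REMOTE, 22, syn=False)),  # data
        fw.filter(Packet("in", "198.51.100.7", 40000, BACKUP, 22, syn=True)),
    ]

if __name__ == "__main__":
    print(rsync_over_ssh(StatefulFirewall()))                  # default drop + established only
    print(rsync_over_ssh(StatefulFirewall(frozenset({22}))))   # plus NEW outbound to tcp/22
```

With only "default drop" and "accept established", the host's own SYN is dropped, so nothing is ever established; adding the outbound NEW rule for tcp/22 lets the pull through while the reply leg rides on ESTABLISHED and the unsolicited inbound SYN to the backup host still hits the default drop.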