
Re: Guide(s?) to backup philosophies



<tomas@tuxteam.de> wrote:
>
> On Wed, Mar 22, 2017 at 11:57:44AM -0000, Dan Purgert wrote:
>> <tomas@tuxteam.de> wrote:
>> >
>> > On Wed, Mar 22, 2017 at 10:35:13AM -0000, Dan Purgert wrote:
>> >> David Christensen wrote:
>> >> > On 03/17/2017 03:31 AM, Dan Purgert wrote:
>> >> >> David Christensen wrote:
>> >> >>> On 03/13/2017 05:38 AM, Dan Purgert wrote:
>> >> >>> [...]
>> >> >
>> >> > I should clarify that:
>> >> >
>> >> >      "The backup server can be firewalled with no incoming ports and
>> >> >      outgoing ports limited to SSH and other required ports".
>> >> >
>> >> >
>> >> > I still need to figure out the "other required outgoing ports". 
>> >> > Suggestions and comments are welcome.
>> >> 
>> >> Unfortunately, pretty much "all ephemeral ports", if the server is
>> >> running things that initiate connections.  Some programs allow you to
>> >> specify what ports they're connecting from, but not all.
>> >
>> > That's what ESTABLISHED is for, in firewall jargon (you accept packets
>> > belonging to an established TCP connection).
>> >
>> 
>> You're not gonna have any ESTABLISHED connections in your firewall if
>> you're _initiating_ the connection. ;)
>> 
>> if my firewall has the following rules:
>>  - default drop
>>  - rule 10 accept established
>> 
>> the command:
>> rsync (whatever switches) user@remote-host:/path/to/files/ /local/
>> 
>> Will fail to connect to remote-host, as the rsync command is not
>> connecting across a previously established link. 
>
> You're holding it wrong :)
>
> Remote-host has to allow connections (from wherever, perhaps only
> from the backup host) *to* its port 22. The ESTABLISHED is for
> rsync's "other leg".

You do realize that the thread of discussion you hopped onto was
specifically talking about if the "server box" was _initiating_
connections, right?

Of course if the server is simply responding to incoming requests,
"accept established" would let the responses back out.


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
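As an added example that is not part of this thread or either poster's setup: an nftables ruleset for the case under discussion, where the backup host only initiates rsync-over-SSH and accepts no incoming connections at all. The remote address 192.0.2.10 and the DNS/NTP rules are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): a backup host that only *initiates*
# rsync-over-SSH to the machines it backs up. Addresses and the DNS/NTP
# rules are assumptions for illustration.
flush ruleset

table inet backup_fw {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        # Replies to connections this host opened ("rsync's other leg").
        ct state established,related accept
        ct state invalid drop
        # "No incoming ports": nothing else is accepted here.
    }

    chain output {
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        # The rule the thread argues about. On its own it is NOT enough
        # for an outgoing rsync: the first SYN of the ssh session is
        # ct state new, so it would be dropped here, as Dan describes.
        ct state established,related accept

        # What actually lets the outgoing rsync through: allow NEW
        # connections to SSH on the backed-up host(s). Conntrack then
        # matches the replies as established in the input chain, so the
        # client's ephemeral source port never has to be listed.
        ip daddr 192.0.2.10 tcp dport 22 ct state new accept

        # "Other required outgoing ports" (assumed here): DNS and NTP.
        udp dport { 53, 123 } ct state new accept
        tcp dport 53 ct state new accept
    }
}
```

Load with `nft -f` on the backup host; anything not explicitly allowed as a new outbound connection in `output` will be dropped, which is how the "other required ports" question gets answered one rule at a time.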

