-%%
-%%
-
\chapter{Dealing with Firewalls}
\label{FirewallsChapter}
\index[general]{Dealing with Firewalls }
If you have a firewall or a DMZ installed on your computer, you may experience
difficulties contacting one or more of the Clients to back them up. This is
-especially true if you are trying to backup a Client across the Internet.
+especially true if you are trying to backup a Client across the Internet.
\section{Technical Details}
\index[general]{Technical Details }
\index[general]{Details!Technical }
If you are attempting to do this, the sequence of network events in Bacula to
-do a backup are the following:
+do a backup are the following:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
Console -> DIR:9101
DIR -> SD:9103
DIR -> FD:9102
FD -> SD:9103
-\end{verbatim}
-\normalsize
+\end{lstlisting}
+
Where hopefully it is obvious that DIR represents the Director, FD the File
daemon or client, and SD the Storage daemon. The numbers that follow those
names are the standard ports used by Bacula, and the \verb:->: represents the
left side making a connection to the right side (i.e. the right side is the
"server" or is listening on the specified port), and the left side is the
-"client" that initiates the conversation.
+"client" that initiates the conversation.
Note, port 9103 serves both the Director and the File daemon, each having its
-own independent connection.
+own independent connection.
-If you are running {\bf iptables}, you might add something like:
+If you are running {\bf iptables}, you might add something like:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
-A FW-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9101:9103 -j ACCEPT
-\end{verbatim}
-\normalsize
+\end{lstlisting}
-on your server, and
+on your server, and
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
-A FW-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9102 -j ACCEPT
-\end{verbatim}
-\normalsize
+\end{lstlisting}
on your client. In both cases, I assume that the machine is allowed to
initiate connections on any port. If not, you will need to allow outgoing
connections on ports 9102 and 9103 on your server and 9103 on your client.
-Thanks to Raymond Norton for this tip.
+Thanks to Raymond Norton for this tip.
\section{A Concrete Example}
\index[general]{Example!Concrete }
network because it connects to the internet through a NAT'd firewall. We will
call the network on the public (internet) side of the NAT'd firewall the
'external' network. Also, for the sake of discussion we will call my bacula
-server:
+server:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
server.int.mydomain.tld
-\end{verbatim}
-\normalsize
+\end{lstlisting}
-when a fully qualified domain name is required, or simply:
+when a fully qualified domain name is required, or simply:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
server
-\end{verbatim}
-\normalsize
+\end{lstlisting}
if a hostname is adequate. We will call the various bacula daemons running on
-the server.int.mydomain.tld machine:
+the server.int.mydomain.tld machine:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
server-fd
server-sd
server-dir
-\end{verbatim}
-\normalsize
+\end{lstlisting}
In addition, I have two clients that I want to back up with Bacula. The first
-client is on the internal network. Its fully qualified domain name is:
+client is on the internal network. Its fully qualified domain name is:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
private1.int.mydomain.tld
-\end{verbatim}
-\normalsize
+\end{lstlisting}
-And its hostname is:
+And its hostname is:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
private1
-\end{verbatim}
-\normalsize
+\end{lstlisting}
-This machine is a client and therefore runs just one bacula daemon:
+This machine is a client and therefore runs just one bacula daemon:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
private1-fd
-\end{verbatim}
-\normalsize
+\end{lstlisting}
The second client is on the external network. Its fully qualified domain name
-is:
+is:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
public1.mydomain.tld
-\end{verbatim}
-\normalsize
+\end{lstlisting}
-And its hostname is:
+And its hostname is:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
public1
-\end{verbatim}
-\normalsize
+\end{lstlisting}
-This machine also runs just one bacula daemon:
+This machine also runs just one bacula daemon:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
public1-fd
-\end{verbatim}
-\normalsize
+\end{lstlisting}
Finally, I have a NAT firewall/gateway with two network interfaces. The first
interface is on the internal network and serves as a gateway to the internet
for all the machines attached to the internal network (For example,
server.int.mydomain.tld and private1.int.mydomain.tld). The second interface
is on the external (internet) network. The external interface has been
-assigned the name:
+assigned the name:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
firewall.mydomain.tld
-\end{verbatim}
-\normalsize
+\end{lstlisting}
-Remember:
+Remember:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
*.int.mydomain.tld = internal network
*.mydomain.tld = external network
-\end{verbatim}
-\normalsize
+\end{lstlisting}
\subsection{The Bacula Configuration Files for the Above}
\index[general]{Above!Bacula Configuration Files for the }
\index[general]{Bacula Configuration Files for the Above }
server-sd manages a 4 tape AIT autoloader. All of my backups are written to
-server-sd. I have just *one* Device resource in my server-sd.conf file:
+server-sd. I have just *one* Device resource in my server-sd.conf file:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
Autochanger {
Name = "autochanger1";\
Device = Drive0
Fast Forward Space File = No
BSF at EOM = yes
}
-\end{verbatim}
-\normalsize
+\end{lstlisting}
-(note, please see
+(note, please see
\ilink{the Tape Testing}{FreeBSDTapes} chapter of this manual
for important FreeBSD information.) However, unlike previously, there
-is only one Storage definition in my server-dir.conf file:
+is only one Storage definition in my server-dir.conf file:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
Storage {
Name = "autochanger1" # Storage device for backing up
Address = Storage-server
Media Type = AIT-1
Autochanger = yes
}
-\end{verbatim}
-\normalsize
+\end{lstlisting}
Note that the Storage resource uses neither of the two addresses to
the Storage daemon -- neither server.int.mydomain.tld nor
In addition to the above, I have two Client resources defined in
-server-dir.conf:
+server-dir.conf:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
Client {
Name = private1-fd
Address = private1.int.mydomain.tld
Catalog = MyCatalog
Password = "mysecretpassword" # password for FileDaemon
}
-\end{verbatim}
-\normalsize
+\end{lstlisting}
And finally, to tie it all together, I have two Job resources defined in
-server-dir.conf:
+server-dir.conf:
-\footnotesize
-\begin{verbatim}
+\begin{lstlisting}
Job {
Name = "Private1-Backup"
Type = Backup
Write Bootstrap = "/var/db/bacula/Public1-Backup.bsr"
Priority = 13
}
-\end{verbatim}
-\normalsize
+\end{lstlisting}
It is important to notice that because the 'Private1-Backup' Job is intended
to back up a machine on the internal network so it resolves Storage-server
I have left the Pool, Catalog, Messages, FileSet, Schedule, and Director
resources out of the above server-dir.conf examples because they are not
-pertinent to the discussion.
+pertinent to the discussion.
\subsection{How Does It Work?}
\index[general]{How Does It Work? }
\index[general]{Work!How Does It }
If I want to run a backup of private1.int.mydomain.tld and store that backup
-using server-sd then my understanding of the order of events is this:
+using server-sd then my understanding of the order of events is this:
\begin{enumerate}
-\item I execute my Bacula 'console' command on server.int.mydomain.tld.
-\item console connects to server-dir.
-\item I tell console to 'run' backup Job 'Private1-Backup'.
-\item console relays this command to server-dir.
-\item server-dir connects to private1-fd at private1.int.mydomain.tld:9102
+\item I execute my Bacula 'console' command on server.int.mydomain.tld.
+\item console connects to server-dir.
+\item I tell console to 'run' backup Job 'Private1-Backup'.
+\item console relays this command to server-dir.
+\item server-dir connects to private1-fd at private1.int.mydomain.tld:9102
\item server-dir tells private1-fd to start sending the files defined in the
- 'Private1-Backup' Job's FileSet resource to the Storage resource
- 'autochanger1', which we have defined in server-dir.conf as having the
+ 'Private1-Backup' Job's FileSet resource to the Storage resource
+ 'autochanger1', which we have defined in server-dir.conf as having the
address:port of Storage-server, which is mapped by DNS to server.int.mydomain.tld.
-\item private1-fd connects to server.int.mydomain.tld:9103 and begins sending
- files.
+\item private1-fd connects to server.int.mydomain.tld:9103 and begins sending
+ files.
\end{enumerate}
Alternatively, if I want to run a backup of public1.mydomain.tld and store
that backup using server-sd then my understanding of the order of events is
-this:
+this:
\begin{enumerate}
-\item I execute my Bacula 'console' command on server.int.mydomain.tld.
-\item console connects to server-dir.
-\item I tell console to 'run' backup Job 'Public1-Backup'.
-\item console relays this command to server-dir.
-\item server-dir connects, through the NAT'd firewall, to public1-fd at
- public1.mydomain.tld:9102
+\item I execute my Bacula 'console' command on server.int.mydomain.tld.
+\item console connects to server-dir.
+\item I tell console to 'run' backup Job 'Public1-Backup'.
+\item console relays this command to server-dir.
+\item server-dir connects, through the NAT'd firewall, to public1-fd at
+ public1.mydomain.tld:9102
\item server-dir tells public1-fd to start sending the files defined in the
- 'Public1-Backup' Job's FileSet resource to the Storage resource
- 'autochanger1', which we have defined in server-dir.conf as having the
+ 'Public1-Backup' Job's FileSet resource to the Storage resource
+ 'autochanger1', which we have defined in server-dir.conf as having the
same address:port as above of Storage-server, but which on this machine
- is resolved to firewall.mydomain.tld:9103.
-\item public1-fd connects to firewall.mydomain.tld:9103 and begins sending
- files.
+ is resolved to firewall.mydomain.tld:9103.
+\item public1-fd connects to firewall.mydomain.tld:9103 and begins sending
+ files.
\end{enumerate}
\subsection{Important Note}
In order for the above 'Public1-Backup' Job to succeed,
firewall.mydomain.tld:9103 MUST be forwarded using the firewall's
configuration software to server.int.mydomain.tld:9103. Some firewalls call
-this 'Server Publication'. Others may call it 'Port Forwarding'.
+this 'Server Publication'. Others may call it 'Port Forwarding'.
\subsection{Firewall Problems}
\index[general]{Firewall Problems}
and set an interval of say five minutes.
Also, if you have denial of service rate limiting in your firewall, this
-too can cause Bacula disconnects since Bacula can at times use very high
+too can cause Bacula disconnects since Bacula can at times use very high
access rates. To avoid this, you should implement default accept
rules for the Bacula ports involved before the rate limiting rules.
Finally, if you have a Windows machine, it will most likely by default
-disallow connections to the Bacula Windows File daemon. See the
+disallow connections to the Bacula Windows File daemon. See the
Windows chapter of this manual for additional details.
projects / bacula / docs / blobdiff