Hi Andrew,

On Wed, 6 May 2020, Andrew Leer wrote:

> I'm setting up an OpenWrt router with separate subnets for:
>
> - WAN
> - DMZ
> - Admin Access LAN
> - Kids LAN
> - Backup / BareOS LAN
>
> I have systems on each of these subnets that I would like to back up with my
> BareOS-dir.
>
> Any idea how the Input, Output and Forward rules ought to be set up between
> subnets?

You only need to care about FORWARD - except if you want to back up your router itself, too - then you'll need to allow INPUT from the director and OUTPUT to the storage-daemon.


> I'm confused because as far as I know the BareOS-fd contacts the director to
> initiate the backup and not the other way around.

No, the bareos-dir connects to the bareos-fd to initiate the backup, but the bareos-fd connects to the bareos-sd to actually store the data. I *think* the bareos-dir needs access to the bareos-sd, too (to query the status, for example) - which is no issue, as they are on the same subnet. Also, you may want to back up the director itself, too, so you'll need to pass this traffic anyways.


> I asked about it here, and they told me I should have access control
> (firewall rules) that limit what each machine on a subnet can / can't
> communicate with the dir / sd.
>
> My BareOS setup isn't very custom, so using the default ports what needs to
> communicate which way so the firewall rules are set up correctly?

9102 is the (server-side) port used by the director to connect to the filedaemon.
9103 is the (server-side) port used by the filedaemon to connect to the storage daemon.

If I understand your setup correctly, you need to route the following:

- --dport 9103 -d $bareos_sd_ip
- --dport 9102 -s $bareos_dir_ip

You could restrict the source/destination ip/netmask/interface additionally, if you like tighter rules (e.g. to disallow backups to run on *any* machine in these subnets).


> Thank you,
>
> Andrew J. Leer
> BareOS Backup Presentation at the CPLUG

HTH,
Erich
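
The two forwarding rules described in this message, written out in the iptables syntax it uses, as an added example that is not part of the original e-mail. All addresses and subnets are constructed sample values, the function name is hypothetical, and the script assumes forwarding between these subnets is otherwise rejected; it only prints the commands, it does not apply them.

```shell
#!/bin/sh
# Added example: render iptables FORWARD rules for Bareos traffic that
# crosses the router. Nothing is applied; the commands are printed.

DIR_IP="192.168.50.10"   # bareos-dir on the backup LAN (constructed)
SD_IP="192.168.50.11"    # bareos-sd on the backup LAN (constructed)
# Subnets that contain machines running a bareos-fd (constructed)
CLIENT_NETS="192.168.10.0/24 192.168.20.0/24 192.168.30.0/24"

# Accept only characters that can appear in an IPv4 address or CIDR block,
# so a stray value cannot smuggle extra shell syntax into the output.
is_addr() {
    case $1 in
        ''|*[!0-9./]*) return 1 ;;
    esac
}

# Usage: bareos_forward_rules DIR_IP SD_IP CLIENT_NET...
bareos_forward_rules() {
    [ "$#" -ge 3 ] || { echo "need DIR_IP SD_IP CLIENT_NET..." >&2; return 1; }
    for a in "$@"; do
        is_addr "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    dir_ip=$1
    sd_ip=$2
    shift 2

    # Return traffic for the connections accepted below.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for net in "$@"; do
        # Director opens the connection to the file daemon (9102/tcp).
        echo "iptables -A FORWARD -p tcp -s $dir_ip -d $net --dport 9102 -m conntrack --ctstate NEW -j ACCEPT"
        # File daemon opens the connection to the storage daemon (9103/tcp).
        echo "iptables -A FORWARD -p tcp -s $net -d $sd_ip --dport 9103 -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# $CLIENT_NETS is left unquoted on purpose so it splits into one argument per subnet.
bareos_forward_rules "$DIR_IP" "$SD_IP" $CLIENT_NETS
```

For the tighter variant mentioned in the reply, pass individual client addresses instead of whole subnets.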
