-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Mar 22, 2017 at 11:57:44AM -0000, Dan Purgert wrote:
> <to...@tuxteam.de> wrote:
> >
> > On Wed, Mar 22, 2017 at 10:35:13AM -0000, Dan Purgert wrote:
> >> David Christensen wrote:
> >> > On 03/17/2017 03:31 AM, Dan Purgert wrote:
> >> >> David Christensen wrote:
> >> >>> On 03/13/2017 05:38 AM, Dan Purgert wrote:
> >> >>> [...]
> >> >
> >> > I should clarify that:
> >> >
> >> > "The backup server can be firewalled with no incoming ports and
> >> > outgoing ports limited to SSH and other required ports".
> >> >
> >> >
> >> > I still need to figure out the "other required outgoing ports".
> >> > Suggestions and comments are welcome.
> >>
> >> Unfortunately, pretty much "all ephemeral ports", if the server is
> >> running things that initiate connections. Some programs allow you to
> >> specify what ports they're connecting from, but not all.
> >
> > That's what ESTABLISHED is for, in firewall jargon (you accept packets
> > belonging to an established TCP connection).
> >
>
> You're not gonna have any ESTABLISHED connections in your firewall if
> you're _initiating_ the connection. ;)
>
> if my firewall has the following rules:
> - default drop
> - rule 10 accept established
>
> the command:
> rsync (whatever switches) user@remote-host:/path/to/files/ /local/
>
> Will fail to connect to remote-host, as the rsync command is not
> connecting across a previously established link.
You're holding it wrong :)

Remote-host has to allow connections (from wherever, perhaps only from
the backup host) *to* its port 22. The ESTABLISHED is for rsync's
"other leg".

- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAljSa/wACgkQBcgs9XrR2kbrjwCeNwPfsjE3wFnfWm/pQJGlLc+j
SwwAnAtDVJZiH34L3jLTi45dlFz8PPcK
=ue1R
-----END PGP SIGNATURE-----
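As an added illustration that is not part of the thread, here is a small Python model of the connection-tracking behaviour the two posters are arguing about. It is a constructed simulation, not a real firewall: the host names, the ephemeral port 51234 and the two-host scenario are made up, and the rule semantics follow netfilter's conntrack states (NEW for the first packet of a flow, ESTABLISHED for every packet of a flow that has already been accepted). The backup host has a default-drop INPUT chain with no inbound openings and an OUTPUT chain that only lets NEW connections out to port 22; the remote host lets NEW connections in on port 22. Running the scenario shows why the rsync-over-SSH run succeeds without opening "all ephemeral ports" inbound, and why the ESTABLISHED rule is about the flow's state, not about who initiated it.

```python
"""Constructed model of a stateful (connection-tracking) packet filter.

Models, in simplified form, a ruleset such as:
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
No real firewall is touched; hosts and ports below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Per-host filter: default-drop INPUT and OUTPUT chains plus a conntrack table."""

    def __init__(self, host, allow_in_new_dports=(), allow_out_new_dports=()):
        self.host = host
        self.allow_in_new_dports = set(allow_in_new_dports)    # inbound NEW allowed on these dports
        self.allow_out_new_dports = set(allow_out_new_dports)  # outbound NEW allowed to these dports
        self.conntrack = set()  # flows this host has already accepted (both directions share a key)

    def _key(self, pkt):
        # Normalise both directions of a flow to one key so the reply
        # (remote:22 -> backup:51234) matches the request (backup:51234 -> remote:22).
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (pkt.proto,) + (a + b if a <= b else b + a)

    def state(self, pkt):
        return "ESTABLISHED" if self._key(pkt) in self.conntrack else "NEW"

    def filter(self, pkt):
        """Return 'ACCEPT' or 'DROP' for a packet entering or leaving this host."""
        st = self.state(pkt)
        if pkt.dst == self.host:      # INPUT chain
            accept = st == "ESTABLISHED" or pkt.dport in self.allow_in_new_dports
        elif pkt.src == self.host:    # OUTPUT chain
            accept = st == "ESTABLISHED" or pkt.dport in self.allow_out_new_dports
        else:                         # not our traffic at all
            return "DROP"
        if accept and st == "NEW":
            self.conntrack.add(self._key(pkt))  # first accepted packet creates the flow entry
        return "ACCEPT" if accept else "DROP"


def backup_scenario():
    """Walk the rsync-over-SSH exchange from the thread through both hosts' filters."""
    backup = StatefulFirewall("backup", allow_in_new_dports=(), allow_out_new_dports={22})
    remote = StatefulFirewall("remote", allow_in_new_dports={22})
    verdicts = {}

    # 1. backup initiates: first packet is NEW, leaves via OUTPUT to remote:22 (allowed)
    syn = Packet("backup", 51234, "remote", 22)
    verdicts["syn_leaves_backup"] = backup.filter(syn)
    verdicts["syn_enters_remote"] = remote.filter(syn)      # remote's INPUT allows NEW to 22

    # 2. remote answers from port 22 to the ephemeral port: ESTABLISHED on both hosts,
    #    so backup's INPUT accepts it without any inbound port being opened
    reply = Packet("remote", 22, "backup", 51234)
    verdicts["reply_leaves_remote"] = remote.filter(reply)
    verdicts["reply_enters_backup"] = backup.filter(reply)

    # 3. unsolicited inbound connection to the backup host's own sshd: NEW, dropped
    verdicts["unsolicited_to_backup"] = backup.filter(Packet("elsewhere", 40000, "backup", 22))

    # 4. a packet aimed at the live ephemeral port but from a different peer:
    #    different 4-tuple, so still NEW, still dropped
    verdicts["other_peer_to_ephemeral"] = backup.filter(Packet("elsewhere", 22, "backup", 51234))

    # 5. outbound to a port that is not in the allowed outbound set (rsync daemon, 873): dropped
    verdicts["rsyncd_out"] = backup.filter(Packet("backup", 51235, "remote", 873))
    return verdicts


if __name__ == "__main__":
    for name, verdict in backup_scenario().items():
        print(f"{name:26s} {verdict}")
```

The model deliberately leaves out RELATED, timeouts and TCP flag checks; its only job is to show that "accept established" on the backup host's INPUT chain admits the return half of a connection the backup host itself opened, while the outbound NEW rule is what limits which ports the backup host can reach.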