<to...@tuxteam.de> wrote:
>
> On Wed, Mar 22, 2017 at 11:57:44AM -0000, Dan Purgert wrote:
>> <to...@tuxteam.de> wrote:
>> >
>> > On Wed, Mar 22, 2017 at 10:35:13AM -0000, Dan Purgert wrote:
>> >> David Christensen wrote:
>> >> > On 03/17/2017 03:31 AM, Dan Purgert wrote:
>> >> >> David Christensen wrote:
>> >> >>> On 03/13/2017 05:38 AM, Dan Purgert wrote:
>> >> >>> [...]
>> >> >
>> >> > I should clarify that:
>> >> >
>> >> > "The backup server can be firewalled with no incoming ports and
>> >> > outgoing ports limited to SSH and other required ports".
>> >> >
>> >> > I still need to figure out the "other required outgoing ports".
>> >> > Suggestions and comments are welcome.
>> >>
>> >> Unfortunately, pretty much "all ephemeral ports", if the server is
>> >> running things that initiate connections. Some programs allow you to
>> >> specify what ports they're connecting from, but not all.
>> >
>> > That's what ESTABLISHED is for, in firewall jargon (you accept packets
>> > belonging to an established TCP connection).
>> >
>>
>> You're not gonna have any ESTABLISHED connections in your firewall if
>> you're _initiating_ the connection. ;)
>>
>> If my firewall has the following rules:
>> - default drop
>> - rule 10 accept established
>>
>> the command:
>> rsync (whatever switches) user@remote-host:/path/to/files/ /local/
>>
>> will fail to connect to remote-host, as the rsync command is not
>> connecting across a previously established link.
>
> You're holding it wrong :)
>
> Remote-host has to allow connections (from wherever, perhaps only
> from the backup host) *to* its port 22. The ESTABLISHED is for
> rsync's "other leg".
You do realize that the thread of discussion you hopped onto was
specifically talking about if the "server box" was _initiating_
connections, right? Of course if the server is simply responding to
incoming requests, "accept established" would let the responses back out.

--
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
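The two positions in the thread are both about what a stateful "accept ESTABLISHED" rule actually matches. The following toy conntrack-style filter is an added illustration written for this page, not code from either poster or from any firewall project. It models a backup host with a default DROP policy on both INPUT and OUTPUT and walks the three-packet start of an outbound SSH/rsync session through two rulesets: one with only "accept ESTABLISHED,RELATED" and one that additionally accepts NEW outbound TCP to port 22. The addresses, the ephemeral source port and the packet sequence are constructed sample values; "ESTABLISHED_ONLY", "WITH_OUTBOUND_SSH" and all function names are names chosen here.

```python
"""Toy stateful (conntrack-style) packet filter, constructed for this page.

It shows that 'accept ESTABLISHED' matches only packets of a flow the
tracker has already confirmed, so a host that *initiates* connections
needs an explicit rule for NEW outbound traffic, while the reply leg of
that flow (whatever ephemeral source port the client picked) comes back
in on the ESTABLISHED rule.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving at the host, "out" = leaving the host
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    chain: str                          # "INPUT" or "OUTPUT"
    verdict: str                        # "ACCEPT" or "DROP"
    ctstate: Optional[Set[str]] = None  # e.g. {"ESTABLISHED", "RELATED"}; None = any
    proto: Optional[str] = None
    dport: Optional[int] = None


class StatefulFilter:
    """First-match rule evaluation with a minimal connection tracker."""

    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        self.rules = rules
        self.policy = policy          # chain policy when no rule matches
        self.conntrack = set()        # confirmed flows, keyed direction-independently

    @staticmethod
    def _key(p: Packet):
        # Normalise endpoints so both legs of a flow map to one entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        if a > b:
            a, b = b, a
        return (p.proto, a, b)

    def _state(self, p: Packet) -> str:
        return "ESTABLISHED" if self._key(p) in self.conntrack else "NEW"

    def filter(self, p: Packet) -> str:
        chain = "INPUT" if p.direction == "in" else "OUTPUT"
        state = self._state(p)
        verdict = self.policy
        for r in self.rules:
            if r.chain != chain:
                continue
            if r.ctstate is not None and state not in r.ctstate:
                continue
            if r.proto is not None and r.proto != p.proto:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            verdict = r.verdict
            break
        # Like netfilter, a NEW flow is only confirmed if its first packet passes.
        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack.add(self._key(p))
        return verdict


# Constructed sample addresses (RFC 5737 documentation ranges).
BACKUP, REMOTE = "192.0.2.10", "198.51.100.20"

ESTABLISHED_ONLY = [
    Rule("INPUT", "ACCEPT", {"ESTABLISHED", "RELATED"}),
    Rule("OUTPUT", "ACCEPT", {"ESTABLISHED", "RELATED"}),
]
WITH_OUTBOUND_SSH = ESTABLISHED_ONLY + [
    Rule("OUTPUT", "ACCEPT", {"NEW"}, proto="tcp", dport=22),
]


def rsync_over_ssh_exchange() -> List[Packet]:
    """Constructed start of the backup host's rsync-over-SSH session:
    SYN out from an ephemeral port, SYN/ACK back from port 22, ACK out."""
    return [
        Packet("out", "tcp", BACKUP, 51234, REMOTE, 22, syn=True),
        Packet("in", "tcp", REMOTE, 22, BACKUP, 51234, syn=True, ack=True),
        Packet("out", "tcp", BACKUP, 51234, REMOTE, 22, ack=True),
    ]


def run(rules: List[Rule]) -> List[str]:
    """Verdict for each packet of the exchange under the given ruleset."""
    fw = StatefulFilter(rules)
    return [fw.filter(p) for p in rsync_over_ssh_exchange()]


def unsolicited_inbound(rules: List[Rule]) -> str:
    """An inbound SYN nobody asked for: the 'no incoming ports' case."""
    fw = StatefulFilter(rules)
    return fw.filter(Packet("in", "tcp", REMOTE, 40000, BACKUP, 22, syn=True))


if __name__ == "__main__":
    print("established only :", run(ESTABLISHED_ONLY))      # all DROP
    print("plus outbound ssh:", run(WITH_OUTBOUND_SSH))     # all ACCEPT
    print("unsolicited inbound:", unsolicited_inbound(WITH_OUTBOUND_SSH))  # DROP
```

With only the ESTABLISHED rule, the very first outbound SYN is NEW, nothing matches it, the policy drops it and no flow is ever confirmed, so the session never starts. Adding one rule for NEW outbound TCP to port 22 lets the SYN through and confirms the flow; the SYN/ACK from the remote host is then ESTABLISHED and is accepted regardless of which ephemeral source port the client chose, so the source side never needs to be opened rule by rule. An unsolicited inbound SYN to the backup host is still dropped under both rulesets. The netfilter equivalent of the second ruleset is DROP policies on INPUT and OUTPUT, `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` in both chains, and `-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT` for each service the host is allowed to initiate.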