Client behind a firewall problem


Client behind a firewall problem

Matthias Vogt
Hi,

I want to run Bacula 1.34.4 in a productive environment. Internal backups work fine but I can't set up Bacula to back up servers which are in our DMZ. I tried the steps from "Dealing with Firewalls" from the User's manual. My settings were:

- SD and DIR run on one internal server
- bacula-dir.conf

# internal client
Client {
  Name = basis-server-fd
  Address = basis-server.w-commerce.intern
  FDPort = 9102
  Catalog = MyCatalog
  Password = "hidden"          
  File Retention = 30 days            
  Job Retention = 6 months          
  AutoPrune = yes                    
}
# external client
Client {
  Name = dnsserver-fd
  Address = ns.w-commerce.de
  FDPort = 9102
  Catalog = MyCatalog
  Password = "hidden"        
  File Retention = 30 days            
  Job Retention = 6 months          
  AutoPrune = yes                    
}

# Definition of my Storages
Storage {
  Name = TapeStorage-external  
  Address = firewall.w-commerce.de              
  SDPort = 9103
  Password = "hidden"        
  Device = "HP-Ultrium 2"                    
  Media Type = LTO                  
}

Storage {
  Name = TapeStorage-internal    
  Address = basis-server.w-commerce.intern                
  SDPort = 9103
  Password = "hidden"        
  Device = "HP-Ultrium 2"                      
  Media Type = LTO                  
}

# Backup job for the external server
Job {
  Name = "Backup ns-server"
  Write Bootstrap = "/var/lib/bacula/ns-server-backup.bsr"
  Type = Backup
  Level = Full
  FileSet = "Full Set"
  Storage = TapeStorage-external
  Messages = Standard
  Pool = Default
  Client = dnsserver-fd
}

Every time I run the job for the external backup the DIR tries to connect to the firewall, which the DIR treats as the SD! Is this behavior right? I thought the DIR first connects to the external client (dnsserver-fd) and tells it which storage object the FD should use. Can anyone help me? Did I configure the DIR wrong?

Thanks


______________________________________________________________
Send romantic, cool and funny pictures by SMS!
Now at WEB.DE FreeMail: http://f.web.de/?mc=021193



-------------------------------------------------------
This SF.Net email is sponsored by Yahoo.
Introducing Yahoo! Search Developer Network - Create apps using Yahoo!
Search APIs Find out how you can build Yahoo! directly into your own
Applications - visit http://developer.yahoo.net/?fr=offad-ysdn-ostg-q22005
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: Client behind a firewall problem

Arno Lehmann
Hello,

Matthias Vogt wrote:

> Hi,
>
> I want to run Bacula 1.34.4 in a productive environment. Internal backups work fine but I can't set up Bacula to back up servers which are in our DMZ. I tried the steps from "Dealing with Firewalls" from the User's manual. My settings were:

You should consider using a more current version. This shouldn't do
anything to your problem now, but later (apart from bug fixes and
features) support from this list will be much better.

> - SD and DIR run on one internal server
> - bacula-dir.conf
>
> # internal client
> Client {
>   Name = basis-server-fd
>   Address = basis-server.w-commerce.intern
>   FDPort = 9102
>   Catalog = MyCatalog
>   Password = "hidden"          
>   File Retention = 30 days            
>   Job Retention = 6 months          
>   AutoPrune = yes                    
> }
> # external client
> Client {
>   Name = dnsserver-fd
>   Address = ns.w-commerce.de
>   FDPort = 9102
>   Catalog = MyCatalog
>   Password = "hidden"        
>   File Retention = 30 days            
>   Job Retention = 6 months          
>   AutoPrune = yes                    
> }
>
> # Definition of my Storages
> Storage {
>   Name = TapeStorage-external  
>   Address = firewall.w-commerce.de              
>   SDPort = 9103
>   Password = "hidden"        
>   Device = "HP-Ultrium 2"                    
>   Media Type = LTO                  
> }
>
> Storage {
>   Name = TapeStorage-internal    
>   Address = basis-server.w-commerce.intern                
>   SDPort = 9103
>   Password = "hidden"        
>   Device = "HP-Ultrium 2"                      
>   Media Type = LTO                  
> }
>
> # Backup job for the external server
> Job {
>   Name = "Backup ns-server"
>   Write Bootstrap = "/var/lib/bacula/ns-server-backup.bsr"
>   Type = Backup
>   Level = Full
>   FileSet = "Full Set"
>   Storage = TapeStorage-external
>   Messages = Standard
>   Pool = Default
>   Client = dnsserver-fd
> }
>
> Every time I run the job for the external backup the DIR tries to connect to the firewall, which the DIR treats as the SD! Is this behavior right? I thought the DIR first connects to the external client (dnsserver-fd) and tells it which storage object the FD should use. Can anyone help me? Did I configure the DIR wrong?

Erm...
Actually, I don't understand your configuration.

What is the server the DIR and SD run on? It is quite important that
this one can be reached from both sides of your firewall - in my
opinion, setting up the necessary firewall rules is easier than working
with different host names in the internal net and the DNS one, but that
depends on your setup.

Bacula requires connections from the DIR to the SD and the FD. The DIR
tells the FD which SD to connect, so, to keep yourself sane, I prefer
using a single name space.

Unless your host basis-server.w-commerce.intern is actually the same
machine as firewall.w-commerce.de (which, guessing from the names, I
really wouldn't recommend!) your setup is broken.

Without having more information about your network, I'd suggest that you
make sure you can reach the machine with the SD from the client under
the address given in the storage resource.

Arno

> Thanks

--
IT-Service Lehmann                    [hidden email]
Arno Lehmann                  http://www.its-lehmann.de



Re: Client behind a firewall problem

Arno Lehmann
In reply to this post by Matthias Vogt
Hello,

you sent your mail to me only, which is nice, but probably not what you
intended. Just remember to use the reply-all function of your mailer, and
the SF mailing lists work better :-)

Matthias Vogt wrote:

> Hi,
>
> First of all, I am going to test version 1.36.0. Additionally, here are some more explanations on the network.
>
> DIR and SD are running internally on basis-server.w-commerce.intern
> FDs are running on external servers in the DMZ; also there are a few internal FDs which work fine
> DNS name of the external firewall interfaces is firewall.w-commerce.de
>
> Simple network view:
> DMZ |---- | Firewall |----|internal (basis-server.w-commerce.intern)
>
> I did the proper setup of the firewall. I can connect to external FDs from internal and I can connect to DIR and SD from external (tested with telnet and bconsole respectively). Running a backup job for an external client would have the following sequence:
>
> 1. DIR connects to FD
> 2. DIR tells FD which Storage (and its address) to use
> 3. FD connects to the given Storage address (in my case firewall.w-commerce.de, which makes a DNAT to the internal SD (basis-server.w-commerce.intern))
> 4. Job should run.
>
> Actually the DIR tries to connect to the SD first and I don't know why. Does anyone have a solution for this problem, or has anyone done a similar setup which works? I have to get rid of this awful afbackup software which my employer uses.

As far as I know the DIR tells the SD to expect the connection from the
FD and which credentials to accept.

Ok, I looked that up for you ;-)
http://www.bacula.org/rel-manual/Dealing_with_Firewalls.html

What I don't know after your mail - does Bacula work for you now or does
it still cause trouble crossing the firewall?

Arno

> Many thanks
>
> Matty

--
IT-Service Lehmann                    [hidden email]
Arno Lehmann                  http://www.its-lehmann.de



Re: Client behind a firewall problem

Matthias Vogt
In reply to this post by Matthias Vogt
Hi,

I finally solved the problem this way. The solution is Bacula-version independent. A backup job conversation goes like this:

1. DIR tells SD to accept data from the FD
2. DIR tells FD which SD (and address) to use
3. FD starts sending data to the SD address.

In the case that your client is behind a firewall, you have to set the firewall's address in an additional storage object in bacula-dir.conf. In my case:

Storage {
  Name = "TapeStorage external"    
  Address = firewall.w-commerce.de                
  SDPort = 9103
  Password = "....."          
  Device = HP-Ultrium2                      
  Media Type = LTO                
}

Next, set up your firewall. Ensure that it does DNAT from the external firewall IP to your internal SD IP on port 9103. If you run a backup job, DIR tries to connect to the SD IP, in my case firewall.w-commerce.de. At this point the backup fails because DIR can't connect to SD.

Now the trick: append an additional DNAT rule in the OUTPUT chain at your DIR server, which should do a DNAT to your SD server if the destination address is your firewall and the destination port is 9103. In my case:

# iptables -t nat -A OUTPUT -p tcp -d firewall.w-commerce.de --dport 9103 -j DNAT --to-destination 192.168.66.150

Now I can backup my external clients :-)

Best regards
Matty
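The three-step conversation and the two DNAT rules described in the post above, replayed in a small Python model. This is an added example, not code from the thread or from Bacula: the hosts and addresses (203.0.113.x outside, 192.168.66.x inside), the interface names eth0/eth1, and the assumption that the firewall's PREROUTING rule is bound to the outside interface are all constructed here. It shows why the job fails with the firewall's DNAT alone (the DIR's own connection to firewall:9103 leaves from the inside and never hits that rule), why the nat OUTPUT rule on the DIR host fixes it, and how restricting the firewall rule to the DMZ client's source address keeps the SD port unreachable from any other Internet host.

```python
"""Replay the Bacula job connections (DIR -> SD, DIR -> FD, FD -> SD) across a
DMZ firewall against a small DNAT rule table.  Added illustration, not code from
the bacula-users thread or from Bacula; hosts, addresses and interface names are
constructed sample values."""
from dataclasses import dataclass
from typing import Optional

SD_PORT = 9103
FD_PORT = 9102

# Constructed addressing: TEST-NET-3 outside, RFC 1918 inside.
SD_INTERNAL = "192.168.66.150"   # basis-server: DIR and SD run here
FW_EXTERNAL = "203.0.113.10"     # firewall.w-commerce.de, external interface
DMZ_CLIENT = "203.0.113.20"      # ns.w-commerce.de (dnsserver-fd)
STRANGER = "198.51.100.7"        # an unrelated Internet host


@dataclass(frozen=True)
class DnatRule:
    host: str                        # "firewall" or "dir-server"
    chain: str                       # "PREROUTING" (arriving) or "OUTPUT" (locally generated)
    dst: str
    dport: int
    to: str
    in_iface: Optional[str] = None   # PREROUTING: only packets arriving on this interface
    src: Optional[str] = None        # optional source match: only this client is forwarded

    def matches(self, src, dst, dport, in_iface):
        return (dst == self.dst and dport == self.dport
                and (self.in_iface is None or self.in_iface == in_iface)
                and (self.src is None or self.src == src))

    def to_iptables(self):
        """Render the rule as an iptables command (hypothetical interface names)."""
        parts = ["iptables", "-t", "nat", "-A", self.chain, "-p", "tcp"]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.src:
            parts += ["-s", self.src]
        parts += ["-d", self.dst, "--dport", str(self.dport),
                  "-j", "DNAT", "--to-destination", self.to]
        return " ".join(parts)


def side(ip):
    """Which side of the firewall an address is on (constructed topology)."""
    return "internal" if ip.startswith("192.168.66.") else "external"


def connect(rules, src_host, src_ip, dst_ip, dport):
    """Return the address a TCP connection from src actually lands on."""
    # Traffic the DIR host generates itself passes its own nat OUTPUT chain first.
    if src_host == "dir-server":
        for r in rules:
            if r.host == "dir-server" and r.chain == "OUTPUT" and r.matches(src_ip, dst_ip, dport, None):
                dst_ip = r.to
                break
    # Connections to the firewall's public address go through its PREROUTING
    # chain; a rule bound to the outside interface ignores packets from inside.
    if dst_ip == FW_EXTERNAL:
        in_iface = "eth0" if side(src_ip) == "external" else "eth1"
        for r in rules:
            if r.host == "firewall" and r.chain == "PREROUTING" and r.matches(src_ip, dst_ip, dport, in_iface):
                return r.to
        return FW_EXTERNAL   # not rewritten: the connection ends on the firewall itself
    return dst_ip            # direct delivery (firewall assumed to permit 9102 into the DMZ)


def run_backup_job(rules, storage_address, client_ip):
    """Walk the three connections of one job; each step records whether it reached its peer."""
    return [
        ("DIR -> SD", connect(rules, "dir-server", SD_INTERNAL, storage_address, SD_PORT) == SD_INTERNAL),
        ("DIR -> FD", connect(rules, "dir-server", SD_INTERNAL, client_ip, FD_PORT) == client_ip),
        ("FD -> SD", connect(rules, "client", client_ip, storage_address, SD_PORT) == SD_INTERNAL),
    ]


def job_succeeds(rules, storage_address, client_ip):
    return all(ok for _, ok in run_backup_job(rules, storage_address, client_ip))


# Rule set 1: the firewall forwards port 9103 to the SD, but only for the known
# DMZ client arriving on the outside interface (least privilege for the SD port).
FIREWALL_ONLY = [
    DnatRule("firewall", "PREROUTING", FW_EXTERNAL, SD_PORT, SD_INTERNAL, in_iface="eth0", src=DMZ_CLIENT),
]

# Rule set 2: the same plus the thread's "trick": the DIR host rewrites its own
# outgoing firewall:9103 connections to the internal SD address.
WITH_DIR_OUTPUT_DNAT = FIREWALL_ONLY + [DnatRule("dir-server", "OUTPUT", FW_EXTERNAL, SD_PORT, SD_INTERNAL)]

if __name__ == "__main__":
    for name, rules in (("firewall only", FIREWALL_ONLY), ("with DIR OUTPUT DNAT", WITH_DIR_OUTPUT_DNAT)):
        print(f"== {name} ==")
        for step, ok in run_backup_job(rules, FW_EXTERNAL, DMZ_CLIENT):
            print(f"  {step}: {'ok' if ok else 'FAILS'}")
        for r in rules:
            print("  " + r.to_iptables())
```

Running it prints the three steps for both rule sets and the equivalent iptables commands. One practical caveat for the real rule: iptables resolves a hostname given to -d once, when the rule is inserted, so the DIR host's OUTPUT rule is better written with the firewall's address than with its name.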




__________________________________________________________
Call worldwide with WEB.DE FreePhone at the highest quality from 0 ct/min!
http://freephone.web.de/?mc=021201




Re: Re: Client behind a firewall problem

Dan Langille
On 30 May 2005 at 15:36, Matthias Vogt wrote:

> Hi,
>
> I finally solved the problem this way. The solution is Bacula-version
> independent. A backup job conversation goes like this:
>
> 1. DIR tells SD to accept data from the FD
> 2. DIR tells FD which SD (and address) to use
> 3. FD starts sending data to the SD address.
>
> In the case that your client is behind a firewall, you have to set the
> firewall's address in an additional storage object in bacula-dir.conf.
> In my case
>
> Storage {
>   Name = "TapeStorage external"    
>   Address = firewall.w-commerce.de                
>   SDPort = 9103
>   Password = "....."          
>   Device = HP-Ultrium2                      
>   Media Type = LTO                
> }
>
> Next, set up your firewall. Ensure that it does DNAT from the
> external firewall IP to your internal SD IP on port 9103. If you run a
> backup job, DIR tries to connect to SD IP, in my case
> firewall.w-commerce.de. At this point the backup fails because DIR
> can't connect to SD.
>
> Now the trick: append an additional DNAT rule in the OUTPUT chain at
> your DIR-Server, which should do a DNAT to your SD-Server if the
> destination address is your firewall and the destination port 9103. In
> my case:
>
> # iptables -t nat -A OUTPUT -p tcp -d firewall.w-commerce.de --dport 9103 -j DNAT --to-destination 192.168.66.150
>
> Now I can backup my external clients :-)

I've been doing this a slightly different way.

I create two SD resources.  One for the internal IP address
(10.0.0.*) and one for the external IP address (i.e. my gateway).  
Remote (external) clients use the latter address. Local clients use
the 10.0.0.* address.

This URL shows a bit more:
http://article.gmane.org/gmane.comp.sysutils.backup.bacula.general/2513
--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/



