Safe OpenWrt / ipTables Firewall Setup for BareOS backup subnet?


Andrew Leer

May 6, 2020, 10:09:16 AM5/6/20
to bareos-users
I'm setting up an OpenWrt router with separate subnets for:

- WAN
- DMZ
- Admin Access LAN
- Kids LAN
- Backup / BareOS LAN

I have systems on each of these subnets that I would like to back up with my BareOS-dir.

Any idea how the Input, Output and Forward rules ought to be setup between subnets?

I'm confused because as far as I know the BareOS-fd contacts the director to initiate the backup and not the other way around.

I asked about it here, and they told me I should have access control (firewall rules) that limit what each machine on a subnet can / can't communicate with the dir / sd.

My BareOS setup isn't very custom, so using the default ports what needs to communicate which way so the firewall rules are setup correctly?

Thank you,

Andrew J. Leer

Andreas Haase

May 6, 2020, 10:18:54 AM5/6/20
to Andrew Leer, bareos-users
Hello,


On 06.05.2020 at 16:09, Andrew Leer <leea...@gmail.com> wrote:

> I have systems on each of these subnets that I would like to back up with my BareOS-dir.
>
> Any idea how the Input, Output and Forward rules ought to be setup between subnets?

The direction of communication can be changed in some ways by changing the client's configuration. The normal flow is that the director connects to the file daemon to tell it what to save and to which destination. The file daemon then connects to the destination and processes the backup.

Other possibilities are a passive client, where all connections are opened by the director and storage daemon to the file daemon, or client-initiated connections, which do what the name says.

Which concept is the right one for you depends on your planned network, the security level of the zones involved and where you place your backup server. If your backup server resides in the most secure zone, it isn't a good idea to configure a client on the internet to open the connections client-initiated.

Cheers,
Andreas

Erich Eckner

May 6, 2020, 10:28:48 AM5/6/20
to Andrew Leer, bareos-users

Hi Andrew,

On Wed, 6 May 2020, Andrew Leer wrote:

> I'm setting up an OpenWrt router with separate subnets for:
>
> - WAN
> - DMZ
> - Admin Access LAN
> - Kids LAN
> - Backup / BareOS LAN
>
> I have systems on each of these subnets that I would like to back up with my
> BareOS-dir.
>
> Any idea how the Input, Output and Forward rules ought to be setup between
> subnets?

You only need to care about FORWARD - except if you want to back up your
router itself, too - then you'll need to allow INPUT from the director and
OUTPUT to the storage daemon.

>
> I'm confused because as far as I know the BareOS-fd contacts the director to
> initiate the backup and not the other way around.

No, the bareos-dir connects to the bareos-fd to initiate the backup, but
the bareos-fd connects to the bareos-sd to actually store the data. I
*think* the bareos-dir needs access to the bareos-sd, too (to query the
status, for example) - which is no issue, as they are on the same subnet;
also you may want to back up the director itself, too, so you'll need to
pass this traffic anyway.

>
> I asked about it here, and they told me I should have access control
> (firewall rules) that limit what each machine on a subnet can / can't
> communicate with the dir / sd.
>
> My BareOS setup isn't very custom, so using the default ports what needs to
> communicate which way so the firewall rules are setup correctly?

9102 is the (server-side) port used by the director to connect to the
filedaemon
9103 is the (server-side) port used by the filedaemon to connect to the
storage daemon

If I understand your setup correctly, you need to route the following:

- --dport 9103 -d $bareos_sd_ip
- --dport 9102 -s $bareos_dir_ip

You could restrict the source/destination ip/netmask/interface
additionally, if you like tighter rules (e.g. to disallow backups to run
on *any* machine in these subnets).

>
> Thank you,
>
> Andrew J. Leer
> BareOS Backup Presentation at the CPLUG

HTH,
Erich

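The rules Erich describes, written out as an added example (not code from the thread or from the BareOS project): director to file daemon on tcp/9102, file daemon to storage daemon on tcp/9103, plus the INPUT/OUTPUT pair for backing up the router itself. It assumes DROP default policies and uses constructed placeholder addresses (director and storage daemon on one host in the backup LAN, three client subnets); adjust them to your own numbering.

```sh
#!/bin/sh
# Added example, not from the thread. Generates iptables rules for the default
# BareOS flow: dir -> fd on tcp/9102, fd -> sd on tcp/9103.
# Assumes FORWARD/INPUT/OUTPUT default policies are DROP. All addresses are
# constructed placeholders (dir and sd on one host in the backup LAN).
BAREOS_DIR_IP="${BAREOS_DIR_IP:-10.0.50.10}"
BAREOS_SD_IP="${BAREOS_SD_IP:-10.0.50.10}"
# Subnets whose hosts may be backed up (DMZ, admin LAN, kids LAN in the question).
CLIENT_NETS="${CLIENT_NETS:-10.0.10.0/24 10.0.20.0/24 10.0.30.0/24}"

# Prints "iptables ..." commands by default; pass "apply" as $2 to execute them.
emit_rule() {
    if [ "$2" = apply ]; then
        iptables $1   # word splitting of the rule string is intended here
    else
        echo "iptables $1"
    fi
}

bareos_forward_rules() {
    mode="${1:-print}"
    # Reply packets of any accepted flow; first so it matches cheaply.
    emit_rule "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" "$mode"
    for net in $CLIENT_NETS; do
        # Director -> file daemon: only the director may open the control channel.
        emit_rule "-A FORWARD -p tcp -s $BAREOS_DIR_IP -d $net --dport 9102 -m conntrack --ctstate NEW -j ACCEPT" "$mode"
        # File daemon -> storage daemon: clients may open the data channel only to the sd.
        emit_rule "-A FORWARD -p tcp -s $net -d $BAREOS_SD_IP --dport 9103 -m conntrack --ctstate NEW -j ACCEPT" "$mode"
    done
}

# Only needed if the router itself runs a bareos-fd and is backed up too.
bareos_router_rules() {
    mode="${1:-print}"
    emit_rule "-A INPUT -p tcp -s $BAREOS_DIR_IP --dport 9102 -m conntrack --ctstate NEW -j ACCEPT" "$mode"
    emit_rule "-A OUTPUT -p tcp -d $BAREOS_SD_IP --dport 9103 -m conntrack --ctstate NEW -j ACCEPT" "$mode"
}

bareos_forward_rules "${1:-print}"
bareos_router_rules "${1:-print}"
```

Run it without arguments to review the generated commands; with `apply` as the first argument it executes them, which on OpenWrt you would rather translate into the equivalent zone-to-zone rules in /etc/config/firewall so they survive a firewall reload.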