A. From a Legato paper at
http://web1.legato.com/lefaq/info/firewall.txt
-
NetWorker daemons get assigned
to 'secure ports' between 512 and 1023. nsrexecd is the exception to this
rule. Part of the reason that we don't have specific ports assigned to
our daemons comes from the fact that we are using RPC and Portmapper.
-
Secure ports are ports below
1024. The term 'secure' comes from the fact that these ports will
only allow programs that are started by root to attach to them. In
this way a program coming in from the outside is able to connect to these
ports and be reasonably sure that a hacker is not on the other side ready
to wreak havoc. So when nsrd gets started, since it is started by
root - it is able to attach to a secure port. Then - when a save
starts to send its data to the server, it can be assured that the process
on the other side of that port is something secure - i.e., started by root.
-
If you want to turn off ports
or close ports, you are doing this so people 'outside' the firewall can't
get in. The ports are still open to processes inside the firewall.
This means that NetWorker will still request ports from 512-1023. If you
close any of these ports - and NetWorker happens to grab the one that's
closed - then the clients outside the firewall will not be able to communicate.
-
There is no way to run NetWorker
in an environment with a firewall that closes off ANY port between 512
and 1023. You can close these ports for specific IP addresses - which
could be used to allow NetWorker clients to communicate - while any others
are omitted.
Q. Is there a way to back up through a firewall doing NAT (Network Address Translation)?
A. Matt Reynolds posted (17 Mar 2000):
What I did for this same
situation was create a fixed NAT (Network Address Translation) for my backup
server. Then I pointed the client to the fixed NAT address of the backup
server. I'm using Firewall-1, so this was easy to do. You can't use a dynamic
NAT address because Legato needs a fixed address to connect with.