<to...@tuxteam.de> wrote:
>
> On Wed, Mar 22, 2017 at 10:35:13AM -0000, Dan Purgert wrote:
>> David Christensen wrote:
>> > On 03/17/2017 03:31 AM, Dan Purgert wrote:
>> >> David Christensen wrote:
>> >>> On 03/13/2017 05:38 AM, Dan Purgert wrote:
>> >>> [...]
>> >
>> > I should clarify that:
>> >
>> > "The backup server can be firewalled with no incoming ports and
>> > outgoing ports limited to SSH and other required ports".
>> >
>> >
>> > I still need to figure out the "other required outgoing ports".
>> > Suggestions and comments are welcome.
>>
>> Unfortunately, pretty much "all ephemeral ports", if the server is
>> running things that initiate connections. Some programs allow you to
>> specify what ports they're connecting from, but not all.
>
> That's what ESTABLISHED is for, in firewall jargon (you accept packets
> belonging to an established TCP connection).
>
You're not gonna have any ESTABLISHED connections in your firewall if
you're _initiating_ the connection. ;)

If my firewall has the following rules:

 - default drop
 - rule 10 accept established

the command:

 rsync (whatever switches) user@remote-host:/path/to/files/ /local/

will fail to connect to remote-host, as the rsync command is not
connecting across a previously established link.

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
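The exchange above turns on what a stateful firewall means by ESTABLISHED. The following is an added example, not code from anyone in this thread: a small Python model of netfilter-style connection tracking that runs the two rule sets under discussion (Dan's "default drop + accept established" on every chain, and the backup-server design of "no incoming ports, outgoing limited to SSH") against an outbound rsync-over-ssh handshake and an unsolicited inbound SYN. The addresses and ports are constructed, and the model is deliberately simplified (one flow table, no TCP window checks, no RELATED state); the `to_iptables` helper renders each model rule as the real `iptables -m conntrack --ctstate` syntax so the two can be compared.

```python
from dataclasses import dataclass
from typing import List, Optional

# A packet as seen from the host running the firewall.
# direction "out" = leaving this host (OUTPUT chain), "in" = arriving (INPUT chain).
@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str                    # "INPUT" or "OUTPUT"
    action: str                   # "ACCEPT" or "DROP"
    state: Optional[str] = None   # "NEW" or "ESTABLISHED"; None matches any state
    dport: Optional[int] = None   # TCP destination port; None matches any port


class StatefulFirewall:
    """Simplified model: a flow becomes ESTABLISHED once its first (NEW)
    packet is accepted; reply packets are matched by reversing the tuple."""

    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        self.rules = rules
        self.policy = policy          # chain default when no rule matches
        self.conntrack = set()        # accepted flows, keyed from this host's view

    def _flow_key(self, pkt: Packet):
        # Normalise both directions of one connection onto the same key.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        chain = "OUTPUT" if pkt.direction == "out" else "INPUT"
        key = self._flow_key(pkt)
        state = "ESTABLISHED" if key in self.conntrack else "NEW"
        verdict = self.policy
        for rule in self.rules:                 # first matching rule wins
            if rule.chain != chain:
                continue
            if rule.state is not None and rule.state != state:
                continue
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            verdict = rule.action
            break
        # Like netfilter, a NEW flow is only confirmed if its packet passes.
        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack.add(key)
        return verdict


def to_iptables(rule: Rule) -> str:
    """Render a model rule as the equivalent iptables command."""
    parts = ["iptables", "-A", rule.chain]
    if rule.dport is not None:
        parts += ["-p", "tcp", "--dport", str(rule.dport)]
    if rule.state is not None:
        parts += ["-m", "conntrack", "--ctstate", rule.state]
    parts += ["-j", rule.action]
    return " ".join(parts)


# Dan's rule set: default drop, accept established, on both chains.
ESTABLISHED_ONLY = [
    Rule("INPUT", "ACCEPT", state="ESTABLISHED"),
    Rule("OUTPUT", "ACCEPT", state="ESTABLISHED"),
]

# Backup-server design: no incoming ports, outgoing limited to SSH.
BACKUP_SERVER = ESTABLISHED_ONLY + [
    Rule("OUTPUT", "ACCEPT", state="NEW", dport=22),
]


def run_scenario(rules: List[Rule]) -> List[str]:
    """Verdicts for: outbound SSH SYN, its SYN-ACK reply, an unsolicited inbound SYN."""
    fw = StatefulFirewall(rules)
    # Constructed sample traffic: backup host 10.0.0.5 talking to 192.0.2.10.
    ssh_syn = Packet("out", "tcp", "10.0.0.5", 40123, "192.0.2.10", 22)
    ssh_synack = Packet("in", "tcp", "192.0.2.10", 22, "10.0.0.5", 40123)
    unsolicited = Packet("in", "tcp", "198.51.100.7", 55555, "10.0.0.5", 22)
    return [fw.filter(ssh_syn), fw.filter(ssh_synack), fw.filter(unsolicited)]


if __name__ == "__main__":
    for name, rules in (("established-only", ESTABLISHED_ONLY), ("backup-server", BACKUP_SERVER)):
        print(name, run_scenario(rules))
        for r in rules:
            print("  ", to_iptables(r))
```

Running it shows the point both sides are making: with ESTABLISHED-only rules on OUTPUT the initial rsync SYN is NEW and is dropped, so nothing ever becomes ESTABLISHED; adding one OUTPUT rule for NEW traffic to port 22 lets the handshake out, after which the server's replies match ESTABLISHED on INPUT while an unsolicited inbound SYN is still dropped by the default policy.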