 From:  Chet Harvey <chet at pittech dot com>
 To:  Kevin Tollison <kevin at kwtassoc dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Rsync over SSH to Internal Server
 Date:  Tue, 18 Apr 2006 13:56:10 -0400

Did you use "inbound NAT" or one of the other tabs such as Server NAT or 1:1?

My m0n0 is set to the tab that says "Inbound" and the rule looks like this:

 WAN | TCP | 22 (SSH) | 192.168.x.x | 22 (SSH) | Proxy

I did auto add a firewall rule then went and changed the rule to read:

 TCP | x.x.x.x | * | 192.168.x.x | 22 (SSH) | NAT Proxy

And with this I can access my NAT'd SSH only from the address I specified. In
this case it is work.

My question is, if you are running SSH over rsync, why would you need port
873 open on the firewall? I bet if you check your logs there will be a lot of drops.

IMHO you have two ways to do this "securely". The first is to simply set up a
static IPsec tunnel between the m0n0's. That way you don't need to change
anything and your data is encrypted.

The second way is to use stunnel on each server and redirect rsync into an
encrypted tunnel between the endpoints. This option takes a little load off your m0n0.


Quoting Kevin Tollison <kevin at kwtassoc dot com>:

> I am having a problem getting to servers behind m0n0wall boxes.
> Here is the setup
> Server1 -->  m0n0wall -->  Internet --> m0n0wall --> Server2
> We are trying to run a rsync job from server1 pulling data from server2
> I configured both servers locally and ran the initial backup locally, then
> moved the server2 to its new location.
> Initially I have tried to just SSH to the server2 from server1 with no
> success.  The connection just times out.
> My rules are as follows.   NAT for port 22 and 873 to server on both sides.
> Firewall rules to allow all traffic from WAN IP on both sides.
> Initially I just set it up to allow just the ports and protocols I needed,
> with no luck. So then I opened it up completely with only an IP address
> restriction,  still nothing.
> Hopefully I am missing something simple.  Let me know if you need any more
> information or clarification.
> --
> Kevin Tollison
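An added example, not part of the thread: a small Python audit of NAT and firewall rule rows in the layout pasted above, which flags a forwarded rsync daemon port (873) and an SSH rule open to any source. The tab-separated column layout and the sample rows are assumptions.

```python
import re

# Column layouts assumed from the rows quoted in the reply (one tab between columns):
#   NAT row:      interface  proto  ext-port  internal-ip  int-port  description
#   Firewall row: proto  source  src-port  dest-ip  dest-port  description
RSYNCD_PORT = 873
_PORT_RE = re.compile(r"^\s*(\d+)")  # "22 (SSH)" -> 22, "*" -> no match


def port_of(field):
    """Leading port number of a column such as '22 (SSH)'; None for '*'."""
    m = _PORT_RE.match(field)
    return int(m.group(1)) if m else None


def parse_row(line):
    return [c.strip() for c in line.strip().split("\t")]


def audit(nat_rows, fw_rows, ssh_port=22):
    """Return findings; an empty list means the rules match the
    'SSH only, from one source address' setup described in the reply."""
    findings = []
    for row in nat_rows:
        _iface, _proto, ext_port, internal_ip, _int_port, _desc = parse_row(row)
        if port_of(ext_port) == RSYNCD_PORT:
            findings.append(f"NAT exposes rsync daemon port {RSYNCD_PORT} on {internal_ip}; "
                            "not needed when rsync runs over SSH")
    for row in fw_rows:
        _proto, src, _sport, dest_ip, dest_port, _desc = parse_row(row)
        dport = port_of(dest_port)
        if dport == ssh_port and src == "*":
            findings.append(f"SSH to {dest_ip} allowed from any source; restrict to the peer's WAN address")
        if dport == RSYNCD_PORT:
            findings.append(f"firewall passes rsync daemon port {RSYNCD_PORT} to {dest_ip}")
    return findings


# Constructed rows mirroring the reply's rule tables (placeholder addresses kept as-is).
GOOD_NAT = ["WAN\tTCP\t22 (SSH)\t192.168.x.x\t22 (SSH)\tProxy"]
GOOD_FW = ["TCP\tx.x.x.x\t*\t192.168.x.x\t22 (SSH)\tNAT Proxy"]
# Constructed set resembling the original question: 22 and 873 forwarded, any source allowed.
RISKY_NAT = GOOD_NAT + ["WAN\tTCP\t873\t192.168.x.x\t873\trsyncd"]
RISKY_FW = ["TCP\t*\t*\t192.168.x.x\t22 (SSH)\tNAT Proxy",
            "TCP\t*\t*\t192.168.x.x\t873\tNAT rsyncd"]

if __name__ == "__main__":
    for name, nat, fw in (("good", GOOD_NAT, GOOD_FW), ("risky", RISKY_NAT, RISKY_FW)):
        print(name, audit(nat, fw) or ["no findings"])
```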