On 8/5/2016 8:50 AM, Andreas Koch wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello all,
>
> while we have been extremely happy over the years using Bacula to handle our
> internal systems, we are a bit stumped now on how to back up a machine
> outside of a rather restrictive firewall.
>
> Said firewall is basically configured to deny all incoming connections (but
> allows connections initiated from the inside).
>
> With the default approach Bacula uses
>
> 1. Director (inside of firewall) tells File Daemon (outside of firewall) on
> remote machine to begin backup -- OK
>
> 2. File Daemon (outside of firewall) attempts to connect to Storage Daemon
> (inside of firewall) -- FAILS
>
> we are getting nowhere. Is there a possibility to configure the Storage
> Daemon to use something like a ``pull'' mode, resulting in
>
> 1. Director (inside of firewall) tells File Daemon (outside of firewall) on
> remote machine to begin backup
>
> 2. Director (inside of firewall) tells Storage Daemon (inside of firewall) to
> connect to File Daemon (outside of firewall)
>
> 3. File Daemon (outside of firewall) can now stream data to Storage Daemon
> (inside of firewall)
>
> I'd also be interested to know how other users have tackled such a setup!

I don't know if any version of Bacula implements the "pull" mode you mention, but I am not a fan of this approach. It puts all of the emphasis for security on the clients. An attack vector would be to spoof the Storage Daemon and convince the client to send its backup to the attacker.

I use OpenVPN to tunnel into the protected network. The client side of the VPN is given an address inside the firewall. This also ensures that all comms are encrypted on the wire (outside of the firewall, anyway) without having to configure encryption in Bacula.
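
How the Bacula side of the VPN setup described in the reply could be configured, as an added example that is not part of the original messages or of anyone's actual configuration. It assumes the OpenVPN tunnel is already up; every name, address, path and password below is a constructed placeholder, and only the directives relevant to routing the connections through the tunnel are shown.

```conf
# Constructed example: all names, addresses, paths and passwords are placeholders.
# Assumption: the remote machine's tunnel interface holds 10.8.0.10, an address
# that is routed inside the firewall, and the Storage Daemon lives at 10.0.0.20.

# --- bacula-dir.conf (Director, inside the firewall) ---
Client {
  Name = remote-fd
  Address = 10.8.0.10          # VPN address of the remote machine, not its public one
  FDPort = 9102
  Catalog = MyCatalog
  Password = "CHANGE-ME-fd"    # placeholder
}

Storage {
  Name = File1
  # The Director passes this address to the File Daemon, which then opens the
  # connection to the Storage Daemon itself. It therefore has to be an address
  # the remote machine can reach through the tunnel.
  Address = 10.0.0.20          # internal address of the Storage Daemon
  SDPort = 9103
  Password = "CHANGE-ME-sd"    # placeholder
  Device = FileStorage
  Media Type = File
}

# --- bacula-fd.conf (File Daemon on the remote machine) ---
FileDaemon {
  Name = remote-fd
  FDport = 9102
  FDAddress = 10.8.0.10        # listen on the tunnel interface only
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run
}

Director {
  Name = bacula-dir
  Password = "CHANGE-ME-fd"    # must match the Client resource above
}
```

With `FDAddress` bound to the tunnel address, the File Daemon port is not listening on the remote machine's public interface, so both the Director-to-FD and FD-to-SD connections travel only inside the VPN.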