2009/6/14 Jason Dixon <ja...@dixongroup.net>:
> On Sun, Jun 14, 2009 at 08:03:54PM -0700, Lord Sporkton wrote:
>> I would like to change the source IP that applications use when making
>> connections for my backup.
>> I have 2 firewalls, one at home, one in colo, each with a LAN segment
>> behind it, the LANs are connected via IPSec.conf vpns between the
>> firewalls.
>>
>> The home public IP is dynamic so I was not able to make my SA specific
>> between the public ips only from lan to lan. I am trying to do backups
>> of the colo firewall to a thumb drive in the home firewall via the LAN
>> ip of the home firewall however when the colo tries to connect(via nfs
>> in this case) to the home it sources from its public IP which is not
>> in the SA. I have the same problem going the other way as well. Is
>> there a way to force my backup script to source from or appear to
>> source from the LAN ip instead of the WAN ip?
>
> There are numerous ways around this, most of which probably involve
> more common sense.  Unfortunately, you haven't told us what sort of
> backup software you're using so it's hard to make good recommendations
> for your existing setup.  If your backup software will allow you to bind
> to the internal address of your home firewall, that's the way to go.
> Otherwise you might be able to get it working with some sort of port
> redirection (bouncing off the internal interface).  But again, without
> more details it's impossible for me to give you concrete examples.
>
> Personally, I just "pull" my server backups using dump-over-ssh.  This
> works great for me.  I've rebuilt my entire server within the past year
> using these backups so I guarantee this process works as advertised.
> Here is the script I use:
>
> #!/bin/sh
>
> # DayOfWeek
> DOW=`date +%w`
> DATE=`date +%Y%m%d`
>
> ssh r...@server "dump ${DOW}ufa - / | /usr/local/bin/bzip2" | \
>        dd of=/backups/dumps/server-root-${DOW}-${DATE}.bz2
> ssh r...@server "dump ${DOW}ufa - /data | /usr/local/bin/bzip2" | \
>        dd of=/backups/dumps/server-data-${DOW}-${DATE}.bz2
> ssh r...@server "dump ${DOW}ufa - /home | /usr/local/bin/bzip2" | \
>        dd of=/backups/dumps/server-home-${DOW}-${DATE}.bz2
> ssh r...@server "dump ${DOW}ufa - /var | /usr/local/bin/bzip2" | \
>        dd of=/backups/dumps/server-var-${DOW}-${DATE}.bz2
>
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/
>

My current method is just a dump script that pushes the backup to the
remote firewall, as opposed to pulling. I believe your script would work
just fine for me since the pulling firewall is dynamic.
I did try port redirection with PF, but that didn't seem to work very
well; it seemed to be doing the NAT after the IPsec filter, so it was
changing the source address but the packets were not hitting the IPsec
tunnel.

Perhaps I will try setting up a /30 network between the firewalls and
set up a GRE tunnel between them.

Thank you for the sample script.
Lawrence
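
As an added example (not Jason's script and not from anyone in the thread): a pull-style dump over ssh in the spirit of the one above, with the ssh session bound to the pulling firewall's LAN address via `ssh -b` so the backup traffic is sourced from the LAN IP and matches a LAN-to-LAN IPsec SA, plus a check that the archive is non-empty and intact before it is kept. The addresses, user, paths and the use of gzip instead of bzip2 are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread: pull a dump over ssh with the
# connection sourced from the LAN address (ssh -b) so it matches the LAN-to-LAN SA.
# Addresses, user, paths and the use of gzip (in base, unlike bzip2) are assumptions.
set -eu

BIND_ADDR="${BIND_ADDR:-192.168.1.1}"    # LAN IP of the home (pulling) firewall, assumed
REMOTE="${REMOTE:-root@10.0.0.1}"         # LAN IP of the colo firewall, assumed
DEST="${DEST:-/backups/dumps}"            # e.g. the mounted thumb drive
FILESYSTEMS="/:root /data:data /home:home /var:var"

DOW=$(date +%w)        # dump level 0-6: level 0 (full) on Sunday, incrementals after
DATE=$(date +%Y%m%d)

# Build the remote pipeline for one filesystem: dump <level>ufa - <fs>
# (u = record in /etc/dumpdates, f - = write to stdout, a = no tape-size
# estimate), compressed before it crosses the wire.
dump_cmd() {
    printf 'dump %sufa - %s | gzip -c' "$1" "$2"
}

# Pull one filesystem into $DEST; returns nonzero on any failure and leaves
# no partial file behind.  Arguments: mount point, label used in the file name.
pull_fs() {
    out="$DEST/server-$2-$DOW-$DATE.gz"
    tmp="$out.partial"
    # -b: source the TCP connection from the LAN address rather than the WAN
    # one, so the packets are selected by the LAN-to-LAN SA.
    if ! ssh -b "$BIND_ADDR" "$REMOTE" "$(dump_cmd "$DOW" "$1")" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # The remote exit status is gzip's, not dump's, so also refuse an empty
    # stream and verify the archive decompresses cleanly before keeping it.
    if [ ! -s "$tmp" ] || ! gzip -t "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$out"
    printf '%s\n' "$out"
}

main() {
    mkdir -p "$DEST"
    rc=0
    for entry in $FILESYSTEMS; do
        pull_fs "${entry%%:*}" "${entry#*:}" || rc=1
    done
    return $rc
}

case "${1:-}" in run) main ;; esac   # invoke as: sh backup.sh run
```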
