Next: Using Bacula to Improve Up: Bacula User's Guide Previous: Bacula Security Issues   Contents   Index


Dealing with Firewalls

If you have a firewall or a DMZ installed on your computer, you may experience difficulties contacting one or more of the Clients to back them up. This is especially true if you are trying to back up a Client across the Internet.

Technical Details

If you are attempting to do this, the sequence of network events Bacula uses to do a backup is the following:

Console -> DIR:9101
DIR     -> SD:9103
DIR     -> FD:9102
FD      -> SD:9103

Here DIR represents the Director, FD the File daemon (the client), and SD the Storage daemon. The numbers following those names are the standard ports used by Bacula, and the -> means that the left side initiates a connection to the right side: the right side is the "server" listening on the specified port, and the left side is the "client" that opens the conversation.

Note that port 9103 on the Storage daemon serves both the Director and the File daemon, each of which opens its own independent connection to it.

If you are running iptables, you might add something like:

-A FW-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9101:9103 -j ACCEPT

on your server, and

-A FW-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9102 -j ACCEPT

on your client. In both cases, I assume that the machine is allowed to initiate connections on any port. If not, you will need to allow outgoing connections on ports 9102 and 9103 on your server and 9103 on your client. Thanks to Raymond Norton for this tip.
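As an added example (not part of the Bacula manual), the following Python script turns the connection sequence above into the per-host firewall openings and renders the inbound ones as iptables rules in the form shown. The host names, the placement of the console on a separate admin workstation, and the reuse of the FW-1-INPUT chain name from the rules above are illustrative assumptions; only connections between two different hosts are counted, since a daemon talking to another daemon on the same machine never crosses the firewall.

```python
# Added example (not from the Bacula manual): derive the firewall openings each
# host needs from Bacula's connection sequence, then render them as iptables
# rules in the form the section shows. Host names and role placement are
# illustrative assumptions.

# (initiating daemon, listening daemon, listening port), exactly the sequence
# listed in the manual. Ports are Bacula's standard ones.
BACULA_FLOWS = [
    ("console", "dir", 9101),
    ("dir", "sd", 9103),
    ("dir", "fd", 9102),
    ("fd", "sd", 9103),
]

# Constructed placement: the console runs on an admin workstation rather than
# on the server, which is why the server must also accept 9101 from outside.
EXAMPLE_PLACEMENT = {
    "admin": {"console"},
    "server": {"dir", "sd", "fd"},
    "private1": {"fd"},
}


def required_ports(placement):
    """Return {host: {"inbound": set, "outbound": set}} of TCP ports.

    Only connections between two different hosts are counted. A client that
    runs just an FD therefore needs inbound 9102 (from the Director) and
    outbound 9103 (to the Storage daemon), matching the manual's rules.
    """
    result = {host: {"inbound": set(), "outbound": set()} for host in placement}
    for src_role, dst_role, port in BACULA_FLOWS:
        for src_host, src_roles in placement.items():
            if src_role not in src_roles:
                continue
            for dst_host, dst_roles in placement.items():
                if dst_role not in dst_roles or dst_host == src_host:
                    continue
                result[dst_host]["inbound"].add(port)
                result[src_host]["outbound"].add(port)
    return result


def port_ranges(ports):
    """Collapse consecutive ports into iptables 'low:high' ranges."""
    out, run = [], []
    for port in sorted(ports):
        if run and port == run[-1] + 1:
            run.append(port)
        else:
            if run:
                out.append(_fmt_run(run))
            run = [port]
    if run:
        out.append(_fmt_run(run))
    return out


def _fmt_run(run):
    return str(run[0]) if len(run) == 1 else f"{run[0]}:{run[-1]}"


def iptables_input_rules(host, ports, chain="FW-1-INPUT"):
    """Render a host's inbound openings as rules like those in the manual."""
    return [
        f"-A {chain} -m state --state NEW -m tcp -p tcp --dport {rng} -j ACCEPT"
        for rng in port_ranges(ports[host]["inbound"])
    ]


if __name__ == "__main__":
    needed = required_ports(EXAMPLE_PLACEMENT)
    for host in EXAMPLE_PLACEMENT:
        print(f"{host}: inbound {sorted(needed[host]['inbound'])}, "
              f"outbound {sorted(needed[host]['outbound'])}")
        for rule in iptables_input_rules(host, needed):
            print("  " + rule)
```

Running it prints, for each host, the ports it must accept and the ports it must be allowed to reach; placing the console on the server instead (or adding a second client) changes the output accordingly, which is the point of deriving the rules from the flow table rather than copying the blanket 9101:9103 opening.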

A Concrete Example

Jesse Guardiani's solution to this problem for his network, in his own words, is:

My bacula server is on the 192.168.1.0/24 network at IP address 192.168.1.52. For the sake of discussion we will refer to this network as the 'internal' network because it connects to the internet through a NAT'd firewall. We will call the network on the public (internet) side of the NAT'd firewall the 'external' network. Also, for the sake of discussion we will call my bacula server:

    server.int.mydomain.tld

when a fully qualified domain name is required, or simply:

    server

if a hostname is adequate. We will call the various bacula daemons running on the server.int.mydomain.tld machine:

    server-fd
    server-sd
    server-dir

In addition, I have two clients that I want to back up with Bacula. The first client is on the internal network. Its fully qualified domain name is:

    private1.int.mydomain.tld

And its hostname is:

    private1

This machine is a client and therefore runs just one bacula daemon:

    private1-fd

The second client is on the external network. Its fully qualified domain name is:

    public1.mydomain.tld

And its hostname is:

    public1

This machine also runs just one bacula daemon:

    public1-fd

Finally, I have a NAT firewall/gateway with two network interfaces. The first interface is on the internal network and serves as a gateway to the internet for all the machines attached to the internal network (for example, server.int.mydomain.tld and private1.int.mydomain.tld). The second interface is on the external (internet) network. The external interface has been assigned the name:

    firewall.mydomain.tld

Remember:

    *.int.mydomain.tld = internal network
        *.mydomain.tld = external network

The Bacula Configuration Files for the Above

server-sd manages a 4-tape AIT autoloader. All of my backups are written to server-sd. I have just *one* Device resource in my server-sd.conf file:

Device {
  Name = "autochanger1"
  Media Type = AIT-1
  Archive Device = /dev/nrsa1
  Changer Device = /dev/ch0
  Changer Command = "/usr/local/sbin/chio-bacula %c %o %S %a"
  Label Media = yes
  AutoChanger = yes
  AutomaticMount = yes               # when device opened, read it
  AlwaysOpen = yes
  Hardware End of Medium = No
  Fast Forward Space File = No
  BSF at EOM = yes
}

(Note: please see the Tape Testing chapter of this manual for important FreeBSD information.) However, I have *two* Storage resources in my server-dir.conf file:

Storage {
  Name = "autochanger1-int"    # Storage device for backing up
  Address = server.int.mydomain.tld
  SDPort = 9103
  Password = "mysecretpassword"
  Device = "autochanger1"
  Media Type = AIT-1
  Autochanger = yes
}
Storage {
  Name = "autochanger1-ext"    # Storage device for backing up
  Address = firewall.mydomain.tld
  SDPort = 9103
  Password = "mysecretpassword"
  Device = "autochanger1"
  Media Type = AIT-1
  Autochanger = yes
}

Note that BOTH of the above server-dir.conf Storage resources use the same 'autochanger1' Device resource from server-sd.conf.

My backup jobs run consecutively, one after the other, so only one of the above Storage resources is being used by Bacula file daemons at any given time. I don't know if this would cause problems at a site that runs more than one backup in parallel to a single tape device.

In addition to the above, I have two Client resources defined in server-dir.conf:

Client {
  Name = private1-fd
  Address = private1.int.mydomain.tld
  FDPort = 9102
  Catalog = MyCatalog
  Password = "mysecretpassword"       # password for FileDaemon
}
Client {
  Name = public1-fd
  Address = public1.mydomain.tld
  FDPort = 9102
  Catalog = MyCatalog
  Password = "mysecretpassword"       # password for FileDaemon
}

And finally, to tie it all together, I have two Job resources defined in server-dir.conf:

Job {
  Name = "Private1-Backup"
  Type = Backup
  Client = private1-fd
  FileSet = "Private1"
  Schedule = "WeeklyCycle"
  Storage = "autochanger1-int"
  Messages = Standard
  Pool = "Weekly"
  Write Bootstrap = "/var/db/bacula/Private1-Backup.bsr"
  Priority = 12
}
Job {
  Name = "Public1-Backup"
  Type = Backup
  Client = public1-fd
  FileSet = "Public1"
  Schedule = "WeeklyCycle"
  Storage = "autochanger1-ext"
  Messages = Standard
  Pool = "Weekly"
  Write Bootstrap = "/var/db/bacula/Public1-Backup.bsr"
  Priority = 13
}

It is important to notice that because the 'Private1-Backup' Job is intended to back up a machine on the internal network, it uses the 'autochanger1-int' Storage resource. On the other hand, the 'Public1-Backup' Job is intended to back up a machine on the external network, so it uses the 'autochanger1-ext' Storage resource.

I have left the Pool, Catalog, Messages, FileSet, Schedule, and Director resources out of the above server-dir.conf examples because they are not pertinent to the discussion.

How Does It Work?

If I want to run a backup of private1.int.mydomain.tld and store that backup using server-sd then my understanding of the order of events is this:

  1. I execute my Bacula 'console' command on server.int.mydomain.tld.
  2. console connects to server-dir.
  3. I tell console to 'run' backup Job 'Private1-Backup'.
  4. console relays this command to server-dir.
  5. server-dir connects to private1-fd at private1.int.mydomain.tld:9102.
  6. server-dir tells private1-fd to start sending the files defined in the 'Private1-Backup' Job's FileSet resource to the Storage resource 'autochanger1-int', which we have defined in server-dir.conf as having the address:port of server.int.mydomain.tld:9103.
  7. private1-fd connects to server.int.mydomain.tld:9103 and begins sending files.

Alternatively, if I want to run a backup of public1.mydomain.tld and store that backup using server-sd then my understanding of the order of events is this:

  1. I execute my Bacula 'console' command on server.int.mydomain.tld.
  2. console connects to server-dir.
  3. I tell console to 'run' backup Job 'Public1-Backup'.
  4. console relays this command to server-dir.
  5. server-dir connects, through the NAT'd firewall, to public1-fd at public1.mydomain.tld:9102.
  6. server-dir tells public1-fd to start sending the files defined in the 'Public1-Backup' Job's FileSet resource to the Storage resource 'autochanger1-ext', which we have defined in server-dir.conf as having the address:port of firewall.mydomain.tld:9103.
  7. public1-fd connects to firewall.mydomain.tld:9103 and begins sending files.

Important Note

In order for the above 'Public1-Backup' Job to succeed, firewall.mydomain.tld:9103 MUST be forwarded using the firewall's configuration software to server.int.mydomain.tld:9103. Some firewalls call this 'Server Publication'. Others may call it 'Port Forwarding'.
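To see why that port forward is required, here is an added Python model (not Jesse Guardiani's or the Bacula project's code) that traces steps 5 to 7 of both jobs through a toy version of his network. Every address except 192.168.1.52 is constructed from documentation ranges, the `forwards` table stands in for the firewall's port-forwarding configuration, and the Director's own connection to the Storage daemon is not traced because the step lists above do not include it.

```python
# Added example (not Jesse Guardiani's or the Bacula project's code): a toy
# model of the network above that traces steps 5-7 of each job and shows
# which hop fails when firewall.mydomain.tld:9103 is not forwarded.
# All addresses except 192.168.1.52 are constructed from documentation ranges.

DNS = {
    "server.int.mydomain.tld": "192.168.1.52",    # from the text
    "private1.int.mydomain.tld": "192.168.1.10",  # constructed
    "public1.mydomain.tld": "203.0.113.20",       # constructed (TEST-NET-3)
    "firewall.mydomain.tld": "198.51.100.1",      # constructed (TEST-NET-2)
}
INTERNAL_NET = {"192.168.1.52", "192.168.1.10"}   # hosts behind the NAT
FIREWALL_EXTERNAL_IP = DNS["firewall.mydomain.tld"]
SERVER_IP = DNS["server.int.mydomain.tld"]

# Listening sockets, per the conf files: server-dir/fd/sd on the server and
# one FD on each client.
LISTENERS = {
    (SERVER_IP, 9101), (SERVER_IP, 9102), (SERVER_IP, 9103),
    (DNS["private1.int.mydomain.tld"], 9102),
    (DNS["public1.mydomain.tld"], 9102),
}

# (Client address, Storage address) taken from the two Job resources.
JOBS = {
    "Private1-Backup": ("private1.int.mydomain.tld", "server.int.mydomain.tld"),
    "Public1-Backup": ("public1.mydomain.tld", "firewall.mydomain.tld"),
}


def connect(src_ip, dst_name, port, forwards):
    """Model one TCP connect; return (ok, reason).

    forwards maps an external firewall port to (internal ip, port), i.e. the
    'Server Publication' / 'Port Forwarding' table on the NAT firewall.
    """
    dst_ip = DNS[dst_name]
    if dst_ip == FIREWALL_EXTERNAL_IP:
        if port not in forwards:
            return False, f"{dst_name}:{port} is not forwarded by the firewall"
        dst_ip, port = forwards[port]
    elif dst_ip in INTERNAL_NET and src_ip not in INTERNAL_NET:
        return False, f"{dst_name} is on the internal network, unreachable from outside"
    if (dst_ip, port) not in LISTENERS:
        return False, f"nothing is listening on {dst_ip}:{port}"
    return True, f"{src_ip} -> {dst_ip}:{port}"


def trace_job(job_name, forwards, storage=None):
    """Steps 5-7: server-dir -> client FD:9102, then client FD -> SD:9103.

    storage overrides the Job's Storage address (to try a misconfiguration).
    Returns a list of (hop, ok, reason).
    """
    client, job_storage = JOBS[job_name]
    storage = storage or job_storage
    hops = []
    ok, why = connect(SERVER_IP, client, 9102, forwards)
    hops.append((f"server-dir -> {client}:9102", ok, why))
    if ok:
        ok, why = connect(DNS[client], storage, 9103, forwards)
        hops.append((f"{client} -> {storage}:9103", ok, why))
    return hops


def job_succeeds(job_name, forwards, storage=None):
    return all(ok for _, ok, _ in trace_job(job_name, forwards, storage))


if __name__ == "__main__":
    forward_9103 = {9103: (SERVER_IP, 9103)}
    for name in JOBS:
        for label, table in (("no forward", {}), ("9103 forwarded", forward_9103)):
            print(f"{name} ({label}):")
            for hop, ok, why in trace_job(name, table):
                print(f"  {'ok  ' if ok else 'FAIL'} {hop}: {why}")
```

With an empty forwarding table the Private1-Backup trace completes while Public1-Backup fails at its second hop; adding the 9103 forward to 192.168.1.52 makes it succeed, and forwarding to the wrong internal host or pointing the external job at server.int.mydomain.tld fails for the reasons the model prints.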


2005-06-01