Linux: Installation with Packager - Firewall Settings

Dealing with Firewalls

If you have a firewall or a DMZ installed on your computer, you may experience difficulties contacting one or more of the Clients to back them up. This is especially true if you are trying to back up a Client across the Internet.

Technical Details

If you are attempting to do this, the sequence of network events in Bacula to do a backup is the following:

Console -> DIR:9101
DIR     -> SD:9103
DIR     -> FD:9102
FD      -> SD:9103

Here DIR represents the Director, FD the File daemon or client, and SD the Storage daemon. The numbers that follow those names are the standard ports used by Bacula. The -> means that the left side makes a connection to the right side: the right side is the “server”, listening on the specified port, and the left side is the “client” that initiates the conversation.

Note, port 9103 serves both the Director and the File daemon, each having its own independent connection.

Firewall Problems

Either a firewall or a router may decide to time out and terminate open connections if they are not active for a short time. By Internet standards the period should be two hours, and should be indefinitely extended if KEEPALIVE is set, as is the case with Bacula. If your firewall or router does not respect these rules, you may find Bacula connections terminated. In that case, the first thing to try is turning on the Heartbeat Interval in both the File daemon and the Storage daemon and setting an interval of, say, five minutes.

Also, if you have denial-of-service rate limiting in your firewall, this too can cause Bacula disconnects, since Bacula can at times use very high access rates. To avoid this, you should implement default accept rules for the Bacula ports involved before the rate limiting rules.

Bacula Ports

In order to allow the different elements of your Bacula Enterprise installation to communicate, you need to open the following ports:

  • Director: 9101 (TCP)

  • Storage Daemon: 9103 (TCP)

  • File Daemon: 9102 (TCP)

If your database is located on another server, please also open the appropriate ports:

  • PostgreSQL: 5432 (TCP and UDP)

Please set up your iptables or packet filter rules to enable this communication.
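
One way to turn the connection table and port list above into iptables rules, as an added example that is not part of the Bacula documentation: it only prints rules for review, limits each port to the peers that the table says connect to it, and places those accepts ahead of a rate limiter. The addresses, the function names and the hashlimit rule standing in for an existing limiter are assumptions.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables INPUT rules for one Bacula host.
# All addresses are constructed samples from the RFC 5737 documentation ranges.
CONSOLE_IP="${CONSOLE_IP:-192.0.2.5}"    # host running the Console
DIR_IP="${DIR_IP:-192.0.2.10}"           # Director
SD_IP="${SD_IP:-192.0.2.20}"             # Storage daemon
FD_NET="${FD_NET:-198.51.100.0/24}"      # network holding the File daemons

# listen SRC PORT: this host is the "server" side of an arrow in the table
listen() {
    echo "iptables -A INPUT -p tcp -s $1 --dport $2 -j ACCEPT"
}

# reply SRC PORT: this host is the "client" side; accept only return traffic
reply() {
    echo "iptables -A INPUT -p tcp -s $1 --sport $2 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# bacula_rules ROLE: ROLE is dir, sd or fd
bacula_rules() {
    case "$1" in
        dir) listen "$CONSOLE_IP" 9101    # Console -> DIR:9101
             reply  "$SD_IP"      9103    # DIR -> SD:9103
             reply  "$FD_NET"     9102 ;; # DIR -> FD:9102
        sd)  listen "$DIR_IP"     9103    # DIR -> SD:9103
             listen "$FD_NET"     9103 ;; # FD  -> SD:9103
        fd)  listen "$DIR_IP"     9102    # DIR -> FD:9102
             reply  "$SD_IP"      9103 ;; # FD  -> SD:9103
        *)   echo "usage: bacula_rules dir|sd|fd" >&2
             return 2 ;;
    esac
    # Constructed stand-in for the site's own rate limiter. It is emitted last,
    # so Bacula traffic matches an ACCEPT above and never reaches it. On a host
    # that already has a limiter, insert the accepts above it instead.
    echo "iptables -A INPUT -p tcp -m hashlimit --hashlimit-name tcp_in --hashlimit-mode srcip --hashlimit-above 200/second -j DROP"
}

# Run as: sh bacula-fw.sh sd   (prints the rules for a Storage daemon host)
if [ "$#" -gt 0 ]; then bacula_rules "$1"; fi
```

Review the printed rules and adjust the addresses before applying them to the host that holds the matching role.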

Also check your SELinux or AppArmor security rules to enable the following processes to run and be accessible:

  • /opt/bacula/bin/bacula-dir running as user bacula

  • /opt/bacula/bin/bacula-sd running as user bacula

  • /opt/bacula/bin/bacula-fd running as user root
