File copy through firewall
FrankGuthrie
Member Posts: 245
in CCNP
I've attached a picture to the thread for clarification.
If I want to migrate data from an old server to a new server, which port do I need to open when there is a firewall in between? Which protocol is used when copying?
Does this differ when copying from Linux to Linux?
What if you copy from EMC/NetApp to EMC/NetApp?
Comments
gorebrush Member Posts: 2,743
Depends on:
1. What OS you are using
2. What actual file transfer technology/protocol.
Are you using SSH, FTP, SMB, NFS, etc etc etc?
FrankGuthrie Member Posts: 245
Good post, that actually made me think :P. In order to copy from Windows to Windows you need to make a mapping, so I would be using SMB/CIFS (TCP port 445), and with Linux NFS (port 111 TCP and UDP, and 2049 TCP and UDP).
darkuser Member Posts: 620
What they said .... what application are you using for the copy and what transport does the application use?
rm -rf /
FrankGuthrie Member Posts: 245
Well, copying from Windows to Windows is not really using an application, right? It's just Windows Explorer. I guess the application is Windows Explorer.
docrice Member Posts: 1,706
Windows to Windows is typically SMB (initiated via a UNC path reference), which is TCP 445. But that said, there could potentially be other protocols in the mix like Kerberos, MS-RPC, etc. depending on host configurations and other considerations. Some protocols like MS-RPC require a large range depending on the Windows Server version.
http://support.microsoft.com/kb/179442
If you're not sure what's involved for your particular situation, check the firewall drop logs (assuming you have an explicit clean-up drop rule at the bottom of the ACL).
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
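The "check the drop logs" approach above, as an added example that is not part of any post in this thread: a small Python script that reads Cisco ASA 106023 deny messages, counts the denied flows per destination port (source ports are ephemeral and never belong in a rule), and proposes `access-list` lines only for the source/destination pair that belongs to the migration. The log lines, addresses, interface names and the ACL name `inside_in` are constructed for the example. Destination ports in the 49152+ range are flagged rather than permitted, because a single hit there is usually an MS-RPC endpoint handed out by the endpoint mapper on TCP 135, and pinning one such port in an ACL will break the next time the service restarts.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the Cisco ASA "%ASA-4-106023: Deny ..." format.
# Hosts, interfaces and the access-group name are made up for this example.
SAMPLE_DENY_LOG = """\
%ASA-4-106023: Deny tcp src inside:10.10.1.5/49831 dst servers:10.20.1.7/445 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.1.5/49832 dst servers:10.20.1.7/445 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.1.5/49833 dst servers:10.20.1.7/135 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.1.5/49834 dst servers:10.20.1.7/49155 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.10.1.5/123 dst servers:10.20.1.7/123 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.1.9/51000 dst servers:10.20.1.8/2049 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:10.10.1.9/111 dst servers:10.20.1.8/111 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.10.1.9/51001 dst servers:10.20.1.8/111 by access-group "inside_in" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Windows Vista/2008 and later hand out RPC endpoints from 49152-65535 by default.
DYNAMIC_RPC_MIN = 49152


def parse_denies(log_text):
    """Yield (proto, src, dst, dport) for every line that is an ASA deny message."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield (m["proto"], m["src"], m["dst"], int(m["dport"]))


def summarize_flows(log_text):
    """Count denied flows per (proto, src, dst, dport); the source port is dropped
    because it is ephemeral and would never go into an ACL."""
    return Counter(parse_denies(log_text))


def propose_rules(log_text, migration_pairs, acl_name="inside_in"):
    """Return one ACL line per denied (proto, dport) between the given (src, dst)
    pairs. Unrelated denies in the same log (other hosts) are ignored so they do
    not get opened by accident. Ports in the dynamic RPC range are emitted as a
    comment to review, not as a permit."""
    rules = []
    for (proto, src, dst, dport), hits in sorted(summarize_flows(log_text).items()):
        if (src, dst) not in migration_pairs:
            continue
        if dport >= DYNAMIC_RPC_MIN:
            rules.append(
                f"! {proto} {src} -> {dst}:{dport} ({hits} hits) looks like a dynamic "
                f"RPC endpoint; open the endpoint mapper (135) plus the RPC range, or "
                f"restrict the server's RPC port range, instead of pinning this port"
            )
        else:
            rules.append(
                f"access-list {acl_name} extended permit {proto} host {src} host {dst} "
                f"eq {dport}  ! {hits} hits"
            )
    return rules


if __name__ == "__main__":
    for rule in propose_rules(SAMPLE_DENY_LOG, {("10.10.1.5", "10.20.1.7")}):
        print(rule)
```

Run it against a real export of the drop log for the migration window only; anything denied outside that window, or between hosts that are not the two servers, is noise that should stay denied.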
docrice Member Posts: 1,706
If I recall, NFS uses RPC (although different ports than in MS-RPC for Windows because it's Sun RPC). There's the initial connection to TCP/UDP 111 (similar to TCP 135 for the Windows RPC endpoint mapper), then it's a bunch of ephemeral destination ports for the follow-up sessions during marshalling (although I recall the source ports for this second phase to use ports lower than 1024, but I don't remember accurately off the top of my head).
ASA's application inspection engine hasn't always been the best in my experience, but I thought it recognized "sunrpc."
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
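A practical check for the Sun RPC point above, added here and not part of any post in this thread: before writing the ACL, run `rpcinfo -p <nfs-server>` from the client side and see which ports the portmapper is actually advertising. For NFSv3 that is 111 (portmapper) and 2049 (nfs) plus mountd, nlockmgr and status on ports the server picked at boot; those three can be pinned in the server's NFS configuration so the rule set stays static. NFSv4 needs only TCP 2049 and does not consult the portmapper at all. The Python below parses a constructed `rpcinfo -p` listing (the high port numbers are made up), separates the well-known ports from the dynamic ones, and emits ACL lines; `inside_in` and the host addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed `rpcinfo -p <nfs-server>` output for an NFSv3 server whose mountd,
# nlockmgr and status ports were left at their dynamic defaults.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100021    1   udp  38213  nlockmgr
    100021    4   tcp  39977  nlockmgr
    100024    1   udp  42061  status
    100024    1   tcp  58401  status
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

# Ports NFS always uses regardless of what the portmapper says.
WELL_KNOWN = {111, 2049}


def parse_rpcinfo(text):
    """Return {(proto, port): set(service names)} from rpcinfo -p output.
    The header line does not match the regex and is skipped."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _program, _version, proto, port, service = m.groups()
            table[(proto, int(port))].add(service)
    return dict(table)


def ports_to_open(text):
    """Split advertised ports into (fixed, dynamic) lists of
    (proto, port, services). Anything outside 111/2049 is dynamic and should be
    pinned on the server (or the firewall must track sunrpc) before relying on it."""
    fixed, dynamic = [], []
    for (proto, port), services in parse_rpcinfo(text).items():
        entry = (proto, port, tuple(sorted(services)))
        (fixed if port in WELL_KNOWN else dynamic).append(entry)
    return sorted(fixed), sorted(dynamic)


def acl_lines(text, client, server, acl_name="inside_in"):
    """One permit per advertised (proto, port), dynamic ports marked for review."""
    fixed, dynamic = ports_to_open(text)
    lines = []
    for proto, port, services in fixed:
        lines.append(f"access-list {acl_name} extended permit {proto} host {client} "
                     f"host {server} eq {port}  ! {','.join(services)}")
    for proto, port, services in dynamic:
        lines.append(f"access-list {acl_name} extended permit {proto} host {client} "
                     f"host {server} eq {port}  ! {','.join(services)} (dynamic: pin it on the server)")
    return lines


if __name__ == "__main__":
    for line in acl_lines(SAMPLE_RPCINFO, "10.10.1.9", "10.20.1.8"):
        print(line)
```

If the listing shows only `nfs` on 2049 and the client mounts with `vers=4`, the single TCP 2049 rule is all the firewall needs.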
xnx Member Posts: 464
Maybe use Wireshark and find your ports in another scenario.
Getting There ...
Lab Equipment: Using Cisco CSRs and 4 Switches currently
docrice Member Posts: 1,706
Quick info about marshalling:
http://en.wikipedia.org/wiki/Marshalling_(computer_science)
Sometimes merely doing a Wireshark capture isn't going to be sufficient when protocols using dynamically-negotiated ports are involved. RPC is one of those annoying protocols to properly write ACLs for. If the firewall doesn't recognize and track the protocol, you essentially have to open a whole range of ports. FTP is one of those protocols which just about all stateful inspection firewalls can handle. RPC isn't as reliably supported in my experience, at least with older devices.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
JeanM Member Posts: 1,117
Is it possible to just use FTP, so you then know what ports to work with?
2015 goals - ccna voice / vmware vcp.
docrice Member Posts: 1,706
FTP would in theory make it easier, but there are dynamically-generated ports too for both active and passive FTP (although just about any stateful-inspection firewall should be able to handle that these days without blinking an eye). It's also cleartext traffic, so credentials in transit are completely visible to third parties.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/