File copy through firewall

FrankGuthrie Member Posts: 245
I've attached a picture to the thread for clarification.

If I want to migrate data from an old server to a new server, which port do I need to open when there is a firewall in between? Which protocol is used when copying?

Does this differ when copying from Linux to Linux?

What if you copy from EMC/NETAPP to EMC/NETAPP?

Comments

  • gorebrush Member Posts: 2,743
    Depends on:

    1. What OS you are using
    2. What actual file transfer technology/protocol.

    Are you using SSH, FTP, SMB, NFS, etc etc etc?
  • FrankGuthrie Member Posts: 245
    Good post, that actually made me think :P. In order to copy from Windows to Windows you need to make a mapping; I would be using SMB/CIFS (TCP port 445), and with Linux NFS (port 111 TCP and UDP, and 2049 TCP and UDP).
  • darkuser Member Posts: 620
    What they said... what application are you using for the copy, and what transport does the application use?
    rm -rf /
  • FrankGuthrie Member Posts: 245
    Well, copying from Windows to Windows is not really using an application, right? It's just Windows Explorer. I guess the application is Windows Explorer.
  • docrice Member Posts: 1,706
    Windows to Windows is typically SMB (initiated via a UNC path reference), which is TCP 445. But that said, there could potentially be other protocols in the mix like Kerberos, MS-RPC, etc. depending on host configurations and other considerations. Some protocols like MS-RPC require a large range depending on the Windows Server version.

    http://support.microsoft.com/kb/179442

    If you're not sure what's involved for your particular situation, check the firewall drop logs (assuming you have an explicit clean-up drop rule at the bottom of the ACL).
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
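    As an added illustration of the drop-log approach described above (example code, not from the thread or any poster): a Python script that parses constructed iptables-style log lines from a clean-up DROP rule, counts the destination ports blocked between the two migration hosts, and labels the ports discussed here (SMB 445, MS-RPC endpoint mapper 135, rpcbind 111, NFS 2049). The log format, the host addresses and the FW-DROP prefix are assumptions.

```python
from collections import Counter

# Well-known ports for the protocols mentioned in the thread (assumed mapping).
KNOWN_PORTS = {
    ("TCP", 445): "SMB/CIFS",
    ("TCP", 135): "MS-RPC endpoint mapper",
    ("TCP", 111): "Sun RPC portmapper (rpcbind)",
    ("UDP", 111): "Sun RPC portmapper (rpcbind)",
    ("TCP", 2049): "NFS",
    ("UDP", 2049): "NFS",
    ("TCP", 21): "FTP control",
}

# Constructed sample: iptables LOG output from a hypothetical clean-up DROP rule.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=10.1.1.5 DST=10.2.2.8 LEN=60 PROTO=TCP SPT=51234 DPT=445 SYN
Mar  3 10:01:03 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=10.1.1.5 DST=10.2.2.8 LEN=60 PROTO=TCP SPT=51235 DPT=445 SYN
Mar  3 10:01:05 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=10.1.1.5 DST=10.2.2.8 LEN=60 PROTO=TCP SPT=51236 DPT=135 SYN
Mar  3 10:01:06 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=10.1.1.5 DST=10.2.2.8 LEN=60 PROTO=TCP SPT=51237 DPT=49672 SYN
Mar  3 10:01:07 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=10.1.1.9 DST=10.2.2.8 LEN=72 PROTO=UDP SPT=33000 DPT=111
Mar  3 10:01:08 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=10.1.1.9 DST=10.2.2.8 LEN=60 PROTO=TCP SPT=33001 DPT=2049 SYN
"""

def parse_fields(line):
    """Turn the KEY=VALUE tokens of an iptables log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def parse_drops(log_text, src, dst):
    """Count (proto, dst_port) pairs dropped from src to dst."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("SRC") == src and f.get("DST") == dst and f.get("PROTO") in ("TCP", "UDP"):
            hits[(f["PROTO"], int(f["DPT"]))] += 1
    return hits

def classify(hits):
    """Label each dropped port; unknown high ports are likely RPC-allocated."""
    report = []
    for (proto, port), count in sorted(hits.items()):
        name = KNOWN_PORTS.get((proto, port))
        if name is None:
            name = ("ephemeral port, probably handed out by an RPC endpoint mapper "
                    "or portmapper; needs protocol inspection or a port range"
                    if port >= 1024 else "unlisted low port, confirm with a capture")
        report.append((proto, port, count, name))
    return report

if __name__ == "__main__":
    for proto, port, count, name in classify(parse_drops(SAMPLE_LOG, "10.1.1.5", "10.2.2.8")):
        print(f"{proto}/{port}: {count} drop(s) -> {name}")
```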
  • FrankGuthrie Member Posts: 245
    @docrice:

    What would I have used or need to open on the firewall when copying on Linux, NFS?
  • docrice Member Posts: 1,706
    If I recall, NFS uses RPC (although different ports than in MS-RPC for Windows because it's Sun RPC). There's the initial connection to TCP/UDP 111 (similar to TCP 135 for the Windows RPC endpoint mapper), then it's a bunch of ephemeral destination ports for the follow-up sessions during marshalling (although I recall the source ports for this second phase to use ports lower than 1024, but I don't remember accurately off the top of my head).

    ASA's application inspection engine hasn't always been the best in my experience, but I thought it recognized "sunrpc."
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • FrankGuthrie Member Posts: 245
    What do you mean by marshalling?
  • xnx Member Posts: 464
    Maybe use Wireshark and find your ports in another scenario
    Getting There ...

    Lab Equipment: Using Cisco CSRs and 4 Switches currently
  • docrice Member Posts: 1,706
    Quick info about marshalling:

    http://en.wikipedia.org/wiki/Marshalling_(computer_science)

    Sometimes merely doing a Wireshark capture isn't going to be sufficient when protocols using dynamically-negotiated ports are involved. RPC is one of those annoying protocols to properly write ACLs for. If the firewall doesn't recognize and track the protocol, you essentially have to open a whole range of ports. FTP is one of those protocols which just about all stateful inspection firewalls can handle. RPC isn't as reliably-supported in my experience, at least with older devices.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • JeanM Member Posts: 1,117
    Is it possible to just use FTP, so you then know what ports to work with?
    2015 goals - ccna voice / vmware vcp.
  • docrice Member Posts: 1,706
    FTP would in theory make it easier, but there are dynamically-generated ports too for both active and passive FTP (although just about any stateful-inspection firewall should be able to handle that these days without blinking an eye). It's also cleartext traffic so credentials in transit are completely visible to third parties.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/