PhDLeToanThang / veeambackup

Veeam Powered Network (VeeamPN)
MIT License

After installing Ubuntu Linux and a proxy for the Veeam Backup & Replication server, the connection reports a port error #3

Open PhDLeToanThang opened 2 months ago

PhDLeToanThang commented 2 months ago

I am connecting from the VBR Manager, Backup Proxies section, and get this error:

image

PhDLeToanThang commented 2 months ago

The host firewall can be your friend, but Veeam handles a lot for you

The short version is that you do not need to configure the firewall. It will work and you will be optimally protected, as Veeam takes care of this behind the scenes. That's it.

For those who want a bit more detail, here it comes. When you enable SSH on Ubuntu to add the repository host, you can disable it immediately after doing so. That means the SSH port (22 normally) can be removed from the firewall or even blocked. It is important to know that Veeam will handle all the firewall rules it needs behind the scenes for you.

That is why you will find entries in the firewall like the ones below.

6162/tcp ALLOW Anywhere # Veeam transport rule

2501/tcp ALLOW Anywhere # Veeam rule ad684de2-5a4f-49d5-81d9-0368b4281af9

Leave these alone. Veeam handles this. The Veeam Linux transport service (or, more correctly, its child process, enviromentsvc) takes care of all that for you. After an agent has finished its work for a job, the transport service removes the firewall rule for that agent's particular work. That is what I call optimized security.

If a port has already been opened by the administrator of the server, the transport service won’t open or close it.

All this means that if and when you need to configure the firewall, you can, but you should not touch the rules for Veeam. That is handled for you. This is truly a case of "just because you can doesn't mean you should". Veeam has that covered. I did not expect anything less. You get optimal security by leaving the repository host alone.

When enabling and configuring the firewall, don’t forget about the sources on the internet you might need to reach, such as your NTP Servers, DNS, S3 storage (Backblaze, …), MFA (Duo, …), Ubuntu for updates, etc. Lock it down as needed or required by security policies, but there is no need to touch the Veeam rules!

If you are new to Linux, let Veeam handle it all. If you need to configure the host firewall, for Windows people like me it is easier and probably best to use Ubuntu's UFW (Uncomplicated Firewall) and not dive into iptables. UFW is disabled by default. Enabling and using it is pretty easy. You can read more about that in How To Set Up a Firewall with UFW on Ubuntu 20.04 | DigitalOcean

A proxy and an external firewall complete the security stance

Consider a proxy server/firewall that allows only outbound internet traffic to predefined FQDNs (DUO, UBUNTU, Backblaze, NTP), and that blocks any unwanted inbound traffic. For remote access, use a jump host behind a secured gateway. Do not allow direct access to the repository server from the internet. If you are looking for free solutions, I tend to use SQUID for a proxy and OPNSense as a firewall.
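
The comment above says to leave the rules the Veeam transport service creates alone while still locking down the rest of the host firewall. The following shell script is an added example, not code from this issue, from Veeam or from the quoted blog: it parses `ufw status` output and tags each rule as Veeam-managed (comment starting with "Veeam transport rule" or "Veeam rule <uuid>", the two patterns shown above) or admin-added, and wraps `ufw delete` in a guard that refuses to touch a Veeam-managed rule. The `ufw status` text is a constructed sample (the two Veeam lines mirror the ones quoted above; the others are made up), the function names are mine, and the guard only prints the `ufw` command it would run rather than executing it.

```shell
#!/bin/sh
# Added example (not part of the issue, Veeam, or the quoted blog): audit UFW rules on a
# Veeam Linux repository/proxy host and separate Veeam-managed rules from admin rules.
set -eu

# Constructed sample of plain `ufw status` output (not `ufw status verbose`).
# The 6162/tcp and 2501/tcp lines mirror the rules quoted in the comment above;
# the 22/tcp and 2500:3300/tcp lines are invented admin rules for the example.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       10.0.0.0/24               # admin: ssh from mgmt subnet
6162/tcp                   ALLOW       Anywhere                   # Veeam transport rule
2501/tcp                   ALLOW       Anywhere                   # Veeam rule ad684de2-5a4f-49d5-81d9-0368b4281af9
2500:3300/tcp              ALLOW       Anywhere                   # admin: pre-opened veeam data movers
'

# classify_ufw_rules: read `ufw status` text on stdin, print one line per rule:
#   <veeam|admin> <to> <action> <from>
# A rule counts as Veeam-managed only when its comment starts with "Veeam transport rule"
# or "Veeam rule", the two comment forms the transport service writes (as quoted above).
# A lowercase "veeam" in an admin's own comment is deliberately not enough.
classify_ufw_rules() {
    awk '
        /^(Status:|To |--)/ { next }   # table header lines
        /^[ \t]*$/          { next }   # blank lines
        {
            comment = ""
            if (match($0, /#.*$/)) comment = substr($0, RSTART + 1)
            sub(/^[ \t]+/, "", comment)
            owner = (comment ~ /^Veeam (transport )?rule/) ? "veeam" : "admin"
            action = $2; from = $3
            # `ufw status` may print "ALLOW IN"/"ALLOW OUT" as two fields
            if ($3 == "IN" || $3 == "OUT") { action = $2 " " $3; from = $4 }
            print owner, $1, action, from
        }'
}

# veeam_managed_ports: stdin = `ufw status` text; prints the To column of Veeam rules.
veeam_managed_ports() {
    classify_ufw_rules | awk '$1 == "veeam" { print $2 }'
}

# ufw_delete_guard SPEC: stdin = `ufw status` text. Prints the `ufw delete` command for
# an admin rule matching SPEC (e.g. 22/tcp); refuses (exit 1) if the rule is Veeam-managed,
# exit 2 if no rule matches. It never runs ufw itself; pipe the output to sh if wanted.
ufw_delete_guard() {
    spec=$1
    owner=$(classify_ufw_rules | awk -v s="$spec" '$2 == s { print $1; exit }')
    case "$owner" in
        veeam) printf 'refusing: %s is managed by the Veeam transport service\n' "$spec" >&2; return 1 ;;
        admin) printf 'ufw delete allow %s\n' "$spec" ;;
        *)     printf 'refusing: no rule found for %s\n' "$spec" >&2; return 2 ;;
    esac
}

# Demo on the constructed sample; on a real host replace the sample with `ufw status`.
printf '%s\n' "$SAMPLE_UFW_STATUS" | classify_ufw_rules
printf '%s\n' "$SAMPLE_UFW_STATUS" | ufw_delete_guard 22/tcp
printf '%s\n' "$SAMPLE_UFW_STATUS" | ufw_delete_guard 6162/tcp || true
```

On a live host the audit is `ufw status | veeam_managed_ports`; whatever that lists was opened by the transport service and is the set of rules to leave alone. The guard matches on the exact To column only, so a range such as 2500:3300/tcp that an admin opened before Veeam needed it is reported as admin-owned, which is consistent with the note above that Veeam neither opens nor closes ports the administrator already opened.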

PhDLeToanThang commented 2 months ago