[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Duplicity-talk] Scp calls

From: AJ Weber
Subject: Re: [Duplicity-talk] Scp calls
Date: Mon, 4 Jan 2010 11:41:15 -0500

It wouldn't be granular enough at that, unfortunately. I have a script that iterates my directories now, and could insert the port-knock command as well...

However, a port knock typically opens the firewall for a specified client-IP for a small window of time (typ 30sec). After that timeout, if you haven't established the TCP session, you can't get in unless you "knock" again. (Once you have an established connection, the firewall rules will continue to allow that connection, just not connect a new one.)

If I'm transferring small, incrementals, it would _probably_ work OK, because a few scp calls would likely make it within that 30sec timeout. However, if/when I run a full backup, the backup of most of those directories would take minutes (some, many minutes) to complete, so somewhere during the backup-run, the firewall will close-up the ssh port, and further scp calls will be denied/blocked. Thus the problem with a lot of individual ssh/scp connects versus one, persistent connection to tunnel the files/diffs through.

Thanks for the offer.


----- Original Message ----- From: "Jacob Godserv" <address@hidden> To: "AJ Weber" <address@hidden>; "Discussion of the backup program duplicity" <address@hidden>
Sent: Monday, January 04, 2010 11:26 AM
Subject: Re: [Duplicity-talk] Scp calls

On Mon, Jan 4, 2010 at 10:13, AJ Weber <address@hidden> wrote:
Thus, my comment about openvpn was not that it's more-or-less secure, but
that I could open one tunnel to the target (after one port-knock), run all
my duplicity backups, then exit the vpn connection, leaving the server with
zero open ports while it's not consuming backups (or restoring). But, as
you said, I'm not sure it's worth the extra setup; it's not _that_ much
work, but the KISS principle applies with backup/restore scenarios, IMHO.

I've created a wrapper script around duplicity which uses a
directory-based configuration system to run scripts before and after
duplicity execution, and to determine how duplicity is executed, and
with what options.

You could do the same to open and close ports.


   "For then there will be great distress, unequaled
   from the beginning of the world until now — and never
   to be equaled again. If those days had not been cut
   short, no one would survive, but for the sake of the
   elect those days will be shortened."

   Are you ready?

reply via email to

[Prev in Thread] Current Thread [Next in Thread]