Re: [Duplicity-talk] Scp calls

From: Gabriel Ambuehl
Subject: Re: [Duplicity-talk] Scp calls
Date: Mon, 04 Jan 2010 18:41:49 +0100
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20091204 Thunderbird/3.0

On 04.01.2010 17:41, AJ Weber wrote:
> It wouldn't be granular enough at that, unfortunately. I have a script that iterates my directories now, and could insert the port-knock command as well...
>
> However, a port knock typically opens the firewall for a specified client IP for a small window of time (typ. 30 sec). After that timeout, if you haven't established the TCP session, you can't get in unless you "knock" again. (Once you have an established connection, the firewall rules will continue to allow that connection, just not a new one.)
>
> If I'm transferring small incrementals, it would _probably_ work OK, because a few scp calls would likely make it within that 30 sec timeout. However, if/when I run a full backup, the backup of most of those directories would take minutes (some, many minutes) to complete, so somewhere during the backup run the firewall will close up the ssh port, and further scp calls will be denied/blocked. Thus the problem with a lot of individual ssh/scp connects versus one persistent connection to tunnel the files/diffs through.

Then how about wrapping scp in a script doing the port knocking (possibly with a timeout below which it would straight go to scp without knocking, even) instead of duplicity?
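One way to build the wrapper Gabriel describes, as an added example that is not from this thread or from the duplicity project: a POSIX sh script that knocks only when the last knock is older than the firewall's window and otherwise goes straight to scp. The knock command, host, ports, stamp path and the 25-second margin are placeholders; the assumption is that the script is installed as `scp` ahead of the real binary on the PATH duplicity uses.

```shell
#!/bin/sh
# scp wrapper for duplicity: knock first, but only when the last knock is older
# than the firewall's open window, so back-to-back scp calls skip the knock.
# Every name below is a placeholder for this example, not a duplicity option.
KNOCK_WINDOW=${KNOCK_WINDOW:-25}   # seconds; a margin under the 30 s window in the thread
KNOCK_STATE=${KNOCK_STATE:-$HOME/.scp-knock.stamp}   # where the last knock time is kept
KNOCK_CMD=${KNOCK_CMD:-"knock backup.example.net 7000 8000 9000"}  # placeholder sequence
REAL_SCP=${REAL_SCP:-/usr/bin/scp}

# needs_knock NOW LAST WINDOW: succeed (0) if a fresh knock is required.
# An empty or non-numeric LAST (no stamp yet, corrupt stamp) counts as stale.
needs_knock() {
    now=$1; last=$2; window=$3
    case $last in
        ''|*[!0-9]*) return 0 ;;
    esac
    [ $((now - last)) -ge "$window" ]
}

# knock_if_needed: read the stamp, knock if stale, and record the knock time.
# Fails (1) when the knock command itself fails so the caller does not try scp.
knock_if_needed() {
    now=$(date +%s)
    last=''
    [ -r "$KNOCK_STATE" ] && last=$(cat "$KNOCK_STATE")
    if needs_knock "$now" "$last" "$KNOCK_WINDOW"; then
        $KNOCK_CMD || return 1
        echo "$now" > "$KNOCK_STATE"
    fi
}

# When installed as the scp that duplicity finds first in PATH, knock and hand
# all arguments to the real scp; when sourced elsewhere, only define functions.
case ${0##*/} in
    scp) knock_if_needed || exit 1; exec "$REAL_SCP" "$@" ;;
esac
```

A long-running scp refreshes nothing while it runs, so the next call after a multi-minute transfer sees a stale stamp and knocks again, which is exactly the full-backup case above.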
