duplicity-talk

Re: [Duplicity-talk] Scp calls


From: AJ Weber
Subject: Re: [Duplicity-talk] Scp calls
Date: Mon, 4 Jan 2010 11:41:15 -0500

It wouldn't be granular enough at that, unfortunately. I have a script that iterates my directories now, and could insert the port-knock command as well...

However, a port knock typically opens the firewall for a specified client-IP for a small window of time (typ 30sec). After that timeout, if you haven't established the TCP session, you can't get in unless you "knock" again. (Once you have an established connection, the firewall rules will continue to allow that connection, just not connect a new one.)

If I'm transferring small incrementals, it would _probably_ work OK, because a few scp calls would likely make it within that 30sec timeout. However, if/when I run a full backup, the backup of most of those directories would take minutes (some, many minutes) to complete, so somewhere during the backup-run, the firewall will close up the ssh port, and further scp calls will be denied/blocked. Thus the problem with a lot of individual ssh/scp connects versus one, persistent connection to tunnel the files/diffs through.

Thanks for the offer.

-AJ

----- Original Message -----
From: "Jacob Godserv" <address@hidden>
To: "AJ Weber" <address@hidden>; "Discussion of the backup program duplicity" <address@hidden>
Sent: Monday, January 04, 2010 11:26 AM
Subject: Re: [Duplicity-talk] Scp calls


On Mon, Jan 4, 2010 at 10:13, AJ Weber <address@hidden> wrote:
> Thus, my comment about openvpn was not that it's more-or-less secure, but
> that I could open one tunnel to the target (after one port-knock), run all
> my duplicity backups, then exit the vpn connection, leaving the server with
> zero open ports while it's not consuming backups (or restoring). But, as
> you said, I'm not sure it's worth the extra setup; it's not _that_ much
> work, but the KISS principle applies with backup/restore scenarios, IMHO.

I've created a wrapper script around duplicity which uses a
directory-based configuration system to run scripts before and after
duplicity execution, and to determine how duplicity is executed, and
with what options.

You could do the same to open and close ports.

--
   Jacob

   "For then there will be great distress, unequaled
   from the beginning of the world until now — and never
   to be equaled again. If those days had not been cut
   short, no one would survive, but for the sake of the
   elect those days will be shortened."

   Are you ready?
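
An added example, not part of either message and not Jacob's actual wrapper: a shell function that runs hook scripts from a configuration directory before and after one command, which is where a port-open and port-close step could live. The `pre.d`/`post.d` layout and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: directory-driven pre/post hooks around one command.
# Assumed layout (not from the thread):
#   $cfg/pre.d/*   executables run in sorted order before the command
#   $cfg/post.d/*  executables run in sorted order afterwards, always
# Constructed usage, with placeholder paths and host:
#   run_with_hooks /etc/backup/home duplicity /home scp://user@host//backups/home

# Run every executable file in a directory in glob (sorted) order.
# Stops at the first failing hook and returns its exit status.
run_hooks() {
    hook_dir=$1
    [ -d "$hook_dir" ] || return 0
    for hook in "$hook_dir"/*; do
        [ -f "$hook" ] && [ -x "$hook" ] || continue
        "$hook" || return $?
    done
    return 0
}

# run_with_hooks CFG_DIR COMMAND [ARGS...]
# Returns the command's exit status; if the command succeeded but a
# post hook failed, returns the post hook's status instead.
run_with_hooks() {
    cfg=$1
    shift
    pre_status=0
    cmd_status=0
    post_status=0

    run_hooks "$cfg/pre.d" || pre_status=$?
    if [ "$pre_status" -eq 0 ]; then
        "$@" || cmd_status=$?
    else
        # A failed pre hook (e.g. the port never opened) skips the command.
        echo "pre hook failed ($pre_status); command not run" >&2
        cmd_status=$pre_status
    fi

    # Post hooks run on every path, so a port opened by a pre hook
    # is closed again even when the backup itself fails.
    run_hooks "$cfg/post.d" || post_status=$?

    if [ "$cmd_status" -ne 0 ]; then
        return "$cmd_status"
    fi
    return "$post_status"
}
```

The hooks bracket the whole command, so a firewall window that only admits new connections for a short time after the pre hook still closes partway through a long run that makes many separate scp connections.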