Skip to the content of the web site.
[an error occurred while processing this directive]
[an error occurred while processing this directive]
IST Collage

Configuring Legato NetWorker Client under Mac OS X with the firewall enabled

The Mac OS X firewall is software that protects the network applications running on your workstation. Mac OS X uses the application ipfw for firewall service. Turning on firewall service is similar to erecting a wall to limit access. The firewall scans incoming IP packets and rejects or accepts these packets based on the set of filters you create. You can restrict access to any IP service and you can customize filters for all incoming clients or for a range of client IP addresses. Services such as Legato NetWorker are identified on your workstation by a Transmission Control Protocol (TCP) port number. When a computer tries to connect to a service, firewall service scans the filter list for a matching port number. If the port number is not in the list, the Default filter that contains the most specific address range is used. When you start firewall service the first time, most incoming TCP packets are denied until you change the filters to allow access. This poses a potential problem with the backup process initiated from the Legato NetWorker backup server. When it is time for your computer to be backed up, the server reaches out and contacts the Legato NetWorker client software installed on your computer. With the firewall turned on, this connection from the backup server is rejected unless the proper filter is enabled. To prevent the firewall from rejecting the backup process, you need to open a hole in the firewall to allow the backup server to contact the NetWorker client software on your machine.

This operation must be conducted using an account with Administrator privileges.

 

Enabling Legato NetWorker backups on a Mac OS X Server client with the firewall service turned on

Step 1: Start firewall service.

The Server Admin application under Mac OS X is located in the Applications folder but it is most easily launched from the default Dock. In Server Admin, select Firewall from the Computers & Services list and click Start Service. By default, this blocks all incoming ports except those used to configure the server remotely.

Step 2: Proceed to the firewall General Settings pane.

You can use the General Settings pane to create the IP address groups that the new filters will apply to. Click Settings (at the bottom of the Firewall pane) and then select the General tab (at the top of the Settings pane).

Step 3: Create IP address groups for hoover and for your workstation.

Click the Add (+) button beneath the Address Group pane and enter the group name hoover, the IP address 129.97.129.70 and click OK.

Repeat this process to create an address group for your workstation.

Click Save to add these address groups.

Step 4: Proceed to the firewall Advanced Settings pane.

You can use the Advanced Settings pane to configure very specific filters for TCP ports. Click Settings (at the bottom of the Firewall pane) and then select the Advanced tab (at the top of the Settings pane).

Step 5: Create Advanced IP Filters for Legato NetWorker TCP ports.

Click the Add (+) button and enter the following data (see illustration below) to Allow (in the Action pop-up menu) for TCP ports (in the Protocol pop-up menu) for Other... (NetWorker) service (in the Service pop-up menu) from hoover (in the Source Address pop-up menu) to your workstation group (in the Destination Address pop-up menu) using port range 7937-7941 with network interface In (in the Interface pop-up menu).

If desired, choose to Log all packets matching this rule and then Click OK.

Create the following three additional filters (clicking OK each time):

  • Action: Allow
  • Protocol: TCP
  • Service: Other...
  • Source Address: hoover
  • Destination Address: your workstation group
  • Destination Port: 0-0
  • Interface: In

  • Action: Allow
  • Protocol: TCP
  • Service: Other...
  • Source Address: your workstation group
  • Destination Address: hoover
  • Destination Port: 7937-7941
  • Interface: Out

  • Action: Allow
  • Protocol: TCP
  • Service: Other...
  • Source Address: your workstation group
  • Destination Address: hoover
  • Destination Port: 0-0
  • Interface: Out

Click Save to apply these filters immediately (and quit Server Admin).

top

 

Enabling Legato NetWorker backups on a Mac OS X client with the firewall service on

Step 1: Start firewall service from System Preferences.

Open System Preferences from the Apple menu or from the Dock. In System Preferences, select Sharing from the Internet & Network list, click the Firewall tab near the top of the Sharing pane, and click Start. By default, this blocks most incoming ports.

Step 2: Open Legato NetWorker ports.

Click New...and enter the following data:, and then click OK:

  • Port Name: Other
  • Port Number, Range or Series: 7937-7941,0-0
  • Description: Legato NetWorker

Click OK

Quit Systems Preferences.

top

Last updated by Paul Henderson (email henders at UWaterloo.ca) on May 23, 2006.

Keywords: (none)