I’ve been doing some testing in the lab recently. The focus of this testing has been primarily on Pure Storage’s ObjectEngine and its associated infrastructure. As part of that, I’ve been doing various things with Veeam Backup & Replication 9.5 Update 4, including setting up a FlashBlade NFS repository. I’ve documented the process in a document here. One thing that I thought worthy of noting separately was the firewall requirements. For my Linux Mount Server, I used a CentOS 7 VM, configured with 8 vCPUs and 16GB of RAM. I know, I normally use Debian, but for some reason (that I didn’t have time to investigate) it kept dying every time I kicked off a backup job.
In any case, I set everything up as per Pure’s instructions, but kept getting timeout errors on the job. The error I got was “5/17/2019 10:03:47 AM :: Processing HOST-01 Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond NFSMOUNTHOST:2500“. It felt like it was probably a firewall issue of some sort. I tried to make an exception on the Windows VM hosting the Veeam Backup server, but that didn’t help. The problem was with the Linux VM’s firewall. I used the instructions I found here to add in some custom rules. According to the Veeam documentation, Backup Repository access uses TCP ports 2500 – 5000. Your SecOps people will no doubt have a conniption, but here’s how to open those ports on CentOS.
Firstly, is the firewall running?
[danf@nfsmounthost ~]$ sudo firewall-cmd --state [sudo] password for danf: running
Yes it is. So let’s stop it to see if this line of troubleshooting is worth pursuing.
[danf@nfsmounthost ~]$ sudo systemctl stop firewalld
The backup job worked after that. Okay, so let’s start it up again and open up some ports to test.
[danf@nfsmounthost ~]$ sudo systemctl start firewalld [danf@nfsmounthost ~]$ sudo firewall-cmd --add-port=2500-5000/tcp success
That worked, so I wanted to make it a more permanent arrangement.
[danf@nfsmounthost ~]$ sudo firewall-cmd --permanent --add-port=2500-5000/tcp success [danf@nfsmounthost ~]$ sudo firewall-cmd --permanent --list-ports 2500-5000/tcp
Remember, it’s never the storage. It’s always the firewall. Also, keep in my mind this article is about the how. I’m not offering my opinion about whether it’s really a good idea to configure your host-based firewalls with more holes than Swiss cheese. Or whatever things have lots of holes in them.