Firewall

[The Wolf]

I cannot back up to ftp with the firewall on and do not want to turn it off. I have the proper ports open?

[natew]

Hi

 

Then you have to make a choice. The ports must be open for the backup to run.

 

Nate

[Lennart_T]

Quote:

---

I have the proper ports open?

 

---

Hi.

 

Is that a statement or a question?

In the former case: Which ports have you opened?

In the latter case: I like to know, too, which ports to open.

 

Regards

Lennart

[waltr]

hi all,

 

Retrospect uses 'active' FTP for backups. here is an excellent read on active FTP (passive is discussed too, but Retrospect doesn't do that):

 

http://slacksite.com/other/ftp.html#active

 

here is the KB article on FTP backup sets, it's also pretty thourough:

 

http://kb.dantz.com/article.asp?article=5759&p=2

 

short answer, you'll want port 21 open.

[The Wolf]

21 is open and it does NOT work.

 

Also if I label my quicken data file purple and select back up files that are purple why doesn't it back up the quicken data.

 

Also why does Dantz support non existant?

[CallMeDave]

Quote:

---

why does Dantz support non existant?

 

---

 

I don't know. Is "non existant" some product that they sell? I suppose if it is, then they would provide support for it just as they provide support for all their products.

 

Or perhaps the above is a typographical mistake, and you intended to ask "why is Dantz support non existant"?

 

To that, the short answer would be:

 

It isn't.

 

Dantz provides technical support for the products that they sell. They have a technical support department that is staffed by people who are employed for the purposes of providing that support.

 

Dantz techincal support was free of charge about four years ago, but at that time they started charging $75 per incident (not per call, per problem). At the same time, they set up this web forum as a community exchange, which is visited by some of the tech support folks (presumably when they are not busy on other incidents).

 

Of the three subjects you've brough up since your first post in September 1994, you have received a reply from NateW each time (and this time from Waltr too).

 

If you want faster, more personal attention, call Customer Support and purchase it.

 

Dave

[waltr]

hi wolf,

 

Quote:

---

21 is open

 

---

 

how do you know this? you don't supply any evidence that it is open other than that you've seen it in the firewall config. since you can't use the ftp option in Retrospect with the firewall on, have you tested with another ftp product? remember you will have to use 'active' ftp as i pointed out above.

 

you may want to try some troubleshooting at this point to address the problem. as dave points out, you could also call EMC tech support since you are having such trouble.

 

remember that people on the forum need as complete a description as you can provide. we don't know you, and we aren't looking over your shoulder, so don't leave any descriptive elements out of your post. list all troubleshooting steps you've tried, or our conclusion will be that you have not done any.

[The Wolf]

Well I think it sucks that Dantz wants $69 to troubleshoout a defective product.

 

21 is open

497 is open

Firewall on, don't work

Firewall off, does work

 

Everything is fine with Fetch so it is a Retrospect problem

[Lennart_T]

Do you have Fetch set to Active or Passive FTP?

[waltr]

Quote:

---

Firewall on, don't work

Firewall off, does work

 

---

 

that really should tell you all you need to know right there. however, i'd be interested in whether you've tried Fetch in 'active' mode as well.

 

who uses Fetch anymore? isn't it a classic app? i thought they called it 'Transmit' these days or something.

[rhwalker]

Quote:

---

who uses Fetch anymore?

 

---

Me, for one, and lots of other people. It's very nice.

Quote:

---

isn't it a classic app?

 

---

No, you are clearly misinformed. See: http://fetchsoftworks.com/. Older versions of the program run in the "Classic" environment, but the current version is Mac OS X only, and is still being maintained. Very nice.

 

Russ

[The Wolf]

If you don't know the answer why do you post? I am not the only person in the world trying to back up to ftp with mac osx.

 

active or passive retrospect does NOT work with the firewall on? it would be nice if someone could explain why? I do not feel like wasting $69 for an obvious bug on Dantzs' part.

 

Fetch works fine with passive checked or passive unchecked.

 

once again 21 is open

497 is open

 

Firewall on, don't work

Firewall off, does work

[waltr]

thanks russ,

 

i downloaded Fetch and gave it a test. it did connect between two Mac's with the firewall with the 'passive' preference unchecked. i tried this against a Filezilla FTP server because that FTP server has excellent logging. it shows the connection attempts to use active, but reverts to passive, which tells me Fetch is not a good program to troubleshoot this with.

 

as i noted above, Retrospect will _not_ use passive FTP. there is no way around this.

 

i'm researching some stuff on the Apple Firewall, IPFW (actually the BSD firewall). i won't promise anything and i don't know what i'll find, but that is definitely where the problem lies.

[waltr]

hi wolf,

 

so i really searched & i've come up with a bit of arcana that should fix the problem. you need to add a firewall exception to the Macintosh that you are running Retrospect on, but there is no way to do this from the Finder. from the terminal you need to become root, then you can enter this command:

 

'ipfw add 00200 allow tcp from XXX.XXX.XXX.XXX 20 to any'

 

you can use 'ipfw show' to see that the rule is in place. a few notes:

 

1) the number 00200 is the rule number in the ipfw program. i've chosen a number that is not used by default, but caveat emptor.

2) XXX.XXX.XXX.XXX is the ip address of the FTP server you are trying to connect to.

 

there may be a way to loosen up the rules a bit, i'm not going into this any further. i leave that to the reader.

 

to do this from a GUI, you could probably do it pretty easily from OS X Server (although i'll also leave that to the reader), or in OS X Desktop you could try 'Flying Butress':

 

http://personalpages.tds.net/~brian_hill/brickhouse.html

 

which was formerly known as 'Brickhouse'. this is not an endorsement of that product, but just a suggestion for further research.

 

the problem is definitely not in Retrospect, it is in the firewall and GUI config for the firewall on OS X.

 

as an aside, you could post a feature request for 'Passive FTP' in the feature requests forum. i'd second that.

[CallMeDave]

Quote:

---

If you don't know the answer why do you post?

 

---

 

 

 

Because this is a Community Forum, where Retrospect users get together to help other Retrospect users.

 

 

 

Some posts may be requests for more information, some may be definitive answers, while others may just be comments.

 

 

 

It sounds as if WaltR has figured out the problem, and the results of his research will probably be something others will benefit from in the future.

 

 

 

Thanks, Walt.

 

 

 

Dave

[rhwalker]

Quote:

---

I do not feel like wasting $69 for an obvious bug on Dantzs' part.

 

---

Sorry, but it's not a Retrospect bug. Retrospect just does not do passive FTP, and it's not a dessert topping, either. As your test shows, it's simply an issue with how you have your firewall rules set up:

Quote:

---

Firewall on, don't work

Firewall off, does work

 

---

I suggest that you follow up on waltr's suggestion as to how you might change your firewall configuration. Are you aware that FTP is an inherently-insecure protocol, and sends the FTP login/password "in the clear"? It might also be better to isolate your computer from the internet with a simple router/firewall appliance rather than using ipfw, so that you could leave ipfw turned off.

 

Russ

[The Wolf]

No, I solved my own problem as this forum AND Dantz' attitude towards the customer is useless.

 

There is a range of ports that must be open to do active. I won't post the answer, let some loser pay Dantz there $69 next time.

[waltr]

Quote:

---

No, I solved my own problem

 

---

 

umm, not really. you just took the good advice given. if you hadn't let your attitude get in the way, you probably could have solved this a lot earlier.

 

Quote:

---

There is a range of ports that must be open to do active.

 

---

 

yes, this is true. in my solution i used any. i know this is a hard concept, but any = a whole range of ports

 

Quote:

---

I won't post the answer, let some loser pay Dantz there $69 next time.

 

---

 

i really don't think you understand the answer well enough to post it. i think you had a friend read my post and do it for you.

 

by the way, coming on the board and calling Dantz customers 'losers' isn't going to engender you to anyone on the board.

[Lennart_T]

Waltr, well said!

[rhwalker]

Quote:

---

No, I solved my own problem as this forum AND Dantz' attitude towards the customer is useless.

 

There is a range of ports that must be open to do active. I won't post the answer, let some loser pay Dantz there $69 next time.

 

---

Sigh. No good deed goes unpunished. You came to this forum looking for assistance, several people took the time to point you in the right direction to fix your firewall's misconfiguration, and you return that help with scorn. Have a great day, glad your setup is now working.

 

Russ

[avaughs]

Thank waltr. You suggestion worked for me. Your good deed should not go unrecognized .

 

I have been attempting to ftp (Internet) backup to a Buffalo TeraServer without success. Also, Internet backups failed after I upgraded my Mac to 10.4.x from 10.3.latest. I didn't know why. Now I do. It appears that something is wrong with the manner in which Mac OS X Tiger implements Firewalls.

 

Thanks again. This tip should be rolled into a Knowledge Base entry.

[waltr]

hi PMU,

 

glad this worked for you. and thanks for the kind words....