On Wed, 2006-05-17 at 14:55 +0200, philippe.zenhaeusern@ubs.com
wrote:> Thanks for your help, I will check if rsync is really unidirectional,
> unidirectional means for me, that a connection could only be established
> from one site.
I still do not understand exactly what you mean; let me guess. If the
computers can _connect_ in one direction (that is, intranet can connect
to internet), you can still _send files_ in either direction.
Run a command like this on the intranet machine to connect to the
internet machine and send files to the internet machine ("push"):
intranet$ rsync -a dir/ internet:dir/
Run a command like this on the intranet machine to connect to the
internet machine and receive files from the internet machine ("pull"):
intranet$ rsync -a internet:dir/ dir/
One command is used to transfer files in each direction. Either way,
the intranet machine connects to the internet machine, which is allowed
by the firewall.
Maybe these ASCII-art diagrams will help. (View them using a
fixed-width font.) The large arrow represents the connection. The
small arrows represent files.
PUSH: intranet$ rsync -a dir/ internet:dir/
Firewall allows connection
| \
====================\
Intranet -> -> -> -> -> \ Internet
(client) -> -> -> -> / (server)
(sender) ====================/ (receiver)
| /
| port 22
PULL: intranet$ rsync -a internet:dir/ dir/
Firewall allows connection
| \
====================\
Intranet <- <- <- <- <- \ Internet
(client) <- <- <- <- / (server)
(receiver) ====================/ (sender)
| /
| port 22
The firewall will prevent both sending and receiving if rsync is started
on the internet machine:
internet$ rsync -a dir/ intranet:dir/
Firewall blocks connection
| /
|/========= Intranet | would Internet
| be <- (client)
|\========== (sender)
| \
port 22 |
internet$ rsync -a intranet:dir/ dir/
Firewall blocks connection
| /
|/========= Intranet | would Internet
| be -> (client)
|\========== (receiver)
| \
port 22 |
> For a better unterstanding I attached a image to show
> you, how I understand your explanation. (my english is not allways exact
> ;)
>
> Shows this picture what you mean?
Your case a) is correct if your title "sync from intranet to internet"
refers to the direction of the connection. As my first two diagrams
show, you can make the files go in either direction. Your case b) seems
to correctly represent the port forwarding case, but it could be
clearer.
Here's my diagram of rsync using port forwarding. Note how an rsync
connection in the "wrong" direction is carried through an ssh
connection
in the right direction. By virtue of the forwarded port, a connection
to internet:1234 effectively goes to intranet:22 (both ports marked *),
where the ssh server on intranet gets it and invokes the rsync server.
However, since a connection in the "right" direction can accomplish
everything you want (transfer files in either direction), you probably
will not want to use the port forwarding setup.
Setting up port forwarding:
intranet$ ssh internet -R 1234:intranet:22
Now the Internet machine runs:
internet$ rsync -e "ssh -p 1234" -a internet:dir/ dir/
Intranet Firewall Internet
allows connection
|
/ | | \ | /
/=========| ssh =====================\ sshd |/======= rsync /
-> -> |\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/| -> -> rsync
(server) \ -> -> |/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\| -> ->
(client)
(sender) \=========| =====================/ |\======== (receiver)
\ | | / | \
port | port port
22* | 22 1234*
Or it runs:
internet$ rsync -e "ssh -p 1234" -a dir/ internet:dir/
Intranet Firewall Internet
allows connection
|
/ | | \ | /
/=========| ssh =====================\ sshd |/======= rsync /
<- <- |\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/| <- <- rsync
(server) \ <- <- |/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\| <-
<- (client)
(receiver) \=========| =====================/ |\======== (sender)
\ | | / | \
port | port port
22* | 22 1234*
Matt