[Nut-upsuser] Client behind firewall

Peter Selinger selinger at mathstat.dal.ca
Sun Dec 10 22:33:34 CET 2006

Arjen de Korte wrote:
> Mike Lowrie wrote:
> > The problem is I really don't want to open a port form the dmz
> > to the internal network where the master UPS machine resides. I have
> > data from various clients that I can't have comprised.
> What has opening a port to do with that?

Arjen, I think Mike was referring to the fact that the client
initiates the TCP connection to the server, and not the other way
around. This requires opening a hole in the server's firewall (grant
access to port 3493, or another port if configured by ./configure

I don't see any reason, in principle, why the server could not
initiate the connection to the client instead. However, this would
require a lot more configuration on the server side (which clients to
connect to, what to do if it fails etc), and might also upset the
startup sequence (currently the server is started before the clients).
So in practice it would be quite difficult to implement. 

I see the catch-22 here: If you run the server (upsd) on the insecure
machine, then anybody breaking into that machine could shut down the
entire system, including the secure machine. If you run the server on
the secure machine, then there's the problem that clients cannot
connect to it. In a sense, upsmon must trust upsd, and not the other
way around, so it would make sense if upsmon required upsd to
authenticate itself, and not the opposite, as is currently the case. 
But as I said, the current NUT design does not allow this, and it
would be quite difficult to change. 

So on balance, I agree with Arjen's assessment: it's not a good idea
to run a secure and an insecure machine from the same UPS.

-- Peter

More information about the Nut-upsuser mailing list