post image

AWS Data Migration Service

Jan 30, 2020 Gethugothemes

I was just doing some testing of the AWS Data Migration Service (DMS), and it isn’t obvious when setting up endpoints that the public IP address of the replication instance is the one that traffic will always come from/to. At least in my testing, this was true.

I use the amazing OpenBSD pf firewall for the home perimiter, and was able to verify with 2 different AWS accounts.

Do the test by creating a target endpoint in DMS, and add your firewall IP as the destination


Then, run your test


Assuming you have logging/blocking setup correctly in OpenBSD, this was the command to see the denied traffic to verify the source IP:

tcpdump -n -e -ttt -i pflog0 port 5432

Which produced the following output:

Jan 30 20:43:54.026177 rule 4/(match) block in on em0: 52.x.x.x.38527 > 67.x.x.x.5432: S 362481813:362481813(0) win 26880 <mss 1460,sackOK,timestamp 664198628 0,nop,wscale 7> (DF) [tos 0x20]

Similar Posts

OpenBSD PF and OpenDNS

At home, I needed a way to prevent anything but OpenDNS from being used for DNS, and needed a rule that would do it in OpenBSD PF. Install and Configure First off, to setup an OpenDNS client on OpenBSD, install the ddclient package via pkg_add ddclient