Amanda-Users

RE: Amanda thru a firewall

2003-06-10 09:11:52
Subject: RE: Amanda thru a firewall
From: donald.ritchey AT exeloncorp DOT com
To: bren AT midco DOT net, amanda-users AT amanda DOT org
Date: Tue, 10 Jun 2003 08:02:47 -0500
All the answers depend on the exact behavior of your firewall, but they
should act consistently with other permitted services.

To get Amanda through firewalls here, we needed to specify port ranges for
both the TCP and UDP ports.  We used the TCP range X0000-X0040 and UDP range
of N90-N99 (exact ranges shouldn't matter, but choose ones that are not
already in use on the systems you are supporting).  Make sure you change the
Amanda port definitions in /etc/inetd.conf (or equivalent) to match the
ports you have specified.

Our firewall rules specify which hosts are allowed to use the opened ranges,
and which are permitted to originate and which can terminate.  We played it
safe for reliability and allowed either side to originate or terminate on
the specified ports.  We only backup two systems through firewalls (but one
of those is on the other side of two firewalls, so things can get
complicated).  I found that 2.4.4 was the earliest release that worked
correctly through the firewall port ranges, since 2.4.3 complained about
insecure ports.  Your only real option is experimentation.  I do suggest
that (if you are running Linux) you build from source, since that is the
only way to ensure that the options you want enabled are present in the
software.

As always, your mileage may vary.....

Donald L. (Don) Ritchey
E-mail:  Donald.Ritchey AT exeloncorp DOT com


-----Original Message-----
From: Brendon Colby [mailto:bren AT midco DOT net]
Sent: Monday, June 09, 2003 2:12 PM
To: amanda-users
Subject: Re: Amanda thru a firewall


On Monday 09 June 2003 08:53, Alex Specogna wrote:
> No you can configure Amanda to work through any firewall (including the
> PIX) we do it here. When you compile Amanda force it to use a specific
> range of ports.  Use the --with-tcpportrange=X,Y. Where X is the start and
> Y is the end of the range.

What about just allowing the backup server access to just those hosts which
need to be backed up? I guess I can see a slight risk, but access is allowed
from one machine.

I would just need to allow TCP? The FAQ mentioned doing the same with UDP
ports (--with-udpportrange=xxx,yyy).

-- 
Brendon Colby
Systems Administrator
Midcontinent Communications
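The two pieces the thread keeps coming back to are the fixed port ranges handed to configure and the firewall rules that pin those ranges to the backup server. The script below is an added example, not code from the thread or from the Amanda project: it turns one pair of ranges into the configure flags and into an iptables rule set for the client side (the thread mentions a PIX, so iptables is an assumption here, as are the addresses 192.0.2.10/192.0.2.20, the ranges 50000-50040 and 990-999, and the default amanda service port 10080/udp). The UDP range is checked against 1024 because Amanda's bsd-style authentication expects requests from reserved ports, which is the "insecure ports" complaint the reply attributes to 2.4.3.

```shell
#!/bin/sh
# Added example, not from the thread: derive Amanda configure flags and a
# host-restricted firewall rule set from one pair of fixed port ranges.
# Every address and range used here is a constructed placeholder.

# check_range LOW HIGH MAX: true when 1 <= LOW <= HIGH <= MAX
check_range() {
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ] && [ "$2" -le "$3" ]
}

# amanda_configure_flags TCPLO TCPHI UDPLO UDPHI
# Prints the two configure options named in the thread. The UDP range must
# stay below 1024: Amanda's bsd auth treats a request arriving from an
# unreserved UDP source port as insecure and refuses it.
amanda_configure_flags() {
    check_range "$1" "$2" 65535 || return 1
    check_range "$3" "$4" 1023 || return 1
    printf '%s=%s,%s %s=%s,%s\n' \
        --with-tcpportrange "$1" "$2" --with-udpportrange "$3" "$4"
}

# amanda_fw_rules SERVER CLIENT TCPLO TCPHI UDPLO UDPHI
# Prints iptables rules for the CLIENT host that admit only SERVER, and only
# on the chosen ranges: the "allow the backup server access to just those
# hosts" idea from the quoted message, with the ranges from the reply.
amanda_fw_rules() {
    server=$1; client=$2; tlo=$3; thi=$4; ulo=$5; uhi=$6
    # amandad request: the server sends from a port in the UDP range to the
    # amanda service port (10080/udp in a default /etc/services), and the
    # reply goes back the other way.
    printf 'iptables -A INPUT -p udp -s %s -d %s --sport %s:%s --dport 10080 -j ACCEPT\n' \
        "$server" "$client" "$ulo" "$uhi"
    printf 'iptables -A OUTPUT -p udp -s %s -d %s --sport 10080 --dport %s:%s -j ACCEPT\n' \
        "$client" "$server" "$ulo" "$uhi"
    # Data connections: the reply allowed either side to originate on the TCP
    # range, so both directions are opened, still pinned to the server.
    printf 'iptables -A INPUT -p tcp -s %s -d %s --dport %s:%s -j ACCEPT\n' \
        "$server" "$client" "$tlo" "$thi"
    printf 'iptables -A OUTPUT -p tcp -s %s -d %s --dport %s:%s -j ACCEPT\n' \
        "$client" "$server" "$tlo" "$thi"
    # Return traffic for whichever side originated.
    printf 'iptables -A INPUT -p tcp -s %s -d %s -m state --state ESTABLISHED -j ACCEPT\n' \
        "$server" "$client"
    printf 'iptables -A OUTPUT -p tcp -s %s -d %s -m state --state ESTABLISHED -j ACCEPT\n' \
        "$client" "$server"
}

# Demo with the constructed values: backup server 192.0.2.10, client 192.0.2.20.
amanda_configure_flags 50000 50040 990 999
amanda_fw_rules 192.0.2.10 192.0.2.20 50000 50040 990 999
```

Everything except the source-host restriction is what the thread already describes; the script only prints the rules, so the output can be read over before any of it is applied, and a rule set for a second client is the same call with a different address.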



