I need some help configuring Amanda to backup a couple of hosts in our DMZ.
Been trying to get it to work for quite some time, but it just won't work.
Hosts in the trusted zone go like a charm, but no success on the DMZ hosts
so far. For some reason our firewall doesn't seem to like Amanda, which
could partially be attributed to the fact that it doesn't do stateful
inspection. I realize this question is not a hardcore Amanda thing, but
hopefully some of you can give me some hints anyway.

We configured the firewall to allow UDP traffic from a secure port on our
Amanda server in the trusted zone to port 10080 in the DMZ. This works. But
unfortunately UDP isn't stateful, so we had to define a new set of rules to
allow the replies. What we did (or think we did) is allow UDP traffic from
port 10080 from hosts in the DMZ to secure ports on the Amanda server.
Strangely enough this sometimes works, but usually doesn't. The
reply packets sometimes disappear, sometimes generating an ICMP
"destination unreachable", but sometimes not even that. Sometimes even the
connections initiated by the Amanda server disappear, usually never
generating ICMP messages. Whatever we try, we never get to the point where
a TCP connection is set up (I keep referring to "we" as it's not me who
administers the firewall).

I compiled Amanda myself, restricting the ports to use to 45000-45100. So I
think it should be sufficient to punch a hole in the firewall that allows
TCP traffic from server to client within that range.

I just hope some of you can tell me I'm wrong and I need to do something
else/more... We use Linux machines here and a commercial firewall that
doesn't do connection tracking, unfortunately.

While I'm at it, what's the reason why the Amanda developers chose UDP for
the first stage? Is it only the overhead TCP causes?

Thanks in advance.

Hans
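Added example (not from the post, and not Amanda's own code): a small model of a packet filter without connection tracking, loaded with the three rules the post describes. Host names, the source ports 800 and 600 and the packet exchange are constructed; it assumes, as the post states, that the server opens the TCP connections to client ports 45000-45100. It shows that on a stateless filter the client's TCP replies need a rule of their own, and that matching only non-SYN packets in that rule keeps it from letting the DMZ host open new connections inward.

```python
from dataclasses import dataclass

SERVER, CLIENT = "amanda-server", "dmz-client"   # constructed host names
RESERVED = (1, 1023)         # "secure" source ports the Amanda server sends from
AMANDAD_UDP = (10080, 10080)
DATA_TCP = (45000, 45100)    # TCP range the post compiled Amanda with
ANY = (1, 65535)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    new: bool = False   # TCP only: SYN set, ACK clear, i.e. a new connection
@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    sports: tuple
    dst: str
    dports: tuple
    allow_new: bool = True   # False: stateless "established" approximation (non-SYN only)
    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and p.src == self.src and p.dst == self.dst
                and self.sports[0] <= p.sport <= self.sports[1]
                and self.dports[0] <= p.dport <= self.dports[1]
                and (self.allow_new or not p.new))
def permitted(rules, p):
    return any(r.matches(p) for r in rules)

# The three rules the post describes: UDP out, UDP replies back, TCP out to 45000-45100.
POSTED_RULES = [
    Rule("udp", SERVER, RESERVED, CLIENT, AMANDAD_UDP),
    Rule("udp", CLIENT, AMANDAD_UDP, SERVER, RESERVED),
    Rule("tcp", SERVER, ANY, CLIENT, DATA_TCP),
]
# Without connection tracking the client's TCP replies need their own rule; allow_new=False
# keeps that rule from letting the DMZ host open new connections inward.
RETURN_RULE = Rule("tcp", CLIENT, DATA_TCP, SERVER, ANY, allow_new=False)
# Constructed exchange: UDP request and reply, then one TCP data connection.
EXCHANGE = [
    Packet("udp", SERVER, 800, CLIENT, 10080),
    Packet("udp", CLIENT, 10080, SERVER, 800),
    Packet("tcp", SERVER, 600, CLIENT, 45003, new=True),  # server connects out
    Packet("tcp", CLIENT, 45003, SERVER, 600),            # SYN-ACK and data back
]
def blocked(rules):  # packets of the exchange that this rule set would drop
    return [p for p in EXCHANGE if not permitted(rules, p)]
```

With only the posted rules the exchange stalls at the first packet the client sends back on the TCP connection; adding RETURN_RULE lets the whole exchange through while still refusing a fresh SYN from the DMZ side.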