Amanda-Users

Amanda vs firewall

2004-03-22 12:34:18
Subject: Amanda vs firewall
From: Hans van Zijst <hzi AT syncera DOT nl>
To: amanda-users AT amanda DOT org
Date: Mon, 22 Mar 2004 18:26:08 +0100
I need some help configuring Amanda to back up a couple of hosts in our DMZ. 
Been trying to get it to work for quite some time, but it just won't work. 
Hosts in the trusted zone go like a charm, but no success on the DMZ hosts 
so far. For some reason our firewall doesn't seem to like Amanda, which 
could partially be attributed to the fact that it doesn't do stateful 
inspection. I realize this question is not a hardcore Amanda thing, but 
hopefully some of you can give me some hints anyway.

We configured the firewall to allow UDP traffic from a secure port on our 
Amanda server in the trusted zone to port 10080 in the DMZ. This works. But 
unfortunately UDP isn't stateful, so we had to define a new set of rules to 
allow the replies. What we did (or think we did) is allow UDP traffic from 
port 10080 from hosts in the DMZ to secure ports on the Amanda server. 
Strangely enough this sometimes works, but usually doesn't. The 
reply-packets sometimes disappear, sometimes generating an ICMP 
"destination unreachable", but sometimes not even that. Sometimes even the 
connections initiated by the Amanda server disappear, usually never 
generating ICMP messages. Whatever we try, we never get to the point where 
a TCP connection is set up (I keep referring to "we" as it's not me who 
administers the firewall).

I compiled Amanda myself, restricting the ports to use to 45000-45100. So I 
think it should be sufficient to punch a hole in the firewall that allows 
TCP traffic from server to client within that range.

I just hope some of you can tell me I'm wrong and I need to do something 
else/more... We use Linux machines here and a commercial firewall that 
doesn't do connection tracking, unfortunately.

While I'm at it, what's the reason why the Amanda developers chose UDP for 
the first stage? Is it only the overhead TCP causes?

Thanks in advance.

Hans
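As an added example (not part of the post or of Amanda itself), here is a small Python model of the stateless rule pairs described above: the UDP request and its reply, and the server-to-client TCP data connection in the 45000-45100 range with its ACK-only return path. Hostnames, the server's source ports and the reading of "secure port" as a privileged port (below 1024) are assumptions.

```python
# Constructed model of the stateless rule pairs a firewall without
# connection tracking needs for the Amanda traffic described above.
# Hostnames and port choices are assumptions, not from the post or Amanda.
from dataclasses import dataclass
from typing import Optional

TRUSTED = {"amanda-server"}          # assumed: the server in the trusted zone
DMZ = {"dmz-web", "dmz-mail"}        # assumed: the clients in the DMZ
AMANDA_UDP = 10080                   # amandad's UDP port, from the post
TCP_RANGE = range(45000, 45101)      # client data ports compiled in, from the post
PRIV_PORTS = range(1, 1024)          # "secure port": assumed to mean a privileged port

@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; stateless filters use it as "established"

def match_rule(p: Packet) -> Optional[str]:
    """Return the name of the first rule that permits p, or None (drop)."""
    # 1. Request: server, privileged source port -> client 10080/udp
    if p.proto == "udp" and p.src in TRUSTED and p.sport in PRIV_PORTS \
            and p.dst in DMZ and p.dport == AMANDA_UDP:
        return "udp-request"
    # 2. Reply: client 10080/udp -> the server's privileged source port
    if p.proto == "udp" and p.src in DMZ and p.sport == AMANDA_UDP \
            and p.dst in TRUSTED and p.dport in PRIV_PORTS:
        return "udp-reply"
    # 3. Data: server connects to a client port in the compiled-in TCP range
    if p.proto == "tcp" and p.src in TRUSTED and p.dst in DMZ \
            and p.dport in TCP_RANGE:
        return "tcp-data"
    # 4. Data replies: client range -> server, ACK set; a bare SYN from the
    #    DMZ (a connection the DMZ host initiates) does not match
    if p.proto == "tcp" and p.src in DMZ and p.sport in TCP_RANGE \
            and p.dst in TRUSTED and p.ack:
        return "tcp-data-reply"
    return None

def trace(flow) -> list:
    """Evaluate a whole exchange; the first dropped packet breaks it."""
    return [match_rule(p) for p in flow]

if __name__ == "__main__":
    flow = [Packet("udp", "amanda-server", 900, "dmz-web", 10080),
            Packet("udp", "dmz-web", 10080, "amanda-server", 900),
            Packet("tcp", "amanda-server", 33000, "dmz-web", 45010),
            Packet("tcp", "dmz-web", 45010, "amanda-server", 33000, ack=True)]
    for p, verdict in zip(flow, trace(flow)):
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}: {verdict or 'DROP'}")
```

Running it prints the verdict for each packet of one request/reply/data exchange; a reply from any client port other than 10080, or a DMZ-initiated SYN into the trusted zone, is dropped.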

