Amanda-Users

Re: Amanda vs firewall

2004-03-22 13:00:28
Subject: Re: Amanda vs firewall
From: Frank Smith <fsmith AT hoovers DOT com>
To: Hans van Zijst <hzi AT syncera DOT nl>, amanda-users AT amanda DOT org
Date: Mon, 22 Mar 2004 11:56:12 -0600
--On Monday, March 22, 2004 18:26:08 +0100 Hans van Zijst <hzi AT syncera DOT nl> wrote:

> I need some help configuring Amanda to back up a couple of hosts in our DMZ. 
> Been trying to get it to work for quite some time, but it just won't work. 
> Hosts in the trusted zone go like a charm, but no success on the DMZ hosts 
> so far. For some reason our firewall doesn't seem to like Amanda, which 
> could partially be attributed to the fact that it doesn't do stateful 
> inspection. I realize this question is not a hardcore Amanda thing, but 
> hopefully some of you can give me some hints anyway.
> 
> We configured the firewall to allow UDP traffic from a secure port on our 
> Amanda server in the trusted zone to port 10080 in the DMZ. This works. But 
> unfortunately UDP isn't stateful, so we had to define a new set of rules to 
> allow the replies. What we did (or think we did) is allow UDP traffic from 
> port 10080 from hosts in the DMZ to secure ports on the Amanda server. 
> Strangely enough this sometimes works, but usually doesn't. The 
> reply-packets sometimes disappear, sometimes generating an ICMP 
> "destination unreachable", but sometimes not even that. Sometimes even the 
> connections initiated by the Amanda server disappear, usually never 
> generating ICMP messages. Whatever we try, we never get to the point where 
> a TCP connection is set up (I keep referring to "we" as it's not me who 
> administers the firewall).
> 
> I compiled Amanda myself, restricting the ports to use to 45000-45100. So I 
> think it should be sufficient to punch a hole in the firewall that allows 
> TCP traffic from server to client within that range.

Besides the --with-tcpportrange= option, you probably need the
--with-udpportrange= option as well, and open those udp ports on the
firewall.  See PORTS.USAGE in the docs directory.

Frank

> 
> I just hope some of you can tell me I'm wrong and I need to do something 
> else/more... We use Linux machines here and a commercial firewall that 
> doesn't do connection tracking, unfortunately.
> 
> While I'm at it, what's the reason why the Amanda developers chose UDP for 
> the first stage? Is it only the overhead TCP causes?
> 
> Thanks in advance.
> 
> Hans
> 



-- 
Frank Smith                                      fsmith AT hoovers DOT com
Sr. Systems Administrator                       Voice: 512-374-4673
Hoover's Online                                   Fax: 512-374-4501
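As an added illustration (not code from this thread or from the Amanda project), here is a small model of a default-deny filter without connection tracking, checked against the exchange Hans describes: a UDP request to port 10080, its UDP reply, then a TCP connection from server to client inside the 45000-45100 range he compiled in. The host addresses, the UDP range 850-854 standing in for a --with-udpportrange build, the server's TCP source port and the packet order are constructed assumptions.

```python
from dataclasses import dataclass

AMANDA_UDP = 10080               # amandad's UDP port, as in the thread
TCP_RANGE = (45000, 45100)       # Hans's --with-tcpportrange build
UDP_RANGE = (850, 854)           # assumed --with-udpportrange (constructed)
SERVER, CLIENT = "10.0.1.5", "192.0.2.10"   # constructed addresses

@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    sports: tuple          # inclusive source-port range
    dst: str
    dports: tuple          # inclusive destination-port range
    ack_only: bool = False # for filters that can match "ACK set" without state

def matches(rule, proto, src, sport, dst, dport, ack):
    return (rule.proto == proto and rule.src == src and rule.dst == dst
            and rule.sports[0] <= sport <= rule.sports[1]
            and rule.dports[0] <= dport <= rule.dports[1]
            and (ack or not rule.ack_only))

def permitted(rules, pkt):
    """Default deny, no connection tracking: each direction needs its own rule."""
    return any(matches(r, *pkt) for r in rules)

def amanda_rules(server, client, udp_range, tcp_range):
    """Rule set a stateless filter needs for one server/client pair."""
    any_port = (1, 65535)   # assumption: server TCP source port is not pinned
    return [
        Rule("udp", server, udp_range, client, (AMANDA_UDP, AMANDA_UDP)),  # request
        Rule("udp", client, (AMANDA_UDP, AMANDA_UDP), server, udp_range),  # reply
        Rule("tcp", server, any_port, client, tcp_range),                  # data SYN
        Rule("tcp", client, tcp_range, server, any_port, ack_only=True),   # returns
    ]

def amanda_exchange(server, client, udp_sport, tcp_dport, tcp_sport=40000):
    """Packets of one dump in order (constructed from the thread's description)."""
    return [
        ("udp", server, udp_sport, client, AMANDA_UDP, False),  # server -> amandad
        ("udp", client, AMANDA_UDP, server, udp_sport, False),  # amandad reply
        ("tcp", server, tcp_sport, client, tcp_dport, False),   # SYN to data port
        ("tcp", client, tcp_dport, server, tcp_sport, True),    # SYN/ACK back
    ]

def first_dropped(rules, packets):
    """Index of the first packet the filter would drop, or None if all pass."""
    for i, pkt in enumerate(packets):
        if not permitted(rules, pkt):
            return i
    return None
```

Dropping the reply rule or the TCP return rule reproduces the symptom of the request leaving and nothing coming back; a source port outside the compiled-in ranges is refused by the first rule it meets.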

