Amanda-Users

RE: Amanda vs firewall

2004-03-22 14:20:51
Subject: RE: Amanda vs firewall
From: donald.ritchey AT exeloncorp DOT com
To: hzi AT syncera DOT nl
Date: Mon, 22 Mar 2004 13:15:55 -0600
Hans:

Did you also allow a range of UDP ports for Amanda to use?  There is a 
configuration parameter (--udpportrange=xxx,yyy) that specifies the set 
of UDP ports for Amanda to use.  We chose the range of 890-899, as we 
had nothing else specified to run in that range of ports.  The firewall 
is set to allow connections from the DMZ clients to the Amanda server 
and also in the reverse direction.  How this is set up will depend on 
your firewall.  

All of this setup was about a year ago, so I forget some of the details 
of the use for these ports, but Amanda was happily backing up systems 
through those ports until we retired the system that needed the connection.

Questions?

Donald L. (Don) Ritchey
E-mail:  Donald.Ritchey AT exeloncorp DOT com


-----Original Message-----
From: Hans van Zijst [mailto:hzi AT syncera DOT nl]
Sent: Monday, March 22, 2004 11:26 AM
To: amanda-users AT amanda DOT org
Subject: Amanda vs firewall


I need some help configuring Amanda to back up a couple of hosts in our DMZ. 
Been trying to get it to work for quite some time, but it just won't work. 
Hosts in the trusted zone go like a charm, but no success on the DMZ hosts 
so far. For some reason our firewall doesn't seem to like Amanda, which 
could partially be attributed to the fact that it doesn't do stateful 
inspection. I realize this question is not a hardcore Amanda thing, but 
hopefully some of you can give me some hints anyway.

We configured the firewall to allow UDP traffic from a secure port on our 
Amanda server in the trusted zone to port 10080 in the DMZ. This works. But 
unfortunately UDP isn't stateful, so we had to define a new set of rules to 
allow the replies. What we did (or think we did) is allow UDP traffic from 
port 10080 from hosts in the DMZ to secure ports on the Amanda server. 
Strangely enough this sometimes works, but usually doesn't. The 
reply-packets sometimes disappear, sometimes generating an ICMP 
"destination unreachable", but sometimes not even that. Sometimes even the 
connections initiated by the Amanda server disappear, usually never 
generating ICMP messages. Whatever we try, we never get to the point where 
a TCP connection is set up (I keep referring to "we" as it's not me who 
administers the firewall).

I compiled Amanda myself, restricting the ports to use to 45000-45100. So I 
think it should be sufficient to punch a hole in the firewall that allows 
TCP traffic from server to client within that range.

I just hope some of you can tell me I'm wrong and I need to do something 
else/more... We use Linux machines here and a commercial firewall that 
doesn't do connection tracking, unfortunately.

While I'm at it, what's the reason why the Amanda developers chose UDP for 
the first stage? Is it only the overhead TCP causes?

Thanks in advance.

Hans




