Amanda-Users

Re: Client in DMZ - Howto revisited

2004-06-05 21:16:19
Subject: Re: Client in DMZ - Howto revisited
From: Frank Smith <fsmith AT hoovers DOT com>
To: John Bossert <jbossert AT affidian DOT com>
Date: Sat, 05 Jun 2004 20:13:31 -0500
--On Saturday, June 05, 2004 17:13:34 -0700 John Bossert <jbossert AT affidian 
DOT com> wrote:

> Thanks for the note, Jon.
> 
> I am looking for specifics from someone who's done this, with specifics for 
> --with-udpportrange, and --with-portrange (and --with-tcpportrange if 
> necessary.)  Also, if this necessitates a corresponding change in 
> /etc/services?
> 
> If I add "--with-tcpportrange=850,859" or "--with-portrange=850-859", 
> configure complains with:
> 
> configure: WARNING: *** the TCP port range should be 1024 or greater in 
> --with-tcpportrange
> 
> So, does this imply that one (or both) of these parameters need to be set to 
> a non-privileged range and (at least) TWO separate ranges opened on the 
> firewall?

I'm using Amanda to back up some servers through a firewall.  I configured
Amanda with --with-tcpportrange=40000,40030 --with-udpportrange=920,940.
Nothing magic about those ports, they just didn't seem likely to be in
use here.  The tcp ports need to be > 1024 and the udp ports < 1024.
Somewhere in docs/PORT.USAGE it has some guidelines on how big the range
needs to be based on the number of clients backed up in parallel.
My firewall rules allow those ports between the clients and server, and also
allow udp 10080.

/etc/services needs to remain as-is.

If your firewall is running netfilter (iptables) on a recent Linux kernel
you can just compile it with Amanda support and not have to worry about
compiling Amanda with special portranges.

Watching the firewall logs while attempting a backup should show you
if there's a firewall problem, although I realize that if it's not
under your control it can be difficult to get access to the logs.

Frank
 

> 
> Thanks,
> 
> Jon LaBadie wrote:
> 
>> On Sat, Jun 05, 2004 at 11:21:43AM -0700, John Bossert wrote:
>> 
>>> Gentlemen (and Ladies,) I'm confused.
>>> 
>>> After perusing the list archives, Googling, etc., I'm still not clear on 
>>> what's necessary to establish a backup across a firewall and/or to 
>>> debug the process.
>>> 
>>> My firewall presently allow unfiltered egress from the Trusted segment 
>>> (where the server lives) to the DMZ (where the subject client lives.) 
>>> The literature suggests (to me) that the only communication initiated by 
>>> the client is UDP and can be controlled with (from my .configure):
>>> 
>>> --with-udpportrange=850,859
>> 
>> 
>> 
>> i've never done this and am unsure of my answer,
>> so i'm mailing off-list.
>> 
>> amanda needs some ports available for the initial contact.
>> these need to be in the special range below 1024 and i think
>> they need to be udp.
>> 
>> this part you have done.
>> (note, it must be on client and server i think)
>> 
>> but after the initial contact and authentication,
>> amanda also needs tcp ports in the non-special range.
>> that is where the backup travels.
>> so you will have to also open up those firewall ports
>> and configure with them.
>> 
> 
> -- 
> John BOSSERT
> Affidian Corporation
> jbossert AT affidian DOT com
> office: 206.388.0219
> 
> Theory is when you know everything and nothing works.
> Practice is when everything works and no one knows why.
> Here, we have united theory and practice: Nothing works... and no one
> knows why!
> [Einstein]
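The rules Frank describes (a tcp range above 1024, a udp range below 1024, plus udp 10080 between server and client), as an added example that is not part of the thread and not the Amanda project's own code. It prints iptables rules for review rather than applying them. The addresses 10.0.0.5 (server) and 192.0.2.10 (DMZ client) are made up, the FORWARD chain assumes the firewall is a separate box, and the connection directions (server opens udp to amandad on client port 10080 from a source port in the udp range; server connects tcp into the client's tcp range) are my reading of docs/PORT.USAGE for Amanda 2.4, not something the thread itself states. The range check mirrors the warning configure printed in the quoted message.

```shell
#!/bin/sh
# Added example (not from the original thread or the Amanda project).
# Emits iptables rules letting an Amanda 2.4 server back up a client
# in a DMZ, given the port ranges Amanda was configured with.
# Assumptions (mine, from docs/PORT.USAGE): server -> client UDP with a
# source port in the udp range and destination 10080 (amandad);
# server -> client TCP into the tcp range (sendbackup's listeners).
# Replies ride on connection tracking.  Nothing is applied here; the
# rules are printed so they can be read first and then piped to sh.

# Same sanity check configure does: tcp range unprivileged, udp range
# below 1024, both with low <= high.  Returns 1 on a bad range.
check_ranges() {  # tcp_lo tcp_hi udp_lo udp_hi
    tcp_lo=$1; tcp_hi=$2; udp_lo=$3; udp_hi=$4
    if [ "$tcp_lo" -lt 1024 ] || [ "$tcp_hi" -lt "$tcp_lo" ] || [ "$tcp_hi" -gt 65535 ]; then
        echo "tcp range must be 1024..65535 with low <= high" >&2
        return 1
    fi
    if [ "$udp_lo" -lt 1 ] || [ "$udp_hi" -lt "$udp_lo" ] || [ "$udp_hi" -ge 1024 ]; then
        echo "udp range must be below 1024 with low <= high" >&2
        return 1
    fi
    return 0
}

# Print the rules for one server/client pair (hypothetical addresses in
# the usage call below).  The FORWARD chain assumes a separate firewall
# host; use INPUT/OUTPUT instead if the firewall runs on the client.
amanda_fw_rules() {  # server_ip client_ip tcp_lo tcp_hi udp_lo udp_hi
    server=$1; client=$2; tcp_lo=$3; tcp_hi=$4; udp_lo=$5; udp_hi=$6
    check_ranges "$tcp_lo" "$tcp_hi" "$udp_lo" "$udp_hi" || return 1
    cat <<EOF
# Amanda server $server -> DMZ client $client
# 1. initial contact: server's reserved udp port -> amandad (udp 10080)
iptables -A FORWARD -p udp -s $server --sport $udp_lo:$udp_hi -d $client --dport 10080 -j ACCEPT
# 2. dump traffic: server connects to sendbackup's tcp listeners on the client
iptables -A FORWARD -p tcp --syn -s $server -d $client --dport $tcp_lo:$tcp_hi -j ACCEPT
# 3. replies in both directions for the flows above
iptables -A FORWARD -s $client -d $server -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $server -d $client -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage: ranges from Frank's configure line, made-up addresses.
# amanda_fw_rules 10.0.0.5 192.0.2.10 40000 40030 920 940
# amanda_fw_rules 10.0.0.5 192.0.2.10 40000 40030 920 940 | sh   # on the firewall
```

Run it with the ranges from the original message's configure line and the 850,859 range John tried: the first passes and prints four rules, the second fails the same check configure complained about. The netfilter shortcut Frank mentions is the kernel's Amanda connection-tracking helper (ip_conntrack_amanda on kernels of that era, nf_conntrack_amanda later); with it loaded, rule 1 plus the ESTABLISHED,RELATED rules are enough, because the helper marks the tcp data connections as RELATED.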