Amanda-Users

Re: Estimate timeout

2004-06-10 07:43:15
Subject: Re: Estimate timeout
From: Paul Bijnens <paul.bijnens AT xplanation DOT com>
To: Joshua Baker-LePain <jlb17 AT duke DOT edu>
Date: Thu, 10 Jun 2004 13:40:14 +0200
Joshua Baker-LePain wrote:

On Thu, 10 Jun 2004 at 9:31am, Paul Bijnens wrote

Steven Schoch wrote:

Now we're getting somewhere.  The tcpdump shows this:

15:01:56.739818 homer > marge: icmp: host homer unreachable - admin prohibited [tos 0xc0]

My guess is that ICMP message is something to do with a firewall.


"admin prohibited" is definitely a result of iptables filtering.
Have a close look in homer.  Execute "iptables -L".

Maybe the solution is loading the amanda iptables module,
if that is available on the machine.


I'd be interested to see if that fixes it. My amanda server which runs the nightlies of the (small) home partitions has been at RH9 for a while, and has this as the only rule it needed to get amdump working:

# If we've an established session, well, okay
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

I recently moved my other amanda server (which backs up my 4.5TB of RAID space) to RH9. The first few nights, most of the clients were failing with estimate timeouts. But when I tested during the day (with small partitions), everything worked. I finally decided that the estimates on the big partitions were taking long enough that the above rule was timing out. I couldn't afford another night of the backups failing, so I didn't try loading the amanda module -- I just added rules to allow incoming UDP traffic on privileged ports from the clients.


I have been thinking about this problem, and, without any real testing
to back up my hypothesis, I believe the problem lies in the default
timeout in iptables for UDP traffic, as you decided too.

For TCP traffic, once a packet is replied to, the timeout becomes very
large (5 days or so I believe).  But for UDP, which is a connectionless
protocol, the timeout is 180 seconds (I believe).
After this timeout the connection tracking drops the rule.

In my config, the estimates of the clients in the DMZ all take less than
2 minutes.  And this works fine.

That means that the real solution is to compile amanda with a dedicated
udp range, and add that range to the firewall iptables.

--
Paul Bijnens, Xplanation                            Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/          email:  Paul.Bijnens AT xplanation DOT com
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit,  ZZ, :q, :q!,  M-Z, ^X^C,  logoff, logout, close, bye,  /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* kill -9 1,  Alt-F4,  Ctrl-Alt-Del,  AltGr-NumLock,  Stop-A,  ...    *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************
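
A simplified model of the failure discussed in this message, added here as an illustration; it is not code from the thread, from Amanda or from netfilter. It assumes the 180-second UDP tracking timeout quoted above and a request/ACK/reply exchange with the client on UDP port 10080; the server port 850 and the range 840-860 are constructed values.

```python
from dataclasses import dataclass, field

UDP_TIMEOUT = 180  # seconds; the figure quoted in the message (assumption)


@dataclass
class Firewall:
    """Toy stateful filter on the Amanda server's INPUT chain."""
    udp_timeout: int = UDP_TIMEOUT
    static_udp_ports: range = range(0)         # ports opened by an explicit rule
    flows: dict = field(default_factory=dict)  # tracked flow -> expiry time

    def outbound(self, now, local_port, peer, peer_port):
        """Server sends a datagram: create or refresh the tracked flow."""
        self.flows[(local_port, peer, peer_port)] = now + self.udp_timeout

    def inbound(self, now, local_port, peer, peer_port):
        """Return True if a datagram from the client is accepted."""
        key = (local_port, peer, peer_port)
        if self.flows.get(key, -1) > now:           # matches --state ESTABLISHED
            self.flows[key] = now + self.udp_timeout
            return True
        self.flows.pop(key, None)                   # tracking entry has expired
        return local_port in self.static_udp_ports  # fall back to static rule


def estimate_arrives(fw, estimate_seconds, server_port=850, client="client1"):
    """Server sends the request, client ACKs at once, then replies
    when its estimate is finished. True if that reply gets through."""
    fw.outbound(0, server_port, client, 10080)         # estimate request
    ack = fw.inbound(1, server_port, client, 10080)    # immediate ACK
    return ack and fw.inbound(1 + estimate_seconds, server_port, client, 10080)


if __name__ == "__main__":
    print("estimate(s)  state-rule-only  with-port-range")
    for secs in (60, 179, 180, 600):
        state_only = estimate_arrives(Firewall(), secs)
        with_range = estimate_arrives(
            Firewall(static_udp_ports=range(840, 861)), secs)
        print(f"{secs:>11}  {state_only!s:>15}  {with_range!s:>15}")
```

Short estimates pass on the state rule alone, which matches the daytime tests with small partitions; only the explicit port-range rule accepts a reply that arrives after the tracking entry has expired.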


