Amanda-Users

Re: Still hoping for answer for amanda port usage

From: KEVIN ZEMBOWER <KZEMBOWE AT jhuccp DOT org>
To: amanda-users AT amanda DOT org
Date: Thu, 16 Sep 2004 09:59:46 -0400
Hi, Frank, thanks for your work and efforts to help me with my problem. Please 
see my remarks, preceded by "***" (stupid GroupWise email client won't quote 
correctly), below. -Kevin

>>> Frank Smith <fsmith AT hoovers DOT com> 09/15/04 07:34PM >>>
--On Wednesday, September 15, 2004 15:28:21 -0400 KEVIN ZEMBOWER <KZEMBOWE AT 
jhuccp DOT org> wrote:

> The discussion's petered out on my request for which ports to ask the 
> firewall administrator to open to allow amanda to work through our firewall, 
> but I'm still hoping for an answer, as I still can't come up with one myself. 
> There was one comment that
> ports 10080-10083 are fixed, no matter what --with-???portrange switches are 
> used. Is this fact or fiction?

I think fact. Those are the ones listed in /etc/services.

*** I thought that these were set up in /etc/services based on the settings 
--with-portrange, --with-tcpportrange and --with-udpportrange, or if they're 
fixed and unchangeable. There's no 'amanda' listing in the assigned numbers in 
RFC 1700 (http://www.faqs.org/rfcs/rfc1700.html).
 
> In the spirit of re-phrasing the question, can anyone help me complete the 
> following sentence to my firewall administrator:
> Please open port numbers ____ through ____ for [UDP|TCP|both] packets 
> [from|to] my tapehost (inside fw) [to|from] my client(s).
> 
> That sentence may have to be completed more than once for each different 
> range, protocol or direction.

Usually, when discussion dies down without a clear answer it means nobody is
really sure of the exact answer, although I think someone gave you a very
good description of the backup process port usage.

***Yes, I really appreciate Michael taking the time to try to explain that to 
me. Unfortunately, I didn't understand it completely and had some follow-up 
questions, which went unanswered. My next attempt will be to look into the 
files John Jackson mentions in the port usage document, and see if I can figure 
out from the source code what ports are used. I've been putting this off, as I 
don't know C, but it's looking like this is the only way to answer the 
questions I have. Whatever I learn, I'll post back here.

I've got firewall rules that work (for me), but they may be allowing more
than absolutely necessary (i.e., some ports open bidirectionally when they
only need to be open one direction with the 'established allow' rule
covering the response packets).

In the interest of science (and my own curiosity) I've set up a packet capture
on one of my VPN boxes to log network traffic between one of my tape servers
and a remote client tonight.  Since the two servers don't normally talk with
each other except for the backup, tomorrow I should be able to see the exact
sequence of events, and since that client is a very small backup (/etc and
/var/spool/cron/crontabs) it shouldn't be a huge mass to wade through.

I'll let you know tomorrow what I discover.

*** Thank you so much for offering to do this. I'm anxious to learn what you 
find out.

Frank

> 
> Thanks, again, for any help.
> 
> -Kevin
> 
> -----
> E. Kevin Zembower
> Internet Systems Group manager
> Johns Hopkins University
> Bloomberg School of Public Health
> Center for Communications Programs
> 111 Market Place, Suite 310
> Baltimore, MD  21202
> 410-659-6139
> 

-- 
Frank Smith                                      fsmith AT hoovers DOT com 
Sr. Systems Administrator                       Voice: 512-374-4673
Hoover's Online                                   Fax: 512-374-4501
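Frank's packet-capture approach above, as an added example that is not from this thread: a Python script that reads tcpdump-style one-line summaries of traffic between the tapehost and the client, keeps only the flow-initiating packets (since an 'established allow' rule covers the replies), and groups destination ports by protocol and direction so they can be dropped into Kevin's fill-in-the-blank sentence. The sample lines, addresses and ports are constructed, and their directions are assumptions for illustration, not a description of Amanda's actual exchange.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style summary lines (not a real capture); addresses are
# documentation ranges: tapehost 192.0.2.10 (inside), client 198.51.100.20.
SAMPLE_CAPTURE = """\
10:01:00.000001 IP 192.0.2.10.32768 > 198.51.100.20.10080: UDP, length 120
10:01:00.000900 IP 198.51.100.20.10080 > 192.0.2.10.32768: UDP, length 64
10:01:01.000002 IP 198.51.100.20.33001 > 192.0.2.10.50000: Flags [S], seq 1, win 5840, length 0
10:01:01.000500 IP 192.0.2.10.50000 > 198.51.100.20.33001: Flags [S.], seq 2, ack 2, win 5792, length 0
10:01:01.001000 IP 198.51.100.20.33002 > 192.0.2.10.50001: Flags [S], seq 3, win 5840, length 0
"""
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)")

def summarize_flows(capture, tapehost, client):
    # Returns {(proto, direction, dst_port)} for flow-initiating packets only:
    # TCP counts the first SYN ([S], not the [S.] reply); UDP counts a datagram
    # unless the reverse 4-tuple was already seen, i.e. it is a reply.
    flows, seen_udp = set(), set()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        if rest.startswith("UDP"):
            if (dst, dport, src, sport) in seen_udp:
                continue  # reply; the stateful 'established' rule covers it
            seen_udp.add((src, sport, dst, dport))
            proto = "UDP"
        elif "Flags [S]" in rest:
            proto = "TCP"
        else:
            continue  # data, ACKs, SYN/ACKs: covered by the established rule
        if (src, dst) == (tapehost, client):
            direction = "tapehost->client"
        elif (src, dst) == (client, tapehost):
            direction = "client->tapehost"
        else:
            continue  # traffic with some other host; not part of this backup
        flows.add((proto, direction, int(dport)))
    return flows

def firewall_requests(flows):
    # One "open ports ___ for PROTO from X to Y" request per (proto, direction),
    # with the sorted destination ports that were actually opened on the wire.
    by_key = defaultdict(list)
    for proto, direction, port in flows:
        by_key[(proto, direction)].append(port)
    return {k: sorted(v) for k, v in by_key.items()}
```

Run it over a real `tcpdump -nn` text dump between the two hosts to replace the constructed sample; non-contiguous ports mean more than one sentence for that protocol and direction.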