Amanda-Users

Re: Firewall, amanda client and ports

2007-07-18 10:56:31
Subject: Re: Firewall, amanda client and ports
From: Jean-Louis Martineau <martineau AT zmanda DOT com>
To: Marc Muehlfeld <Marc.Muehlfeld AT medizinische-genetik DOT de>
Date: Wed, 18 Jul 2007 10:51:21 -0400
Since you are using amanda-2.5.2p1, I suggest you use the bsdtcp auth.
It will require no firewall rules.
Ports 10082 and 10083 are not used in 2.5.2 and above; your server needs them only if you have older clients (amrecover).

To use bsdtcp auth:
 - change your dumptype to have: auth "bsdtcp"
 - change your amanda xinetd configuration:
       socket_type             = stream
       protocol                = tcp
       wait                    = no
       server_args             = -auth=bsdtcp amdump amindexd amidxtaped

Jean-Louis
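
As an added example (not from the list thread or the Amanda project), a small checker for the xinetd change described above: it parses a `service amanda { ... }` entry and reports any attribute that does not match the bsdtcp settings listed. The two sample entries are constructed, and the amandad path in them is an assumption.

```python
"""Check an xinetd 'amanda' entry against the bsdtcp settings listed above."""
import re

# Attribute values a bsdtcp-auth amanda service must carry (from the message).
EXPECTED = {"socket_type": "stream", "protocol": "tcp", "wait": "no"}

# Constructed sample entries; /usr/libexec/amanda/amandad is an assumed path.
LEGACY_UDP = """service amanda
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = amanda
    server      = /usr/libexec/amanda/amandad
    server_args = -auth=bsd amdump
}
"""
BSDTCP = LEGACY_UDP.replace("dgram", "stream").replace("udp", "tcp") \
    .replace("wait        = yes", "wait        = no") \
    .replace("-auth=bsd amdump", "-auth=bsdtcp amdump amindexd amidxtaped")

ATTR_RE = re.compile(r"^\s*(\w+)\s*\+?=\s*(.*?)\s*$")  # also accepts 'key += v'

def parse_xinetd_service(text, name="amanda"):
    """Return the attribute dict of 'service <name> { ... }', or None if absent."""
    m = re.search(r"service\s+" + re.escape(name) + r"\s*\{(.*?)\}", text, re.S)
    if not m:
        return None
    attrs = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0]          # drop trailing xinetd comments
        am = ATTR_RE.match(line)
        if am:
            attrs[am.group(1)] = am.group(2)
    return attrs

def check_bsdtcp(attrs):
    """Return a list of problems; an empty list means the entry is bsdtcp-ready."""
    problems = []
    for key, want in EXPECTED.items():
        got = attrs.get(key)
        if got != want:
            problems.append("%s is %r, expected %r" % (key, got, want))
    if "-auth=bsdtcp" not in attrs.get("server_args", "").split():
        problems.append("server_args lacks -auth=bsdtcp")
    if attrs.get("disable", "no") == "yes":  # xinetd's default is disable = no
        problems.append("service is disabled")
    return problems

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_UDP), ("bsdtcp", BSDTCP)):
        print(label, check_bsdtcp(parse_xinetd_service(cfg)) or "ok")
```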

Marc Muehlfeld wrote:
Hi,

Charles Stroom schrieb:
> amcheck reports no problem.

amcheck doesn't use the full source/destination portrange like amdump.

> On the client, I have opened TCP/UDP port 10080, and TCP
> ports 10082 and 10083, because I seem to have seen something like that
> when googling.

You need only 10080 on the client. 10082 (amandaidx) and 10083 (amidxtape) are on your index/tape server.

But the server also connects to different ports. You can restrict this for a tighter firewall configuration by setting --with-portrange and --with-udpportrange at configure time. I used

./configure ..... --with-portrange=50000,50150 --with-udpportrange=850,900

And on an iptables-protected machine you have to set it like this:

$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
   --source $BAKSERV --destination $LAN_IP --protocol udp --sport 850:900 \
   --dport 10080 --jump ACCEPT

$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
   --source $BAKSERV --destination $LAN_IP --protocol tcp --syn \
   --sport 50000:50150 --dport $PORTS_UNPRIV --jump ACCEPT

$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
   --source $BAKSERV --destination $LAN_IP --protocol tcp --syn \
   --sport $PORTS_UNPRIV --dport 50000:50150 --jump ACCEPT

Just replace the variables with your settings/variables.

A different way is to use the specific netfilter modules for handling amanda's connections (ip_conntrack_amanda, ip_nat_amanda).

Regards
Marc