Amanda-Users

RE: What ports does Amanda use?

2003-11-05 02:01:56
Subject: RE: What ports does Amanda use?
From: "Dana Bourgeois" <em-lists AT netgods DOT us>
To: "'Jason Lavigne'" <jlavigne AT bwlogic DOT com>, <donald.ritchey AT exeloncorp DOT com>, <jlb17 AT duke DOT edu>
Date: Tue, 4 Nov 2003 22:58:46 -0800
OK, questions about a port through a firewall should be easily answered by
the logs.  What does the firewall log say about the connection attempts by
the host(s) in question?  Even my $300 Sonicwall can answer this question.


Dana Bourgeois


> -----Original Message-----
> From: owner-amanda-users AT amanda DOT org 
> [mailto:owner-amanda-users AT amanda DOT org] On Behalf Of Jason Lavigne
> Sent: Tuesday, November 04, 2003 3:11 PM
> To: donald.ritchey AT exeloncorp DOT com; jlb17 AT duke DOT edu
> Cc: amanda-users AT amanda DOT org
> Subject: RE: What ports does Amanda use?
> 
> 
> All servers are in my /28 block (the one in question is .27), 
> 
> Well my ipfilter rules say:
> 
> # amanda tape backup (tcp/udp:10080, 10082, 10083)(tcp:50000-500040,udp:890-899)
> pass out quick on dc1 proto tcp from any to 216.138.226.16/28 port = 10080 flags S keep state group 20
> pass out quick on dc1 proto tcp from any to 216.138.226.16/28 port = 10082 flags S keep state group 20
> pass out quick on dc1 proto tcp from any to 216.138.226.16/28 port = 10083 flags S keep state group 20
> pass out quick on dc1 proto udp from any to 216.138.226.16/28 port = 10080 keep state group 20
> pass out quick on dc1 proto udp from any to 216.138.226.16/28 port = 10082 keep state group 20
> pass out quick on dc1 proto udp from any to 216.138.226.16/28 port = 10083 keep state group 20
> pass out quick on dc1 proto tcp from any to 216.138.226.16/28 port 49999 >< 50041 flags S keep state group 20
> pass out quick on dc1 proto udp from any to 216.138.226.16/28 port 889 >< 900 keep state group 20
> 
> # amanda tape backup (tcp/udp:10080, 10082, 10083)(tcp:50000-500040,udp:890-899)
> pass in quick on dc1 proto tcp from 216.138.226.16/28 to any port = 10080 flags S keep state group 30
> pass in quick on dc1 proto tcp from 216.138.226.16/28 to any port = 10082 flags S keep state group 30
> pass in quick on dc1 proto tcp from 216.138.226.16/28 to any port = 10083 flags S keep state group 30
> pass in quick on dc1 proto udp from 216.138.226.16/28 to any port = 10080 keep state group 30
> pass in quick on dc1 proto udp from 216.138.226.16/28 to any port = 10082 keep state group 30
> pass in quick on dc1 proto udp from 216.138.226.16/28 to any port = 10083 keep state group 30
> pass in quick on dc1 proto tcp from 216.138.226.16/28 to any port 49999 >< 50041 flags S keep state group 30
> pass in quick on dc1 proto udp from 216.138.226.16/28 to any port 889 >< 900 keep state group 30
> 
> with the rules off, all 7 servers work, with the rules on all 
> but one work. I have installed a new client with the port 
> ranges set (as noted in the rules) and I am seeing the same 
> thing, here is the amstatus output:
> 
> samba# su amanda -c 'amstatus Daily'
> Using /var/amanda/Daily/logs/amdump from Tue Nov  4 18:02:29 EST 2003
> 
> cvs.bwlogic.com:/etc                     0    1150k estimate done
> cvs.bwlogic.com:/var/cvs                 0  180020k estimate done
> cvs.bwlogic.com:/var/log                 0    1430k estimate done
> dns1.bwlogic.com:/etc                               getting estimate
> dns1.bwlogic.com:/usr/local/vpopmail                getting estimate
> dns1.bwlogic.com:/usr/local/www                     getting estimate
> dns1.bwlogic.com:/var/log                           getting estimate
> dns2.bwlogic.com:/etc                    0    1190k estimate done
> dns2.bwlogic.com:/var/log                0   10220k estimate done
> fw.bwlogic.com:/etc                      0    1510k estimate done
> fw.bwlogic.com:/var/log                  0     230k estimate done
> mysql.bwlogic.com:/dbdata                0   25460k estimate done
> mysql.bwlogic.com:/etc                   0    1380k estimate done
> mysql.bwlogic.com:/var/log               0    4750k estimate done
> samba.bwlogic.com:/backup/bwlogic        0 4661460k estimate done
> samba.bwlogic.com:/backup/storage        0      40k estimate done
> samba.bwlogic.com:/db                    0      10k estimate done
> samba.bwlogic.com:/etc                   0    1160k estimate done
> samba.bwlogic.com:/var/log               0     470k estimate done
> samba.bwlogic.com:/web                   0  672810k estimate done
> www1.bwlogic.com:/etc                    0    1380k estimate done
> www1.bwlogic.com:/usr/local/www          0  411780k estimate done
> www1.bwlogic.com:/var/log                0     430k estimate done
> www2.bwlogic.com:/etc                    0    1380k estimate done
> www2.bwlogic.com:/usr/local/www          0  257680k estimate done
> www2.bwlogic.com:/var/log                0     930k estimate done
> 
> SUMMARY          part     real estimated
>                           size      size
> partition       :  26
> estimated       :  22            6236870k
> flush           :   0        0k
> failed          :   0                  0k           (  0.00%)
> wait for dumping:   0                  0k           (  0.00%)
> dumping to tape :   0                  0k           (  0.00%)
> dumping         :   0        0k        0k (  0.00%) (  0.00%)
> dumped          :   0        0k        0k (  0.00%) (  0.00%)
> wait for writing:   0        0k        0k (  0.00%) (  0.00%)
> wait to flush   :   0        0k        0k (100.00%) (  0.00%)
> writing to tape :   0        0k        0k (  0.00%) (  0.00%)
> failed to tape  :   0        0k        0k (  0.00%) (  0.00%)
> taped           :   0        0k        0k (  0.00%) (  0.00%)
> all dumpers active
> taper idle
> 
> dns1 stays at "getting estimate" for like 2 hours, then it 
> times out and the backup runs. This is so odd, the second odd 
> thing to happen with this server so rebuilding from scratch 
> might actually be an option.
> 
> Thanks for your time and reading my lengthy email, any help 
> you can provide would go to good use.
> 
> TIA
> 
> Jay
> 
> 
> 
> -----Original Message-----
> From: owner-amanda-users AT amanda DOT org 
> [mailto:owner-amanda-users AT amanda DOT org] On Behalf Of 
> donald.ritchey AT exeloncorp DOT com
> Sent: Tuesday, November 04, 2003 5:29 PM
> To: jlavigne AT bwlogic DOT com; jlb17 AT duke DOT edu
> Cc: amanda-users AT amanda DOT org
> Subject: RE: What ports does Amanda use?
> 
> Make sure you rebuild both client and server, since the 
> server is the one that initiates the connection to the 
> client.  Its choice of ports must match the ones that the 
> client expects to see.
> 
> In general, I have found that I must make sure that both ends 
> of an Amanda connection are configured consistently to have 
> successful connections.
> 
> You might want to set up a separate test configuration that 
> uses the version of Amanda with the port range options set.  
> This will allow you to verify that the selected port ranges 
> work for your firewall/server/client combination without 
> affecting your other servers (which are still working 
> correctly).  Once your experimentation is complete, then you 
> can merge the two configurations.
> 
> Another avenue of exploration:
> 
> Check to see that your firewall has all seven servers in the 
> same rule set (it sounds to me like the last server is being 
> treated differently, possibly because it is on a different 
> subnet, belongs to a different department, is in a different 
> risk class, etc.).  If the rules are different for the 
> seventh server, then a simple rule modification on the 
> firewall to permit Amanda connections may resolve the entire 
> issue without rebuilding Amanda.
> 
> Hopefully one or more of these suggestions helps.
> 
> Don
> 
> Donald L. (Don) Ritchey
> E-mail:  Donald.Ritchey AT exeloncorp DOT com
> 
> 
> -----Original Message-----
> From: Jason Lavigne [mailto:jlavigne AT bwlogic DOT com]
> Sent: Tuesday, November 04, 2003 3:34 PM
> To: 'Joshua Baker-LePain'
> Cc: amanda-users AT amanda DOT org
> Subject: RE: What ports does Amanda use?
> 
> 
> Should I be using 
> 
> ./configure --with-tcpportrange=50000,50040 --with-udpportrange=890,899
> 
> on the client, server or both?
> 
> I am still confused why 6 out of 7 servers in my DMZ (behind 
> a firewall) work as-is, it is just one server that is giving 
> me a headache. I know it is a firewall related issue cause if 
> I turn off the firewall the Amanda dump works fine on all 7 
> servers, but with it on one server fails to connect. I am 
> rebuilding the client first with the --with-tcp* and
> --with-udp* options to see if this works.
> 
> My Amanda server is on my private LAN connecting in to the DMZ.
> 
> Jay
> 
> 
> 
> 
> -----Original Message-----
> From: owner-amanda-users AT amanda DOT org 
> [mailto:owner-amanda-users AT amanda DOT org] On Behalf Of Joshua 
> Baker-LePain
> Sent: Tuesday, November 04, 2003 3:56 PM
> To: Jason Lavigne
> Cc: amanda-users AT amanda DOT org
> Subject: Re: What ports does Amanda use?
> 
> On Tue, 4 Nov 2003 at 1:47pm, Jason Lavigne wrote
> 
> > Is it just tcp 10080 - 10083?
> 
> Read docs/PORT.USAGE.  It's udp 10080 and any unprivileged tcp ports 
> (well, 3 at a time).
> 
> -- 
> Joshua Baker-LePain
> Department of Biomedical Engineering
> Duke University
> 
> 
> 
> 
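
Added example, not part of the original thread: one way to act on the advice to read the firewall log is to pull out the blocked packets for the one failing host and compare each destination port with the ports the posted rules pass. The ipmon-style line layout, the sample lines and the server address 192.0.2.10 are constructed assumptions; 216.138.226.27 is the ".27" host in the /28 block from the thread.

```python
import re

# (low, high) destination-port ranges the posted rules pass, per protocol.
ALLOWED = {
    "tcp": [(10080, 10080), (10082, 10083), (50000, 50040)],
    "udp": [(10080, 10080), (10082, 10083), (890, 899)],
}

# Assumed ipmon-style record:
#   time iface @group:rule action src,sport -> dst,dport PR proto ...
RECORD = re.compile(
    r"(?P<iface>\S+) @\d+:\d+ (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)"
)

# Constructed sample lines; 192.0.2.10 is a placeholder for the Amanda server.
SAMPLE = [
    "18:02:31.100000 dc1 @0:12 p 192.0.2.10,891 -> 216.138.226.27,10080 PR udp len 20 120 OUT",
    "18:02:35.200000 dc1 @0:40 b 216.138.226.27,10080 -> 192.0.2.10,1021 PR udp len 20 96 IN",
    "18:02:36.300000 dc1 @0:40 b 216.138.226.26,10080 -> 192.0.2.10,893 PR udp len 20 96 IN",
    "18:03:00.000000 dc1 @0:40 b 216.138.226.27,50012 -> 192.0.2.10,50020 PR tcp len 20 60 -S IN",
]


def port_allowed(proto, port):
    """True if the posted rules name this destination port for this protocol."""
    return any(lo <= port <= hi for lo, hi in ALLOWED.get(proto, []))


def blocked_for_host(lines, host):
    """Return (src, dst, proto, dport, covered) for blocked packets to or from host."""
    findings = []
    for line in lines:
        m = RECORD.search(line)
        if not m or m["action"] != "b":
            continue  # unparsable line, or a passed packet
        if host not in (m["src"], m["dst"]):
            continue  # some other machine in the block
        dport = int(m["dport"])
        findings.append((m["src"], m["dst"], m["proto"], dport,
                         port_allowed(m["proto"], dport)))
    return findings


if __name__ == "__main__":
    for src, dst, proto, dport, covered in blocked_for_host(SAMPLE, "216.138.226.27"):
        note = "port is in the rules, check rule group/order" if covered else "port not in the rules"
        print(f"blocked {proto} {src} -> {dst}:{dport} ({note})")
```

A blocked packet whose port is not covered shows which port the rules are missing; one whose port is covered points at the rule set, group or interface not matching that host.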

