OK, questions about a port through a firewall should be easily answered by
the logs. What does the firewall log say about the connection attempts by
the host(s) in question? Even my $300 Sonicwall can answer this question.
Dana Bourgeois
> -----Original Message-----
> From: owner-amanda-users AT amanda DOT org
> [mailto:owner-amanda-users AT amanda DOT org] On Behalf Of Jason Lavigne
> Sent: Tuesday, November 04, 2003 3:11 PM
> To: donald.ritchey AT exeloncorp DOT com; jlb17 AT duke DOT edu
> Cc: amanda-users AT amanda DOT org
> Subject: RE: What ports does Amanda use?
>
>
> All servers are in my /28 block (the one in question is .27),
>
> Well my ipfilter rules say:
>
> # amanda tape backup (tcp/udp:10080, 10082, 10083)(tcp:50000-500040,udp:890-899)
> pass out quick on dc1 proto tcp from any to 216.138.226.16/28 port = 10080 flags S keep state group 20
> pass out quick on dc1 proto tcp from any to 216.138.226.16/28 port = 10082 flags S keep state group 20
> pass out quick on dc1 proto tcp from any to 216.138.226.16/28 port = 10083 flags S keep state group 20
> pass out quick on dc1 proto udp from any to 216.138.226.16/28 port = 10080 keep state group 20
> pass out quick on dc1 proto udp from any to 216.138.226.16/28 port = 10082 keep state group 20
> pass out quick on dc1 proto udp from any to 216.138.226.16/28 port = 10083 keep state group 20
> pass out quick on dc1 proto tcp from any to 216.138.226.16/28 port 49999 >< 50041 flags S keep state group 20
> pass out quick on dc1 proto udp from any to 216.138.226.16/28 port 889 >< 900 keep state group 20
>
> # amanda tape backup (tcp/udp:10080, 10082, 10083)(tcp:50000-500040,udp:890-899)
> pass in quick on dc1 proto tcp from 216.138.226.16/28 to any port = 10080 flags S keep state group 30
> pass in quick on dc1 proto tcp from 216.138.226.16/28 to any port = 10082 flags S keep state group 30
> pass in quick on dc1 proto tcp from 216.138.226.16/28 to any port = 10083 flags S keep state group 30
> pass in quick on dc1 proto udp from 216.138.226.16/28 to any port = 10080 keep state group 30
> pass in quick on dc1 proto udp from 216.138.226.16/28 to any port = 10082 keep state group 30
> pass in quick on dc1 proto udp from 216.138.226.16/28 to any port = 10083 keep state group 30
> pass in quick on dc1 proto tcp from 216.138.226.16/28 to any port 49999 >< 50041 flags S keep state group 30
> pass in quick on dc1 proto udp from 216.138.226.16/28 to any port 889 >< 900 keep state group 30
>
> with the rules off, all 7 servers work, with the rules on all
> but one work. I have installed a new client with the port
> ranges set (as noted in the rules) and I am seeing the same
> thing, here is the amstats
> output:
>
> samba# su amanda -c 'amstatus Daily'
> Using /var/amanda/Daily/logs/amdump from Tue Nov 4 18:02:29 EST 2003
>
> cvs.bwlogic.com:/etc 0 1150k estimate done
> cvs.bwlogic.com:/var/cvs 0 180020k estimate done
> cvs.bwlogic.com:/var/log 0 1430k estimate done
> dns1.bwlogic.com:/etc getting estimate
> dns1.bwlogic.com:/usr/local/vpopmail getting estimate
> dns1.bwlogic.com:/usr/local/www getting estimate
> dns1.bwlogic.com:/var/log getting estimate
> dns2.bwlogic.com:/etc 0 1190k estimate done
> dns2.bwlogic.com:/var/log 0 10220k estimate done
> fw.bwlogic.com:/etc 0 1510k estimate done
> fw.bwlogic.com:/var/log 0 230k estimate done
> mysql.bwlogic.com:/dbdata 0 25460k estimate done
> mysql.bwlogic.com:/etc 0 1380k estimate done
> mysql.bwlogic.com:/var/log 0 4750k estimate done
> samba.bwlogic.com:/backup/bwlogic 0 4661460k estimate done
> samba.bwlogic.com:/backup/storage 0 40k estimate done
> samba.bwlogic.com:/db 0 10k estimate done
> samba.bwlogic.com:/etc 0 1160k estimate done
> samba.bwlogic.com:/var/log 0 470k estimate done
> samba.bwlogic.com:/web 0 672810k estimate done
> www1.bwlogic.com:/etc 0 1380k estimate done
> www1.bwlogic.com:/usr/local/www 0 411780k estimate done
> www1.bwlogic.com:/var/log 0 430k estimate done
> www2.bwlogic.com:/etc 0 1380k estimate done
> www2.bwlogic.com:/usr/local/www 0 257680k estimate done
> www2.bwlogic.com:/var/log 0 930k estimate done
>
> SUMMARY part real estimated
> size size
> partition : 26
> estimated : 22 6236870k
> flush : 0 0k
> failed : 0 0k ( 0.00%)
> wait for dumping: 0 0k ( 0.00%)
> dumping to tape : 0 0k ( 0.00%)
> dumping : 0 0k 0k ( 0.00%) ( 0.00%)
> dumped : 0 0k 0k ( 0.00%) ( 0.00%)
> wait for writing: 0 0k 0k ( 0.00%) ( 0.00%)
> wait to flush : 0 0k 0k (100.00%) ( 0.00%)
> writing to tape : 0 0k 0k ( 0.00%) ( 0.00%)
> failed to tape : 0 0k 0k ( 0.00%) ( 0.00%)
> taped : 0 0k 0k ( 0.00%) ( 0.00%)
> all dumpers active
> taper idle
>
> dns1 stays at "getting estimate" for like 2 hours, then it
> times out and the backup runs. This is so odd, the second odd
> thing to happen with this server so rebuilding from scratch
> might actually be an option.
>
> Thanks for your time and reading my lengthy email, any help
> you can provide would go to good use.
>
> TIA
>
> Jay
>
>
>
> -----Original Message-----
> From: owner-amanda-users AT amanda DOT org
> [mailto:owner-amanda-users AT amanda DOT org] On Behalf Of
> donald.ritchey AT exeloncorp DOT com
> Sent: Tuesday, November 04, 2003 5:29 PM
> To: jlavigne AT bwlogic DOT com; jlb17 AT duke DOT edu
> Cc: amanda-users AT amanda DOT org
> Subject: RE: What ports does Amanda use?
>
> Make sure you rebuild both client and server, since the
> server is the one that initiates the connection to the
> client. Its choice of ports must match the ones that the
> client expects to see.
>
> In general, I have found that I must make sure that both ends
> of an Amanda connection are configured consistently to have
> successful connections.
>
> You might want to set up a separate test configuration that
> uses the version of Amanda with the port range options set.
> This will allow you to verify that the selected port ranges
> work for your firewall/server/client combination without
> affecting your other servers (which are still working
> correctly). Once your experimentation is complete, then you
> can merge the two configurations.
>
> Another avenue of exploration:
>
> Check to see that your firewall has all seven servers in the
> same rule set (it sounds to me like the last server is being
> treated differently, possibly because it is on a different
> subnet, belongs to a different department, is in a different
> risk class, etc.). If the rules are different for the
> seventh server, then a simple rule modification on the
> firewall to permit Amanda connections may resolve the entire
> issue without rebuilding Amanda.
>
> Hopefully one or more of these suggestions helps.
>
> Don
>
> Donald L. (Don) Ritchey
> E-mail: Donald.Ritchey AT exeloncorp DOT com
>
>
> -----Original Message-----
> From: Jason Lavigne [mailto:jlavigne AT bwlogic DOT com]
> Sent: Tuesday, November 04, 2003 3:34 PM
> To: 'Joshua Baker-LePain'
> Cc: amanda-users AT amanda DOT org
> Subject: RE: What ports does Amanda use?
>
>
> Should I be using
>
> ./configure --with-tcpportrange=50000,50040 --with-udpportrange=890,899
>
> on the client, server or both?
>
> I am still confused why 6 out of 7 servers in my DMZ (behind
> a firewall) work as-is, it is just one server that is giving
> me a headache. I know it is a firewall related issue cause if
> I turn off the firewall the Amanda dump works fine on all 7
> servers, but with it on one server fails to connect. I am
> rebuilding the client first with the --with-tcp* and
> --with-udp* options to see if this works.
>
> My Amanda server is on my private LAN connecting in to the DMZ.
>
> Jay
>
>
>
>
> -----Original Message-----
> From: owner-amanda-users AT amanda DOT org
> [mailto:owner-amanda-users AT amanda DOT org] On Behalf Of Joshua
> Baker-LePain
> Sent: Tuesday, November 04, 2003 3:56 PM
> To: Jason Lavigne
> Cc: amanda-users AT amanda DOT org
> Subject: Re: What ports does Amanda use?
>
> On Tue, 4 Nov 2003 at 1:47pm, Jason Lavigne wrote
>
> > Is it just tcp 10080 - 10083?
>
> Read docs/PORT.USAGE. It's udp 10080 and any unprivileged tcp ports
> (well, 3 at a time).
>
> --
> Joshua Baker-LePain
> Department of Biomedical Engineering
> Duke University
>
>
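One way to act on the "check the firewall log" advice at the top of this thread, as an added example that is not part of any poster's message: the script below pulls blocked packets for the problem host (.27 in the /28) out of firewall log lines and marks whether each destination port falls inside the ranges the quoted ipfilter rules pass. The ipmon-style record layout, the sample log lines and the server address 192.168.1.10 are assumptions made up for the example, and only destination ports are compared, not rule direction or source constraints.

```python
import re
from collections import Counter

# Destination-port allowances copied from the ipfilter rules quoted in the thread.
ALLOWED = {
    "tcp": [(10080, 10080), (10082, 10083), (50000, 50040)],
    "udp": [(10080, 10080), (10082, 10083), (890, 899)],
}

# Assumed ipmon-style record: "<if> @<group>:<rule> <action> src,sport -> dst,dport PR <proto>"
RECORD = re.compile(
    r"(?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>[A-Za-z]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>tcp|udp)\b"
)

def port_allowed(proto, port):
    """True if the port falls inside a range the quoted rules pass."""
    return any(lo <= port <= hi for lo, hi in ALLOWED.get(proto, ()))

def blocked_for_host(lines, host):
    """Count blocked packets to or from host, keyed by flow and rule coverage."""
    hits = Counter()
    for line in lines:
        m = RECORD.search(line)
        if m is None or m["action"] != "b" or host not in (m["src"], m["dst"]):
            continue
        dport = int(m["dport"])
        covered = port_allowed(m["proto"], dport)
        hits[(m["proto"], m["src"], m["dst"], dport, m["rule"], covered)] += 1
    return hits

# Constructed sample log; 192.168.1.10 is a made-up address for the Amanda server.
SAMPLE_LOG = """\
Nov  4 18:02:31 fw ipmon[211]: 18:02:30.512345 dc1 @20:4 p 192.168.1.10,893 -> 216.138.226.27,10080 PR udp len 20 132 OUT
Nov  4 18:02:33 fw ipmon[211]: 18:02:32.100201 dc1 @0:1 b 216.138.226.27,1027 -> 192.168.1.10,893 PR udp len 20 78 IN
Nov  4 18:02:43 fw ipmon[211]: 18:02:42.100733 dc1 @0:1 b 216.138.226.27,1027 -> 192.168.1.10,893 PR udp len 20 78 IN
Nov  4 18:03:01 fw ipmon[211]: 18:03:00.000412 dc1 @0:1 b 216.138.226.21,40112 -> 192.168.1.10,25 PR tcp len 20 60 -S IN
Nov  4 18:03:05 fw ipmon[211]: 18:03:04.000412 dc1 @0:1 b 216.138.226.27,33211 -> 192.168.1.10,51000 PR tcp len 20 60 -S IN
""".splitlines()

if __name__ == "__main__":
    for (proto, src, dst, dport, rule, covered), n in blocked_for_host(
            SAMPLE_LOG, "216.138.226.27").items():
        note = ("inside configured ranges, check rule order/direction" if covered
                else "outside configured ranges")
        print(f"{n}x {proto} {src} -> {dst}:{dport} blocked by rule @{rule}: {note}")
```

A blocked packet whose port is inside the configured ranges points at rule ordering, direction or grouping on the firewall; one outside them points at an Amanda build that is not using the port ranges the rules expect.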