Barry A. Trent wrote:
Iptables firewalls on a newer kernel have Amanda support built in,
otherwise you either need gaping holes in the firewall or need to
compile with the portrange options. I agree that it should be a
conf file setting, but it's not.
How new a kernel are we talking about? Is there specific support for
Amanda, or are you just referring to the "stateful packet inspection"
features of iptables?
It depends on how tight your firewall is configured, and where the
server is located.
Let's assume this topology (ascii graphics -- assumes constant width
font to view):

                Internet
                    |
                    |zone.ext
                    |
                +---+---+       zone.dmz
                |  FW   +--------------- Webserver etc.
                +---+---+
                    |
                    |zone.int
                    |
                 Inside
Many firewalls have the zone.dmz and zone.int merged into one, e.g.
most SOHO routers with a built-in firewall do this.
With "stateful packet inspection", a common configuration is to block
all incoming traffic from zone.ext, except some well-defined ip/port
combinations which are redirected to the appropriate hosts in the DMZ.
Traffic from zone.int to zone.dmz is usually allowed for some hosts only.
Traffic initiated in zone.int may pass through the firewall to zone.ext
without restrictions (except maybe a few ports, like e.g. tftp, KaZaa,
etc.). This is the more relaxed setup that many people prefer.
It gives reasonable security and reasonable flexibility.
The network traffic in amanda is always initiated by the server.
If your amanda server is in zone.int, then you have to allow almost
all ports from that server to zone.dmz. In that case you don't need
to restrict the portrange. The reply traffic is handled by the
stateful firewall.
From a security standpoint, it means that if your amanda-server is
compromised, then crackers get access to the dmz.
If you want to tighten the firewall so that only certain ports
can be used between zone.int and zone.dmz (even for the amanda-server),
then you'll need to specify the portrange, and open only those ports.
If you have loaded the special amanda-iptables modules, then you only
need to open the amanda 10080/udp port from server to client(s).
All the rest is handled by the stateful firewall, even without
portranges.
A stateful firewall on the host itself (like iptables) can handle
amanda when you open up 10080/udp and 1024-and-up/tcp to the
amanda server.
--
Paul Bijnens, Xplanation Tel +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512
http://www.xplanation.com/ email: Paul.Bijnens AT xplanation DOT com
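As an added example (not from this mail, and not Amanda's own code): the two rulesets the reply describes, a host firewall on an Amanda client and the tightened zone firewall between zone.int and zone.dmz, emitted as iptables commands. The addresses, chain names and the sample portrange are placeholders chosen for the example; the rules are printed rather than applied so they can be reviewed without root.

```shell
#!/bin/sh
# Constructed example: print iptables rules following the advice above.
# Pipe the output to sh on the right host to apply it.

# Host firewall on an Amanda client.  The server initiates all traffic, so
# accept 10080/udp (amandad) and tcp 1024 and up from the server only, and
# let conntrack pass the replies.  With the kernel's Amanda conntrack helper
# (nf_conntrack_amanda) loaded, the data connections are RELATED and the tcp
# range is not needed; pass "helper" as the second argument for that variant.
# (On kernels 4.7 and later the helper must also be assigned to the 10080/udp
# flow with the CT target in the raw table; that rule is left out here.)
amanda_client_rules() {
    server="$1"; mode="${2:-plain}"; chain="AMANDA-IN"   # placeholders
    [ "$mode" = helper ] && echo "modprobe nf_conntrack_amanda"
    echo "iptables -N $chain"
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A $chain -s $server -p udp --dport 10080 -j ACCEPT"
    [ "$mode" = helper ] ||
      echo "iptables -A $chain -s $server -p tcp --dport 1024:65535 -j ACCEPT"
    echo "iptables -A $chain -j DROP"
    echo "iptables -I INPUT -j $chain"
}

# Zone firewall with the Amanda server in zone.int and clients in zone.dmz:
# the tightened variant from the mail, forwarding only the Amanda ports from
# the server into the DMZ instead of "almost all ports".  If Amanda was built
# with a tcp portrange, pass it as the third argument (e.g. 50000:50100) so
# the tcp rule is narrowed to exactly those ports.
amanda_forward_rules() {
    server="$1"; dmz="$2"; tcprange="${3:-1024:65535}"; chain="AMANDA-FWD"
    echo "iptables -N $chain"
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A $chain -s $server -d $dmz -p udp --dport 10080 -j ACCEPT"
    echo "iptables -A $chain -s $server -d $dmz -p tcp --dport $tcprange -j ACCEPT"
    echo "iptables -I FORWARD -j $chain"
}

# Dry run with placeholder addresses (192.0.2.10 = server, 198.51.100.0/24 = dmz):
#   amanda_client_rules 192.0.2.10
#   amanda_forward_rules 192.0.2.10 198.51.100.0/24 50000:50100
```

The client variant accepts the whole 1024-and-up tcp range from the server address only, which is the trade-off the reply describes: a compromised server can still reach any high port on the client.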