--On Monday, March 22, 2004 18:26:08 +0100 Hans van Zijst <hzi AT syncera DOT nl> wrote:
> I need some help configuring Amanda to backup a couple of hosts in our DMZ.
> Been trying to get it to work for quite some time, but it just won't work.
> Hosts in the trusted zone go like a charm, but no success on the DMZ hosts
> so far. For some reason our firewall doesn't seem to like Amanda, which
> could partially be attributed to the fact that it doesn't do stateful
> inspection. I realize this question is not a hardcore Amanda thing, but
> hopefully some of you can give me some hints anyway.
>
> We configured the firewall to allow UDP traffic from a secure port on our
> Amanda server in the trusted zone to port 10080 in the DMZ. This works. But
> unfortunately UDP isn't stateful, so we had to define a new set of rules to
> allow the replies. What we did (or think we did) is allow UDP traffic from
> port 10080 from hosts in the DMZ to secure ports on the Amanda server.
> Strangely enough this sometimes works, but usually doesn't. The
> reply-packets sometimes disappear, sometimes generating an ICMP
> "destination unreachable", but sometimes not even that. Sometimes even the
> connections initiated by the Amanda server disappear, usually never
> generating ICMP messages. Whatever we try, we never get to the point where
> a TCP connection is set up (I keep referring to "we" as it's not me who
> administers the firewall).
>
> I compiled Amanda myself, restricting the ports to use to 45000-45100. So I
> think it should be sufficient to punch a hole in the firewall that allows
> TCP traffic from server to client within that range.
Besides the --with-tcpportrange= option, you probably also need the
--with-udpportrange= option as well, and open those udp ports on the
firewall. See PORTS.USAGE in the docs directory.
Frank
>
> I just hope some of you can tell me I'm wrong and I need to do something
> else/more... We use Linux machines here and a commercial firewall that
> doesn't do connection tracking, unfortunately.
>
> While I'm at it, what's the reason why the Amanda developers chose UDP for
> the first stage? Is it only the overhead TCP causes?
>
> Thanks in advance.
>
> Hans
>
--
Frank Smith fsmith AT hoovers DOT com
Sr. Systems Administrator Voice: 512-374-4673
Hoover's Online Fax: 512-374-4501
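As an added illustration of the two-direction rule set a non-stateful firewall needs for the port ranges Frank and Hans discuss (this is example code written for this page, not anything from the Amanda project or from either poster): the server's UDP source ports, the client's amanda/10080 port, and the client-side TCP range. The addresses (10.0.0.5 for the server, 192.0.2.10 for the DMZ client) and the UDP range 850-854 are assumptions; the TCP range 45000-45100 is the one Hans built with. The script only prints the rules unless IPT is set to the real iptables binary.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for a *stateless*
# firewall sitting between an Amanda server and a DMZ client.  Because the
# box cannot track UDP "connections", the reply direction must be allowed
# explicitly, and the TCP data connections need a rule each way as well.
#
# Assumed build options (on both server and client):
#   --with-udpportrange=850,854      privileged source ports for the request
#   --with-tcpportrange=45000,45100  the range Hans used
# Addresses below are constructed for illustration only.
#
# Default is a dry run that prints the rules; run with IPT=iptables to apply.
IPT=${IPT:-echo iptables}

amanda_fw_rules() {
    server=$1; client=$2
    udp_lo=$3; udp_hi=$4
    tcp_lo=$5; tcp_hi=$6

    # 1. Request: server -> client, UDP from the server's udp range to 10080.
    $IPT -A FORWARD -p udp -s "$server" -d "$client" \
        --sport "$udp_lo:$udp_hi" --dport 10080 -j ACCEPT

    # 2. Reply: client -> server, UDP from 10080 back to that same range.
    #    A stateless firewall cannot derive this from rule 1, so without it
    #    the replies are dropped (or bounced with ICMP unreachable).
    $IPT -A FORWARD -p udp -s "$client" -d "$server" \
        --sport 10080 --dport "$udp_lo:$udp_hi" -j ACCEPT

    # 3. Data: server -> client, TCP into the client's tcp range.  The
    #    server's source port is deliberately left unconstrained here.
    $IPT -A FORWARD -p tcp -s "$server" -d "$client" \
        --dport "$tcp_lo:$tcp_hi" -j ACCEPT

    # 4. Data replies: client -> server, TCP from that range, but only
    #    segments that are not a bare SYN, so the DMZ host can answer the
    #    server's connections yet never open a new one towards it.
    $IPT -A FORWARD -p tcp -s "$client" -d "$server" \
        --sport "$tcp_lo:$tcp_hi" ! --syn -j ACCEPT
}

# Usage: server, client, udp range, tcp range.
amanda_fw_rules 10.0.0.5 192.0.2.10 850 854 45000 45100
```

Rule 4 is the stateless stand-in for "ESTABLISHED": it accepts anything carrying ACK, RST or FIN from the client's data ports, which is enough for the server-initiated TCP streams to work while still refusing fresh SYNs from the DMZ. If the firewall is the endpoint rather than a router, the same rules go in INPUT/OUTPUT instead of FORWARD.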