Hans:
Did you also allow a range of UDP ports for Amanda to use? There is a
configuration parameter (--udpportrange=xxx,yyy) that specifies the set
of UDP ports for Amanda to use. We chose the range of 890-899, as we
had nothing else specified to run in that range of ports. The firewall
is set to allow connections from the DMZ clients to the Amanda server
and also in the reverse direction. How this is set up will depend on
your firewall.
All of this setup was about a year ago, so I forget some of the details
of the use for these ports, but Amanda was happily backing up systems
through those ports until we retired the system that needed the connection.
Questions?
Donald L. (Don) Ritchey
E-mail: Donald.Ritchey AT exeloncorp DOT com
-----Original Message-----
From: Hans van Zijst [mailto:hzi AT syncera DOT nl]
Sent: Monday, March 22, 2004 11:26 AM
To: amanda-users AT amanda DOT org
Subject: Amanda vs firewall
I need some help configuring Amanda to back up a couple of hosts in our DMZ.
Been trying to get it to work for quite some time, but it just won't work.
Hosts in the trusted zone go like a charm, but no success on the DMZ hosts
so far. For some reason our firewall doesn't seem to like Amanda, which
could partially be attributed to the fact that it doesn't do stateful
inspection. I realize this question is not a hardcore Amanda thing, but
hopefully some of you can give me some hints anyway.
We configured the firewall to allow UDP traffic from a secure port on our
Amanda server in the trusted zone to port 10080 in the DMZ. This works. But
unfortunately UDP isn't stateful, so we had to define a new set of rules to
allow the replies. What we did (or think we did) is allow UDP traffic from
port 10080 from hosts in the DMZ to secure ports on the Amanda server.
Strangely enough this sometimes works, but usually doesn't. The
reply-packets sometimes disappear, sometimes generating an ICMP
"destination unreachable", but sometimes not even that. Sometimes even the
connections initiated by the Amanda server disappear, usually never
generating ICMP messages. Whatever we try, we never get to the point where
a TCP connection is set up (I keep referring to "we" as it's not me who
administers the firewall).
I compiled Amanda myself, restricting the ports to use to 45000-45100. So I
think it should be sufficient to punch a hole in the firewall that allows
TCP traffic from server to client within that range.
I just hope some of you can tell me I'm wrong and I need to do something
else/more... We use Linux machines here and a commercial firewall that
doesn't do connection tracking, unfortunately.
While I'm at it, what's the reason why the Amanda developers chose UDP for
the first stage? Is it only the overhead TCP causes?
Thanks in advance.
Hans
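The following is an added example for this thread, not code from either post or from Amanda itself. It models a firewall that does no connection tracking, as Hans describes, and checks which packets of one backup run get through a given rule set, with Don's remark about allowing both directions applied to the TCP data connection as well. Assumptions are labelled in the code: the server's "secure" source ports are taken to be the reserved range 1-1023, the TCP data range 45000-45100 is the one Hans says he compiled in, and the server's ephemeral TCP source range 32768-60999 is a stand-in for whatever its OS actually uses.

```python
"""Stateless packet-filter model for the Amanda server <-> DMZ client flows.

Added example for this thread; not code from the original posts or from
Amanda.  A stateless filter decides on each packet alone, so the reply
half of every flow (UDP and TCP alike) needs its own explicit rule.
"""
from dataclasses import dataclass

AMANDAD = range(10080, 10081)       # amandad's UDP port
RESERVED = range(1, 1024)           # assumed "secure" source ports on the server
AMANDA_TCP = range(45000, 45101)    # the TCP range Hans compiled in
EPHEMERAL = range(32768, 61000)     # assumed server-side ephemeral TCP range


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp" or "tcp"
    src: str                        # "server" (trusted zone) or "dmz"
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    sports: range
    dst: str
    dports: range
    established_only: bool = False  # TCP only: require ACK set, so a bare SYN
                                    # (a new connection) cannot use this hole

    def matches(self, p: Packet) -> bool:
        if (p.proto, p.src, p.dst) != (self.proto, self.src, self.dst):
            return False
        if p.sport not in self.sports or p.dport not in self.dports:
            return False
        return not (self.established_only and "ACK" not in p.flags)


def passes(rules, p: Packet) -> bool:
    """Stateless decision: forward the packet iff some rule matches it by
    itself.  Nothing is remembered about earlier packets."""
    return any(r.matches(p) for r in rules)


# The three holes Hans describes punching.
RULES_AS_POSTED = [
    Rule("udp", "server", RESERVED, "dmz", AMANDAD),        # request to amandad
    Rule("udp", "dmz", AMANDAD, "server", RESERVED),        # UDP reply
    Rule("tcp", "server", EPHEMERAL, "dmz", AMANDA_TCP),    # data connection SYN
]

# Don's "also in the reverse direction", applied to the TCP data connection:
# the client's SYN/ACK and data come back from 45000-45100 to the server's
# ephemeral port.  established_only keeps a DMZ host from using the same
# hole to open connections toward the server.
RULES_COMPLETE = RULES_AS_POSTED + [
    Rule("tcp", "dmz", AMANDA_TCP, "server", EPHEMERAL, established_only=True),
]


def amanda_exchange(udp_sport=890, tcp_sport=40000, data_port=45003):
    """One backup run as the firewall sees it: the UDP request to amandad
    and its reply, then the TCP data connection the server opens to the
    client (server to client, as Hans describes) and the client's SYN/ACK."""
    return [
        Packet("udp", "server", udp_sport, "dmz", 10080),
        Packet("udp", "dmz", 10080, "server", udp_sport),
        Packet("tcp", "server", tcp_sport, "dmz", data_port, frozenset({"SYN"})),
        Packet("tcp", "dmz", data_port, "server", tcp_sport, frozenset({"SYN", "ACK"})),
    ]


def blocked(rules, packets):
    """Return the packets a stateless filter with these rules would drop."""
    return [p for p in packets if not passes(rules, p)]


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("complete", RULES_COMPLETE)):
        dropped = blocked(rules, amanda_exchange())
        print(f"{name}: {len(dropped)} packet(s) dropped")
        for p in dropped:
            print(f"  {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {set(p.flags) or ''}")
```

With the rules as posted, the only packet the model drops is the client's SYN/ACK on the data connection, because no rule admits TCP from the DMZ back to the server; the completed set passes the whole run while still rejecting a SYN from the DMZ into the server's ephemeral range. The UDP reverse rule has no such protection: any datagram from port 10080 on a DMZ host to any reserved port on the server gets through, which is why narrowing the server-side UDP ports to a small range like Don's 890-899 and matching the reverse rule to that range is worth doing.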