Kaushal Shriyan wrote:
Can I allow the amanda backup server to talk through the firewall to access
the amanda client host? Is there any way out?
The general answer is to recompile amanda with a dedicated port range
and open those ports in the firewall. See the explanation in
docs/PORT.USAGE.
If the firewall is running Linux, it could be as easy as loading the
amanda netfilter modules "ip_conntrack_amanda" and maybe "ip_nat_amanda".
Beware of 2.6.6rc2 kernels, which are reported to give some trouble:
http://www.mail-archive.com/amanda-users AT amanda DOT org/msg26094.html
I've not yet verified this.
Personally I use a third option (until I get my firewall upgraded
to use the amanda netfilter modules). My firewall does simple
connection tracking and NAT.
I commented out this block in common-src/security.c:
    /* next, make sure the remote port is a "reserved" one */
    /* Avoid trouble with NAT changing reserved ports in random ports
    if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
        ap_snprintf(number, sizeof(number), "%d",
                    ntohs(addr->sin_port));
        *errstr = vstralloc("[",
                            "host ", remotehost, ": ",
                            "port ", number, " not secure",
                            "]", NULL);
        amfree(remotehost);
        return 0;
    }
    */
It's because of NAT that ports below 1024 get translated to some
arbitrary high number. The security of this check is marginal in
these times when everyone can be root and use reserved ports on his
hacker box.
With this setup, I only have to open ports from my amanda server to
the DMZ hosts. All the rest is taken care of by the normal connection
tracking. (Correct me if I missed something.)
--
Paul Bijnens, Xplanation Tel +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512
http://www.xplanation.com/ email: Paul.Bijnens AT xplanation DOT com
***********************************************************************
* I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, *
* kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ... "Are you sure?" ... YES ... Phew ... I'm out *
***********************************************************************
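As an added illustration of the first option above (the dedicated port range plus firewall rules), not code from this thread or from amanda itself, here is a small POSIX shell script that emits the iptables rules for the server-to-client direction and checks the port range against the same rule the security.c block enforces (source port below IPPORT_RESERVED, i.e. 1024). It assumes amanda was built with --with-udpportrange and --with-tcpportrange, that the server reaches amandad on UDP 10080, and that the server connects to the client's data ports inside the TCP range; the addresses and ranges used are placeholders.

```shell
#!/bin/sh
# Added example for the "dedicated port range" approach from docs/PORT.USAGE.
# Not part of amanda or of the original mail.  Assumptions: amanda was
# configured with --with-udpportrange=LO,HI and --with-tcpportrange=LO,HI,
# amandad listens on UDP 10080 on the client, and the server opens the TCP
# data connections to ports the client picks from its TCP range.

# The check in common-src/security.c accepts a peer only if its source
# port is below IPPORT_RESERVED (1024).  A UDP range "LO:HI" therefore has
# to sit entirely below 1024, or every request is rejected as "not secure".
# Returns 0 when the range is usable, 1 otherwise.
range_is_reserved() {
  lo=${1%:*}
  hi=${1#*:}
  [ "$lo" -le "$hi" ] && [ "$hi" -lt 1024 ]
}

# Print the iptables rules that let SERVER reach CLIENT through a
# forwarding firewall.  Replies ride on connection tracking, so nothing
# is opened in the client -> server direction.
#   $1 = amanda server address   $2 = client (DMZ host) address
#   $3 = UDP source range LO:HI  $4 = TCP destination range LO:HI
amanda_rules() {
  server=$1; client=$2; udp=$3; tcp=$4
  # amcheck/planner/dumper send UDP from a reserved source port to amandad.
  echo "iptables -A FORWARD -p udp -s $server --sport $udp -d $client --dport 10080 -j ACCEPT"
  # The server connects to the DATA/MESG/INDEX ports inside the TCP range.
  echo "iptables -A FORWARD -p tcp -s $server -d $client --dport $tcp --syn -j ACCEPT"
  # Everything else (UDP replies, the rest of each TCP stream) is tracked.
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Combine the two: refuse to emit rules for a UDP range the client's
# reserved-port check would reject anyway.  Returns 1 in that case.
emit_rules_checked() {
  if ! range_is_reserved "$3"; then
    echo "UDP range $3 is not below 1024; amandad would reject it" >&2
    return 1
  fi
  amanda_rules "$1" "$2" "$3" "$4"
}
```

Run it as `emit_rules_checked 10.0.0.1 10.0.1.5 850:854 50000:50100 | sh` on the firewall (after `modprobe ip_conntrack_amanda` if that is the path you take instead). Note that if the server itself sits behind NAT, the translated source port will no longer be below 1024 on arrival, which is exactly why the security.c check fails in the NAT setup described above.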