Kevin:
Sorry about responding late to this post, I have been away from the mailing
list for a while, so this may be a stale issue. Be sure and study the
docs/PORT.USAGE file in the Amanda distribution for a detailed explanation
of how to set up your ports.
There appears to be confusion about the use of port ranges through the
firewall. Amanda needs three sets of ports opened in a firewall:
  UDP/10080, TCP/10082, TCP/10083 -> the well-known services that
      connect clients to Amanda services
  the UDP port range -> a set of ports for Amanda to exchange
      information between the clients and the server
  the TCP port range -> a set of ports to pass the backup data
      streams between the Amanda clients and servers
During a session, the Amanda server connects to the Amanda UDP port on the
client to perform an operation; the request originates from one of the UDP
ports in the UDPPORTRANGE. Amanda uses this connection to send commands to
the remote client and receive reports of results from the client.
To perform a backup, Amanda sends the client a set of three ports in the
TCPPORTRANGE that will be used for standard input, output, and error
streams. Amanda uses the three ports to send/receive information with the
client. The range of addresses needs to be large enough to conduct as many
remote sessions as needed by the configuration going through the firewall.
For my firewall, I have the following ports open:
To each client:
  UDP 10080       - Amanda control port
  TCP 10082       - Amanda index service
  TCP 10083       - Amanda tape service
  UDP 880-899     - for bi-directional status data flows
  TCP 50000-50040 - for bi-directional backup stream flows
From clients to the server:
  UDP 10080       - Amanda control port
  TCP 10082       - Amanda index service
  TCP 10083       - Amanda tape service
  UDP 880-899     - for bi-directional status data flows
  Return connections for each established outbound connection
Since I don't control the firewall, I have to depend on rule and port
listings from the Firewall group. Good communication of the contents of the
docs/PORT.USAGE file from the Amanda distribution file tree is essential for
the Firewall Team to be able to set up the firewall to correctly pass the
Amanda data streams.
Best of luck with Amanda and hopefully this will get you moving,
Donald L. (Don) Ritchey
Information Technology
Exelon Corporation
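The port groups Don lists above can be turned into a mechanical check, which is useful when, as both posters say, somebody else operates the firewall and you only get to see their rule listing. The following script is an added example, not part of this thread and not Amanda's own tooling: it models the three groups (the well-known services UDP/10080, TCP/10082, TCP/10083; the UDPPORTRANGE; and the TCPPORTRANGE at three ports per dump for stdin/stdout/stderr), takes Don's two rule lists as a constructed allow list, and reports which required ports the rules would not pass and how many concurrent dumps the TCP range can carry. The `Rule` class, the `to_client`/`to_server` direction model (taken from the two headings in Don's list) and the second, deliberately mismatched configuration (the 10080,10083 / 850,854 ranges from the configure script quoted later in the thread, run against Don's rules rather than Kevin's own firewall) are this example's assumptions.

```python
"""Check an Amanda port configuration against a firewall allow list.

Added example, not Amanda's code.  Port groups and directions follow
Don Ritchey's summary of docs/PORT.USAGE; the rule model is assumed.
"""
from dataclasses import dataclass

# Well-known Amanda services, needed in both directions per Don's list.
WELL_KNOWN = (("udp", 10080, "amanda control"),
              ("tcp", 10082, "amanda index service"),
              ("tcp", 10083, "amanda tape service"))
PORTS_PER_DUMP = 3  # stdin, stdout and stderr streams per backup


@dataclass(frozen=True)
class Rule:
    """One firewall allow entry (assumed shape, not a real firewall syntax)."""
    proto: str       # "tcp" or "udp"
    first: int       # first allowed port
    last: int        # last allowed port (inclusive)
    direction: str   # "to_client" or "to_server"

    def covers(self, proto, port):
        return self.proto == proto and self.first <= port <= self.last


def port_range(spec):
    """Parse an Amanda-style 'LOW,HIGH' spec as used by --with-tcpportrange."""
    low, high = (int(p) for p in spec.split(","))
    if low > high:
        raise ValueError(f"inverted range {spec!r}")
    return range(low, high + 1)


def allowed(rules, proto, port, direction):
    return any(r.direction == direction and r.covers(proto, port) for r in rules)


def required_ports(tcp_range, udp_range):
    """Every (proto, port, direction, label) Amanda needs the firewall to pass."""
    req = []
    for direction in ("to_client", "to_server"):
        for proto, port, label in WELL_KNOWN:
            req.append((proto, port, direction, label))
        for port in udp_range:               # status/request traffic, both ways
            req.append(("udp", port, direction, "udp port range"))
    for port in tcp_range:                   # backup streams, listed to_client only
        req.append(("tcp", port, "to_client", "tcp port range"))
    return req


def check_config(tcp_range, udp_range, rules):
    """Return the required ports the rules block and the TCP range capacity."""
    missing = [entry for entry in required_ports(tcp_range, udp_range)
               if not allowed(rules, entry[0], entry[1], entry[2])]
    return {"missing": missing,
            "max_concurrent_dumps": len(tcp_range) // PORTS_PER_DUMP}


def summarize(findings):
    """Collapse the per-port miss list into one line per group and direction."""
    groups = {}
    for proto, port, direction, label in findings["missing"]:
        groups.setdefault((proto, direction, label), []).append(port)
    lines = [f"BLOCKED {label} ({proto}, {direction}): {len(ports)} port(s), "
             f"{min(ports)}-{max(ports)}"
             for (proto, direction, label), ports in sorted(groups.items())]
    lines.append(f"TCP range carries at most "
                 f"{findings['max_concurrent_dumps']} concurrent dump(s)")
    return lines


# Constructed allow list transcribed from Don's two headings above.
DON_RULES = [
    Rule("udp", 10080, 10080, "to_client"), Rule("tcp", 10082, 10082, "to_client"),
    Rule("tcp", 10083, 10083, "to_client"), Rule("udp", 880, 899, "to_client"),
    Rule("tcp", 50000, 50040, "to_client"),
    Rule("udp", 10080, 10080, "to_server"), Rule("tcp", 10082, 10082, "to_server"),
    Rule("tcp", 10083, 10083, "to_server"), Rule("udp", 880, 899, "to_server"),
]

if __name__ == "__main__":
    # Configuration matching Don's rules: nothing blocked, 41 TCP ports -> 13 dumps.
    ok = check_config(port_range("50000,50040"), port_range("880,899"), DON_RULES)
    print("\n".join(summarize(ok)))
    # Mismatched configuration (ranges from the configure script quoted below,
    # checked against Don's rules purely for illustration).
    bad = check_config(port_range("10080,10083"), port_range("850,854"), DON_RULES)
    print("\n".join(summarize(bad)))
```

Run against a transcript of what the firewall team says they opened, the second case is the kind of thing it surfaces: a UDP range (850-854) that lies entirely outside the opened one, a TCP range that overlaps the well-known service ports and leaves only four ports for data streams (enough for a single dump at three ports each), both of which look like "it just times out" from the server side.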
-----Original Message-----
From: KEVIN ZEMBOWER [mailto:KZEMBOWE AT jhuccp DOT org]
Sent: Wednesday, August 18, 2004 3:40 PM
To: amanda-users AT amanda DOT org
Subject: Another 'Amanda through firewall' problem
Two years ago, I wrote here about problems getting Amanda to work through a
firewall using NAT which couldn't be turned off. I finally gave up in
frustration, despite the helpful advice of the folks here, and set up two
separate backup systems, one inside and one outside the firewall. Adding to my
frustration is the fact that I don't administer the firewall, and can't
verify directly that what I requested was implemented. Now, I'm trying again
to back up all my hosts with just one Amanda system.
My tapehost 'centernet' is trying to back up hosts 'admin' and
'mailinglists' in addition to itself, inside the firewall, and hosts 'www'
and 'real' outside the firewall.
I've read and tried to follow the advice given to others in this situation.
I changed the file common-src/security.c to comment out the section where
the port number is checked. I also used the script, first given here, pasted
in at the end of this note, to configure Amanda on both the server and the
clients. I have the new Amanda system (tapehost inside the firewall) working
on all the other hosts inside the firewall, but it times out with the hosts
outside the firewall.
When I amcheck it, I don't get anything written in either the working or
non-working clients, in either /tmp/Amanda or /tmp/Amanda-dbg.
Can anyone suggest any diagnostic tools or methods that I can use to verify
that the firewall is set up the way I requested? I've tried to use 'netcat'
in the past to verify proper transmission through a firewall, but don't
understand how I could use it in this case, as I don't know what port the
firewall will NAT the request to.
I'm not getting any diagnostic messages in any of the logs I've looked at,
on either the host or clients.
Any suggestions? Thanks for all your help and advice.
-Kevin Zembower
=============================================
Amanda@cn2:~$ cat configure_amanda.sh
#!/bin/sh
# since I'm always forgetting to su amanda...
if [ `whoami` != 'amanda' ]; then
    echo
    echo "!!!!!!!!!!!! Warning !!!!!!!!!!!!"
    echo "Amanda needs to be configured and built by the user amanda,"
    echo "but must be installed by user root."
    echo
    exit 1
fi
echo "!!!!!!!!!!!! Warning !!!!!!!!!!!!"
echo "Did you remember to make the changes in common_src/security.c"
echo "to disable the port check, to allow amanda to work through a"
echo "NATted firewall like CCP's?"
echo
make clean
rm -f config.status config.cache
../configure --with-user=amanda \
    --with-group=disk \
    --with-owner=amanda \
    --with-tape-device=/dev/nst0 \
    --prefix=/usr/local \
    --with-portrange=10080,10083 \
    --with-tcpportrange=10080,10083 \
    --with-udpportrange=850,854 \
    --with-debugging=/tmp/amanda-dbg/ \
    --with-config=DBackup \
    --with-smbclient=/usr/bin/smbclient \
    --with-configdir=/etc/amanda
amanda@cn2:~$