Amanda-Users

Re: firewall/nat issues

2005-06-28 15:25:26
Subject: Re: firewall/nat issues
From: Eric Dantan Rzewnicki <rzewnickie AT rfa DOT org>
To: "Stefan G. Weichinger" <sgw AT amanda DOT org>
Date: Tue, 28 Jun 2005 15:09:42 -0400
On Tue, Jun 28, 2005 at 04:30:17PM +0200, Stefan G. Weichinger wrote:
> Eric Dantan Rzewnicki wrote:
> >Is this entry in the FAQ a complete description of the network
> >interactions between amanda client and amanda server?
> >http://amanda.sourceforge.net/fom-serve/cache/139.html
> >I'm not relishing the thought of working this out in ipchains ...
> >I'm pushing to (finally) move to iptables. But, I may have to make it
> >work with ipchains for now, so I need to get a clear understanding of
> >what type of which ports need to be opened up.
> For iptables:
> http://www.amanda.org/docs/faq.html#id2555136
> and the main info:
> http://www.amanda.org/docs/portusage.html
> I'd also recommend to search the archives for terms like 
> iptables/ipchains/firewall, there have been some threads lately ...

Yes. Thank you. I've read all of that and now have re-read it. I think
the best answer is to get our firewall updated to using iptables and the
amanda connection tracking module. But, that is a separate project with
separate management decisions to be made.

I don't think I can get this to work in a non-ugly way with our current
ipchains, linux kernel v2.2 based solution.

The initial udp packet from the amanda server on internal lan to the
amanda client on the external lan gets there, but is masqueraded to a
high port by the firewall. So, the amandad on the client says:
ERROR: client.dom.tld : [host router.dom.tld: port 64781 not secure]

As far as I can figure out there isn't a way for me to prevent the
source port from being masqueraded using ipchains. Please correct me if
I am wrong.

-- 
Eric Dantan Rzewnicki  |  Systems Administrator
Technical Operations Division  |  Radio Free Asia
2025 M Street, NW  |  Washington, DC 20036  |  202-530-4900
CONFIDENTIAL COMMUNICATION
This e-mail message is intended only for the use of the addressee and
may contain information that is privileged and confidential. Any 
unauthorized dissemination, distribution, or copying is strictly 
prohibited. If you receive this transmission in error, please contact
network AT rfa DOT org.
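
An added example (not part of the thread, and not amanda's own code) that models the failure the post describes: amandad only accepts a UDP request whose source port is a reserved port (1-1023), and ipchains masquerading rewrites the source address and port of the packet as it leaves the firewall, so the request arrives from the router on a high port and is rejected with the error quoted above. The host names, the server's source port 1021 and the masqueraded port are constructed values; 64781 is taken from the quoted error line.

```python
import re
from typing import Optional, Tuple

PRIVILEGED_PORT_MAX = 1023  # ports 1..1023 may only be bound by root

# Matches the amandad error quoted in the post:
# "ERROR: client.dom.tld : [host router.dom.tld: port 64781 not secure]"
AMANDAD_ERROR_RE = re.compile(
    r"ERROR:\s*(?P<client>\S+)\s*:\s*\[host (?P<host>[^\s:]+):\s*port (?P<port>\d+) not secure\]"
)


def is_privileged_port(port: int) -> bool:
    """True when only root could have bound the port, which is what amandad insists on."""
    return 0 < port <= PRIVILEGED_PORT_MAX


def amandad_check(client: str, src_host: str, src_port: int) -> Optional[str]:
    """Hypothetical model of the source-port check amandad applies to an incoming
    UDP request (illustration only, not amanda's code). Returns None when the
    request is acceptable, otherwise an error string in the format the post quotes."""
    if not is_privileged_port(src_port):
        return f"ERROR: {client} : [host {src_host}: port {src_port} not secure]"
    return None


def ipchains_masquerade(src_host: str, src_port: int, router: str, masq_port: int) -> Tuple[str, int]:
    """Model of ipchains masquerading: the packet leaves with the router's address
    and a kernel-chosen high port, whatever the original source port was.
    masq_port is supplied by the caller here (constructed value)."""
    return router, masq_port


def parse_amandad_error(line: str) -> Optional[dict]:
    """Pull client, reported source host and port out of an amandad error line
    and record whether that port would have satisfied the reserved-port rule."""
    m = AMANDAD_ERROR_RE.search(line)
    if m is None:
        return None
    port = int(m.group("port"))
    return {
        "client": m.group("client"),
        "host": m.group("host"),
        "port": port,
        "privileged": is_privileged_port(port),
    }


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Same request, once delivered directly and once through the masquerading firewall."""
    client, server, router = "client.dom.tld", "amanda.dom.tld", "router.dom.tld"  # constructed
    server_port = 1021  # the amanda server sends its request from a reserved port
    direct = amandad_check(client, server, server_port)
    nat_host, nat_port = ipchains_masquerade(server, server_port, router, 64781)
    via_nat = amandad_check(client, nat_host, nat_port)
    return direct, via_nat


if __name__ == "__main__":
    direct, via_nat = demo()
    print("direct:", direct)
    print("via ipchains masquerade:", via_nat)
    print(parse_amandad_error(via_nat))
```

The direct request passes, the masqueraded one produces exactly the error line from the post. Running a client's amandad log through `parse_amandad_error` separates this NAT symptom (a high port reported from the firewall's address) from a genuine request arriving from an unexpected host.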
