Amanda-Users

Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:

2006-02-14 11:24:04
Subject: Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
From: Paul Bijnens <paul.bijnens AT xplanation DOT com>
To: chuck AT smtl.co DOT uk
Date: Tue, 14 Feb 2006 17:19:32 +0100
On 02/14/2006 04:56 PM, Chuck Amadi Systems Administrator wrote:

I have just edited my firewall and added an ipchains rule but I still got
an error as below:

Amanda Backup Client Hosts Check
--------------------------------
ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]


This seems to be a result of the NAT in ipchains:
it changes the source port to something over 60000.

However, why is the name "fw.smtl.co.uk"?  I did not know that
ipchains uses NAT for traffic to the firewall itself too?
Make really really sure that the amandaserver does bind to a port
from the udp-port range:
  In one window start as root:
  # tcpdump port 10080

  In another window, do the "amcheck".
And verify that the port on the amandaserver is one from 1001-1009.
This could also happen when amcheck lost the suid root bit
(but I believe that it would complain about that before you get
that far).

A possible workaround here is to recompile the
software on the client to not fail on a "non secure" port.

That notion of "secure port" (ports < 1024 require root
privilege to open) is these days not a strong
security check anyway, when anyone can install a workstation
or boot from a live-CD and be root to open any port < 1024.


I have setup my fw rules as below:

# Amanda Client - Enterprise random udp forks to Nemesis Server
# Server's UDP source ports (compiled-in --with-udpportrange) to the client
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 1001:1009 -j ACCEPT

# Amanda service ports (amanda, amandaidx, amidxtape and the next port)
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 10080:10083 -j ACCEPT

Outgoing packets are allowed from behind our firewall and all forwarded
to our main file server, which is the same server as the amanda backup tape
server.


I do not remember anymore, but maybe there is a possibility
to not do NAT for a certain portrange/host ?



I re compiled amanda client as below:

./configure --with-user=amanda --with-group=disk \
    --with-configdir=/etc/amanda --with-udpportrange=1001,1009 \
    --with-tcpportrange=11000,11300


--
Paul Bijnens, xplanation Technology Services        Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/          email:  Paul.Bijnens AT xplanation DOT com
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************
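The verification Paul suggests above (watch `tcpdump port 10080` while amcheck runs and confirm the server's source port is a reserved port from the compiled-in 1001-1009 range, not a NAT-rewritten one above 60000), as an added example that is not part of this thread and not Amanda's own code. It parses constructed tcpdump summary lines and reports, for every datagram aimed at the client's port 10080, whether the source port would pass the client's "secure port" test. The hostnames, timestamps and the exact tcpdump line layout are assumptions; the 61000 threshold used to label a port as masquerade-rewritten is an assumption too, used only for the verdict text.

```python
import re

# Range the client in this thread was built with (--with-udpportrange=1001,1009).
UDP_PORT_RANGE = (1001, 1009)
# Amanda's classic "secure port" rule: the peer must come from a reserved port.
RESERVED_PORT_MAX = 1023
# Assumption: Linux 2.2 masquerading rewrote source ports to 61000 and above;
# used here only to label the probable cause of a failure.
MASQ_PORT_MIN = 61000
AMANDA_CLIENT_PORT = 10080

# tcpdump summary line: "<time> [IP ]<src>.<sport> > <dst>.<dport>: ..."
# Both the old "udp 120" and the newer "IP ... UDP, length 120" styles match.
LINE_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):"
)


def classify_port(sport):
    """Verdict on a source port as the Amanda client would judge it."""
    lo, hi = UDP_PORT_RANGE
    if lo <= sport <= hi:
        return "ok"
    if sport <= RESERVED_PORT_MAX:
        # Passes the < 1024 test but is not what the server was built to use.
        return "reserved-but-outside-range"
    if sport >= MASQ_PORT_MIN:
        # Typical of a NAT/masquerade rewrite on the way through the firewall.
        return "rewritten-by-masquerade"
    return "not-secure"


def check_tcpdump(lines, client_port=AMANDA_CLIENT_PORT):
    """Return (src_host, src_port, verdict) for each datagram sent to client_port.

    Replies from the client back to the server are ignored; only the
    direction the client's secure-port check applies to is examined.
    """
    results = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m.group("dport")) != client_port:
            continue
        sport = int(m.group("sport"))
        results.append((m.group("src"), sport, classify_port(sport)))
    return results


# Constructed sample capture (not a real trace): one healthy request, its
# reply, one request that went through masquerading, one unreserved port.
SAMPLE_CAPTURE = """\
17:19:32.104512 server.my.co.uk.1003 > client.my.co.uk.10080: udp 120
17:19:32.105001 client.my.co.uk.10080 > server.my.co.uk.1003: udp 64
17:19:40.221870 fw.my.co.uk.62679 > client.my.co.uk.10080: udp 120
17:19:41.000123 server.my.co.uk.1025 > client.my.co.uk.10080: udp 120
""".splitlines()


if __name__ == "__main__":
    for host, port, verdict in check_tcpdump(SAMPLE_CAPTURE):
        print(f"{host}:{port} -> {verdict}")
```

Run it against a saved capture with `tcpdump -n port 10080 > cap.txt` and feed the file's lines to `check_tcpdump`; a verdict of `rewritten-by-masquerade` on the firewall's own name is exactly the symptom in this thread, while `reserved-but-outside-range` points at the server not binding from its compiled-in range.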