On 02/14/2006 04:56 PM, Chuck Amadi Systems Administrator wrote:
> I have just edited my firewall and added an ipchain rule but I still got
> an error as below:
> Amanda Backup Client Hosts Check
> --------------------------------
> ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]
This seems to be a result of the NAT in ipchains:
it changes the source port to something over 60000.
However, why is the name "fw.smtl.co.uk"? I did not know that
ipchains uses NAT for traffic to the firewall itself too?
Make really really sure that the amandaserver does bind to a port
from the udp-port range:
In one window start as root:
# tcpdump port 10080
In another window, do the "amcheck".
And verify that the port on the amandaserver is one from 1001-1009.
This could also happen when amcheck lost the suid root bit
(but I believe that it would complain about that before you get
that far).
A possible workaround here is to recompile the
software on the client to not fail on a "non secure" port.
That notion of "secure port" (ports < 1024 require root
privilege to open) is in these days not a strong
security check anyway, where anyone can install a workstation
or boot from a live-CD and be root to open any port < 1024.
> I have setup my fw rules as below:
> # Amanda Client - Enterprise random udp forks to Nemesis Server
> ################################################################
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX
> 1001:1009 -j ACCEPT
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX
> 10080:10083 -j ACCEPT
> Outgoing packets are allowed from behind our firewall and all forwarded
> to our main file server that is the same server for amanda backup tape
> server
I do not remember anymore, but maybe there is a possibility
to not do NAT for a certain portrange/host ?
> I recompiled amanda client as below:
> ./configure --with-user=amanda --with-group=disk
> --with-configdir=/etc/amanda --with-udpportrange=1001, 1009
> --with-tcpportrange=11000, 11300
--
Paul Bijnens, xplanation Technology Services Tel +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512
http://www.xplanation.com/ email: Paul.Bijnens AT xplanation DOT com
***********************************************************************
* I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ... "Are you sure?" ... YES ... Phew ... I'm out *
***********************************************************************
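The tcpdump verification Paul describes (check that requests arriving at the amanda client port come from a source port in the configured udp range) as an added example that is not part of this thread: a small script that classifies each request seen in a "tcpdump port 10080" capture. The capture lines, host names, and the 1001-1009 range are constructed or taken from the messages above.

```python
import re

# Constructed sample of "tcpdump port 10080" output (not a real capture).
# Line 1: a normal request from the amanda server using a port in the range.
# Line 2: the reply from the client (destination port is not 10080, ignored).
# Line 3: the same request after NAT on the firewall rewrote host and port.
SAMPLE_CAPTURE = """\
16:02:11.100 IP server.my.co.uk.1005 > client.my.co.uk.10080: UDP, length 86
16:02:11.102 IP client.my.co.uk.10080 > server.my.co.uk.1005: UDP, length 120
16:02:40.500 IP fw.smtl.co.uk.62679 > client.my.co.uk.10080: UDP, length 86
"""

# Matches the "IP host.sport > host.dport: UDP" part of a tcpdump line.
LINE_RE = re.compile(
    r"IP (?P<src>[\w.-]+)\.(?P<sport>\d+) > (?P<dst>[\w.-]+)\.(?P<dport>\d+): UDP"
)


def classify_source_ports(capture, udp_range=(1001, 1009), amanda_port=10080):
    """Return (source host, source port, verdict) for each request to amandad.

    Verdicts: 'ok' (port inside the configured --with-udpportrange),
    'not-secure' (port >= 1024, which is what amandad rejects and what a
    NAT rewrite to a port over 60000 produces), or
    'privileged-but-outside-range' (< 1024 but not the configured range).
    """
    lo, hi = udp_range
    verdicts = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) != amanda_port:
            continue  # only requests towards the amanda client port matter
        sport = int(m["sport"])
        if lo <= sport <= hi:
            verdict = "ok"
        elif sport >= 1024:
            verdict = "not-secure"
        else:
            verdict = "privileged-but-outside-range"
        verdicts.append((m["src"], sport, verdict))
    return verdicts


if __name__ == "__main__":
    for src, sport, verdict in classify_source_ports(SAMPLE_CAPTURE):
        print(f"{src}:{sport} -> {verdict}")
```

A request whose source host is the firewall rather than the amanda server, combined with a 'not-secure' verdict, is the NAT rewrite discussed above.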