Amanda-Users

2006-02-14 13:28:57
Subject: Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
From: Kevin Till <kevin.till AT zmanda DOT com>
To: Amanda List <amanda-users AT amanda DOT org>
Date: Tue, 14 Feb 2006 10:25:54 -0800
Paul Bijnens wrote:
On 02/14/2006 04:56 PM, Chuck Amadi Systems Administrator wrote:


I have just edited my firewall and added an ipchain rule but I still got
an error as below:

Amanda Backup Client Hosts Check
--------------------------------
ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]



This seems to be a result of the NAT in ipchains:
it changes the source port to something over 60000.

Here is my take on the scenario:

let's concentrate on the amdump part for the time being.

1) Your Amanda Backup server is a package from SuSE and cannot be recompiled.
So first you need to find out if --with-udpportrange is compiled in with the SuSE package. To find out, do:
  amadmin configname version | grep -e --with-udpportrange

If --with-udpportrange is compiled in, you need to make sure the Amanda Backup server can use those ports to connect to the Amanda Backup client.

>> ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]
This indicates that the server is trying to connect to the client using udp port 62679.


2) There could be a NAT issue, but we need to resolve 1) first.


--Kevin

However, why is the name "fw.smtl.co.uk"?  I did not know that
ipchains uses NAT for traffic to the firewall itself too?
Make really really sure that the amandaserver does bind to a port
from the udp-port range:
  In one window start as root:
  # tcpdump port 10080

  In another window, do the "amcheck".
And verify that the port on the amandaserver is one from 1001-1009.
This could also happen when amcheck lost the suid root bit
(but I believe that it would complain about that before you get
that far).

A possible workaround here is to recompile the
software on the client to not fail on a "non secure" port.

That notion of "secure port" (ports < 1024 require root
privilege to open) is these days not a strong
security check anyway, when anyone can install a workstation
or boot from a live-CD and be root to open any port < 1024.


I have set up my fw rules as below:

# Amanda Client - Enterprise random udp forks to Nemesis Server ################################################################
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 1001:1009 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 10080:10083 -j ACCEPT

Outgoing packets are allowed from behind our firewall and all forwarded
to our main file server, which is the same server as the amanda backup tape
server.



I do not remember anymore, but maybe there is a possibility
to not do NAT for a certain port range/host?



I recompiled amanda client as below:

./configure --with-user=amanda --with-group=disk \
  --with-configdir=/etc/amanda --with-udpportrange=1001,1009 \
  --with-tcpportrange=11000,11300

--
Thank you!
Kevin Till

Amanda documentation: http://wiki.zmanda.com
Amanda forums:        http://forums.zmanda.com
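An added example, not part of this thread and not Amanda's own code: a POSIX shell script that automates the two checks Kevin and Paul describe above. It reads the configure options printed by `amadmin <config> version` to find the compiled-in `--with-udpportrange`, then scans lines in the shape `tcpdump port 10080` prints to flag any UDP source port that is outside that range or not below 1024, which is exactly what makes the client answer "port N not secure". The `amadmin` output line, the tcpdump lines (including the NAT-rewritten port 62679) and the function names `udp_range`, `source_port` and `bad_source_ports` are this example's own constructed samples and assumptions; the exact layout of real `amadmin` output is assumed, so adjust the `sed` pattern if yours differs.

```shell
#!/bin/sh
# Added example (not from the thread): parse the compiled-in UDP port range
# out of `amadmin <config> version` output and flag tcpdump lines whose UDP
# source port is outside that range or >= 1024, which is what makes the
# Amanda client reject the connection as "port N not secure".

# Constructed sample of `amadmin <config> version` output; a real run prints
# the configure options the server was built with (exact format is an assumption).
SAMPLE_VERSION_OUTPUT='build: VERSION="Amanda-2.4.5"
  CONFIGURE_COMMAND="./configure --with-user=amanda --with-group=disk --with-udpportrange=1001,1009 --with-tcpportrange=11000,11300"'

# Constructed lines in the shape `tcpdump port 10080` prints them: the first
# uses a reserved port from the range, the second is what a NAT rewrite looks like.
SAMPLE_CAPTURE='10:25:54.101 IP server.my.co.uk.1005 > fw.my.co.uk.10080: UDP, length 64
10:25:54.102 IP server.my.co.uk.62679 > fw.my.co.uk.10080: UDP, length 64'

# udp_range OUTPUT: print "LOW HIGH" taken from --with-udpportrange=LOW,HIGH;
# exit non-zero and print nothing when the option is not compiled in.
udp_range() {
    printf '%s\n' "$1" \
        | sed -n 's/.*--with-udpportrange=\([0-9][0-9]*\),\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1 | grep .
}

# source_port LINE: print the UDP source port of one tcpdump line
# ("time IP host.PORT > host.PORT: UDP ..."), or nothing if it does not match.
source_port() {
    printf '%s\n' "$1" | sed -n 's/^[^ ]* IP [^ ]*\.\([0-9][0-9]*\) > .*/\1/p'
}

# bad_source_ports CAPTURE LOW HIGH: print, one per line, every source port in
# CAPTURE that lies outside LOW..HIGH or is not a privileged (< 1024) port.
bad_source_ports() {
    low=$2; high=$3
    printf '%s\n' "$1" | while IFS= read -r line; do
        port=$(source_port "$line")
        [ -n "$port" ] || continue
        if [ "$port" -lt "$low" ] || [ "$port" -gt "$high" ] || [ "$port" -ge 1024 ]; then
            printf '%s\n' "$port"
        fi
    done
}

# Stand-alone run over the constructed samples.
if range=$(udp_range "$SAMPLE_VERSION_OUTPUT"); then
    set -- $range
    echo "server built with --with-udpportrange=$1,$2"
    bad=$(bad_source_ports "$SAMPLE_CAPTURE" "$1" "$2")
    if [ -z "$bad" ]; then
        echo "every UDP source port is inside $1-$2"
    else
        echo "source ports that will fail the client's secure-port check: $bad"
    fi
else
    echo "--with-udpportrange not compiled in; the server may pick any unprivileged port"
fi
```

On a real system replace the two constructed variables with `amadmin <config> version` output and a saved `tcpdump port 10080` capture taken while `amcheck` runs. A port reported by `bad_source_ports` is the one to look for in the NAT rules: if the capture on the server shows a port from the range but the client sees something over 60000, the rewrite happens in between, which is Paul's NAT explanation.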