Paul Bijnens wrote:
On 02/14/2006 04:56 PM, Chuck Amadi Systems Administrator wrote:
I have just edited my firewall and added a ipchain rule but I still got
an error as below:
Amanda Backup Client Hosts Check
--------------------------------
ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]
This seems to be a result of the NAT in ipchains:
it changes the source port to something over 60000.
Here is my take on the scenario:
let's concentrate on the amdump part for the time being.
1) your Amanda Backup server is a package from SuSE, cannot be recompiled.
So first you need to find out if --with-udpportrange is compiled in
with the SuSE package. To find out, do:
amadmin configname version |grep --with-udpportrange
If --with-udpportrange is compiled in, you need to make sure the
Amanda Backup server can use those ports to connect to the Amanda Backup
client.
>> ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]
this indicates that the server is trying to connect to the client using
udp port 62679.
2) there could be a NAT issue, but we need to resolve 1) first.
--Kevin
However, why is the name "fw.smtl.co.uk"? I did not know that
ipchains uses NAT for traffic to the firewall itself too?
Make really really sure that the amandaserver does bind to a port
from the udp-port range:
In one window start as root:
# tcpdump port 10080
In another window, do the "amcheck".
And verify that the port on the amandaserver is one from 1001-1009.
This could also happen when amcheck lost the suid root bit
(but I believe that it would complain about that before you get
that far).
A possible workaround here is to recompile the
software on the client to not fail on a "non secure" port.
That notion of "secure port" (ports < 1024 require root
privilege to open), is in these days not a strong
security check anyway, where anyone can install a workstation
or boot from a live-CD and be root to open any port < 1024.
I have setup my fw rules as below:
# Amanda Client - Enterprise random udp forks to Nemesis Server
################################################################
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 1001:1009 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 10080:10083 -j ACCEPT
Outgoing packets are allowed from behind our firewall and all forwarded
to our main file server that is the same server for amanda backup tape
server.
I do not remember anymore, but maybe there is a possibility
to not do NAT for a certain portrange/host ?
I recompiled amanda client as below:
./configure --with-user=amanda --with-group=disk \
  --with-configdir=/etc/amanda --with-udpportrange=1001,1009 \
  --with-tcpportrange=11000,11300
--
Thank you!
Kevin Till
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
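The tcpdump check Paul describes (watch port 10080 while amcheck runs and confirm the server's source port falls inside the compiled-in 1001-1009 range) can be automated over a saved capture. The script below is an added example written for this thread; it is not code from the Amanda project. The tcpdump lines and the 198.51.100.1 firewall address are constructed sample data, and the 1001-1009 range and the "port 62679 not secure" text are taken from the messages above. It tags each request packet's source port as in-range, privileged-but-outside-range, or unprivileged (which is what the client rejects as "not secure", and what a NAT rewrite to a port over 60000 produces), and it pulls host and port out of the amcheck error line so the two can be compared.

```python
"""Audit the UDP source ports an Amanda server uses against the client's
compiled-in --with-udpportrange, using lines captured with tcpdump.

Added example for this mailing-list thread, not Amanda project code.
All sample input below is constructed."""
import re

# Constructed sample of what `tcpdump port 10080` might print while amcheck
# runs: one packet from a server port inside the range, the reply, and one
# packet whose source was rewritten by NAT on the firewall (198.51.100.1).
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 193.0.2.10.1005 > 10.0.0.5.10080: UDP, length 112
12:00:01.000456 IP 10.0.0.5.10080 > 193.0.2.10.1005: UDP, length 260
12:00:02.000002 IP 198.51.100.1.62679 > 10.0.0.5.10080: UDP, length 112
"""

# The amcheck error quoted in the thread.
SAMPLE_AMCHECK = "ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]"

TCPDUMP_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP")
AMCHECK_RE = re.compile(r"host (?P<host>\S+): port (?P<port>\d+) not secure")


def udp_requests(capture, amanda_port=10080):
    """Yield (src_ip, src_port) for each packet sent *to* the Amanda UDP port."""
    for line in capture.splitlines():
        m = TCPDUMP_RE.search(line)
        if m and int(m.group("dport")) == amanda_port:
            yield m.group("src"), int(m.group("sport"))


def classify_port(port, low=1001, high=1009):
    """Say how the client will judge a given source port."""
    if low <= port <= high:
        return "in-range"        # inside the compiled-in udpportrange
    if port < 1024:
        return "privileged"      # passes the old 'secure port' test, but not the range
    return "unprivileged"        # >= 1024: the client reports 'not secure'


def audit_capture(capture, low=1001, high=1009):
    """Map (src_ip, src_port) -> classification for every request in the capture."""
    return {(ip, port): classify_port(port, low, high)
            for ip, port in udp_requests(capture)}


def parse_amcheck_error(line):
    """Extract (host, port) from an amcheck 'port N not secure' error, else None."""
    m = AMCHECK_RE.search(line)
    return (m.group("host"), int(m.group("port"))) if m else None


if __name__ == "__main__":
    for (ip, port), verdict in audit_capture(SAMPLE_TCPDUMP).items():
        print(f"{ip}:{port} -> {verdict}")
    host, port = parse_amcheck_error(SAMPLE_AMCHECK)
    print(f"amcheck complained about {host} port {port}: {classify_port(port)}")
```

Feed it real output from `tcpdump -n port 10080` (the `-n` keeps addresses numeric so the regex matches) and compare the source address of any "unprivileged" entry with the host named in the amcheck error: if both point at the firewall rather than the backup server, the port was rewritten in transit rather than chosen outside the range by amcheck itself.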