Amanda-Users

Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:

2006-02-16 07:49:00
Subject: Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
From: Chuck Amadi Systems Administrator <chuck AT smtl.co DOT uk>
To: Amanda List <amanda-users AT amanda DOT org>
Date: Thu, 16 Feb 2006 12:39:20 +0000
Hi

Yesterday someone posted an amadmin command to egrep
--with-udpportrange=NNNN,NNNN
so I can check my tape server.

Please could you resend the amadmin ConfigName | egrep -i
--with-udpportrange=1001,1009
or something like that, thanks.

amadmin <conf> <command> {<args>} ...


I also ran tcpdump port 10080 on the amanda client and then on the
amanda tape server during amcheck ConfigName, and I could see that the port
on my main tape server was 957, which is a privileged port.

The port was not in the 1001-1009 range on the amanda tape server.

Cheers


On Tue, 2006-02-14 at 17:19 +0100, Paul Bijnens wrote:
> On 02/14/2006 04:56 PM, Chuck Amadi Systems Administrator wrote:
> > 
> > I have just edited my firewall and added a ipchain rule but I still got
> > an error as below:
> > 
> > Amanda Backup Client Hosts Check
> > --------------------------------
> > ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]
> 
> 
> This seems to be a result of the NAT in ipchains:
> it changes the source port to something over 60000.
> 
> However, why is the name "fw.smtl.co.uk"?  I did not know that
> ipchains uses NAT for traffic to the firewall itself too?
> Make really really sure that the amandaserver does bind to a port
> from the udp-port range:
>    In one window start as root:
>    # tcpdump port 10080
> 
>    In another window, do the "amcheck".
> And verify that the port on the amandaserver is one from 1001-1009.
> This could also happen when amcheck lost the suid root bit
> (but I believe that it would complain about that before you get
> that far).
> 
> A possible workaround here is to recompile the
> software on the client to not fail on a "non secure" port.
> 
> That notion of "secure port" (ports < 1024 require root
> privilege to open) is not a strong security check these days
> anyway, when anyone can install a workstation
> or boot from a live-CD and be root to open any port < 1024.
> 
> 
> > I have set up my fw rules as below:
> > 
> > # Amanda Client - Enterprise random udp forks to Nemesis Server 
> > ################################################################
> > ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 1001:1009 -j ACCEPT
> > 
> > ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 10080:10083 -j ACCEPT
> > 
> > Outgoing packets are allowed from behind our firewall and all forwarded
> > to our main file server, which is the same server as the amanda backup tape
> > server.
> 
> 
> I do not remember anymore, but maybe there is a possibility
> to not do NAT for a certain port range/host?
> 
> 
> > 
> > I recompiled the amanda client as below:
> > 
> > ./configure --with-user=amanda --with-group=disk \
> >   --with-configdir=/etc/amanda --with-udpportrange=1001,1009 \
> >   --with-tcpportrange=11000,11300
> 
> 
-- 
Unix/ Linux Systems Administrator
Chuck Amadi
The Surgical Material Testing Laboratory (SMTL), 
Princess of Wales Hospital 
Coity Road 
Bridgend, 
United Kingdom, CF31 1RQ.
Email chuck.smtl.co.uk
Tel: +44 1656 752820 
Fax: +44 1656 752830
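As an added example (mine, not from anyone in the thread): a small Python checker for the tcpdump verification step Paul describes. It parses the lines a `tcpdump port 10080` capture prints and classifies each request to amandad by the rule behind the error message (source port below 1024) and by the udpportrange the server was built with, so a NAT-rewritten source port stands out as the cause. The line format, addresses and ports in the sample capture are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One datagram as summarised by "tcpdump -nn port 10080" (numeric hosts and ports);
# the "IP " prefix is not required, so older and newer tcpdump output both match.
_UDP_LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): *udp", re.IGNORECASE)
AMANDA_UDP_PORT = 10080    # amandad's UDP service port (what the thread captures)
IPPORT_RESERVED = 1024     # ports below this need root to bind: amandad's "secure" test

@dataclass
class Verdict:
    src: str
    sport: int
    secure: bool      # sport < 1024; False is what produces "port N not secure"
    in_range: bool    # sport inside the --with-udpportrange the server was built with
    rewritten: bool   # unprivileged and outside the range: NAT, or a build without a range

def check_request(line: str, udp_range=(1001, 1009)) -> Optional[Verdict]:
    """Classify one captured datagram sent to amandad; None if the line is not one."""
    m = _UDP_LINE.search(line)
    if not m or int(m.group("dport")) != AMANDA_UDP_PORT:
        return None
    sport = int(m.group("sport"))
    lo, hi = udp_range
    in_range = lo <= sport <= hi
    return Verdict(m.group("src"), sport, sport < IPPORT_RESERVED, in_range,
                   sport >= IPPORT_RESERVED and not in_range)

def audit_capture(lines: List[str], udp_range=(1001, 1009)) -> List[Verdict]:
    """Verdicts for every request to amandad in a capture; replies and noise are skipped."""
    return [v for v in (check_request(l, udp_range) for l in lines) if v]

# Constructed capture (not from the thread) covering its three cases: a privileged
# port outside the range (957), an in-range port, and a NAT-rewritten high port.
SAMPLE_CAPTURE = [
    "12:39:20.101 IP 192.0.2.10.957 > 192.0.2.20.10080: UDP, length 120",
    "12:39:21.202 IP 192.0.2.10.1003 > 192.0.2.20.10080: UDP, length 120",
    "12:39:22.303 IP 198.51.100.1.62679 > 192.0.2.20.10080: UDP, length 120",
    "12:39:22.404 IP 192.0.2.20.10080 > 198.51.100.1.62679: UDP, length 64",
]

if __name__ == "__main__":
    for v in audit_capture(SAMPLE_CAPTURE):
        state = "accepted" if v.secure else "REJECTED: port not secure"
        print(f"{v.src}:{v.sport} in_range={v.in_range} rewritten={v.rewritten} -> {state}")
```

A port that is reported as secure but not in_range (like the 957 in the thread) means the server is not binding inside its configured udpportrange even though amandad still accepts it; rewritten=True on the client side is the NAT case.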