Amanda-Users

Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:

2006-02-17 07:31:54
Subject: Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
From: Chuck Amadi Systems Administrator <chuck AT smtl.co DOT uk>
To: Amanda List <amanda-users AT amanda DOT org>, Paul Bijnens <paul.bijnens AT xplanation DOT com>
Date: Fri, 17 Feb 2006 12:23:30 +0000
Hi Paul

I'm running 2.4.4p2 on my amanda clients and tape server.

Anyway, the file exists in my version. I ran make clean, then I edited the
common-src/security.c file and added the "1 ||" string to the if statement
on line 232.

Then I ran make > make clean > make install and ran it on my server client
that sits on the other side of the firewall.

./configure --with-user=amanda --with-group=disk
--with-configdir=/etc/amanda --with-uspportrange=11000,111030
--with-tcpportrange=11000,11030

Then I ran tcpdump port 10080 on the amanda client and ran amcheck Config on
the tape server.

As you stated it's still forking to the firewall ipnumber and not the
tape server.

Cheers for your help


On Thu, 2006-02-16 at 17:52 +0100, Paul Bijnens wrote:
> On 02/16/2006 05:02 PM, Chuck Amadi Systems Administrator wrote:
> > Hi List, sorry for the continuous cries for help.
> > 
> > Regarding Amanda and ipchains rules, it didn't work; the Amanda client on the server
> > was still forking to secure ports that weren't in my udp range. I ran tcpdump
> > port 10080 on the server.
> 
> > ERROR [host firewall.my.co.uk: port 64524 not secure]
> 
> So the firewall does NAT (that is why, from the client's point of view,
> the ipnumber is the firewall itself, and not the amanda server, and the
> portnumber is >60000).
> 
> So, as already said, you should patch the client amanda software only
> for that host (i.e. no need to install that version on any other machine
> or amanda server), to disable the check for a udp source port < 1024:
> 
> For amanda 2.4.5p1, edit the file common-src/security.c:
> 
> You find this section:
> 
>   229
>   230     /* next, make sure the remote port is a "reserved" one */
>   231
>   232     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>   233         ap_snprintf(number, sizeof(number), "%d", ntohs(addr->sin_port));
>   234         *errstr = vstralloc("[",
>   235                             "host ", remotehost, ": ",
>   236                             "port ", number, " not secure",
>   237                             "]", NULL);
>   238         amfree(remotehost);
>   239         return 0;
>   240     }
> 
> and make the test succeed always, by changing line 232:
> 
>   232     if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) {
> 
> 
> i.e. add the "1 ||" string to the if statement.
> 
-- 
Unix/ Linux Systems Administrator
Chuck Amadi
The Surgical Material Testing Laboratory (SMTL), 
Princess of Wales Hospital 
Coity Road 
Bridgend, 
United Kingdom, CF31 1RQ.
Email chuck.smtl.co.uk
Tel: +44 1656 752820 
Fax: +44 1656 752830
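The reserved-port check the thread is about, rebuilt as a small stand-alone C program (an added example, not Amanda's own code; the IP addresses, hostnames and `check_peer`/`remote_port_is_secure` helpers are constructed). It shows why a source port rewritten by NAT, such as the 62679 reported above, is rejected while a root-bound port below 1024 passes, and what the quoted `1 ||` edit does when applied literally: the condition becomes constant true, so the error branch runs for every request.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024   /* first non-privileged port */
#endif

/* Mirror of the reserved-port test quoted from common-src/security.c: the
 * request is accepted only if the UDP source port is below IPPORT_RESERVED,
 * the range that only root may bind on the sending host. Returns 1 when
 * accepted, 0 when rejected (error text written to errstr).
 * apply_thread_patch != 0 applies the "1 ||" edit from the thread literally. */
int remote_port_is_secure(const struct sockaddr_in *addr, const char *remotehost,
                          int apply_thread_patch, char *errstr, size_t errlen)
{
    unsigned port = ntohs(addr->sin_port);
    int reject = apply_thread_patch ? (1 || port >= IPPORT_RESERVED)
                                    : (port >= IPPORT_RESERVED);
    if (reject) {
        snprintf(errstr, errlen, "[host %s: port %u not secure]", remotehost, port);
        return 0;
    }
    errstr[0] = '\0';
    return 1;
}

/* Run the test against a constructed peer (source IP, source port, name). */
int check_peer(const char *ip, unsigned port, const char *remotehost, int apply_thread_patch)
{
    struct sockaddr_in addr;
    char errstr[128];
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons((unsigned short)port);
    inet_pton(AF_INET, ip, &addr.sin_addr);
    int ok = remote_port_is_secure(&addr, remotehost, apply_thread_patch, errstr, sizeof errstr);
    printf("%s:%u -> %s %s\n", ip, port, ok ? "accepted" : "rejected", errstr);
    return ok;
}

int main(void)
{
    /* Direct path: the amanda server's root-owned socket, source port below 1024 (constructed). */
    check_peer("192.0.2.10", 1023, "backup.example", 0);
    /* Behind NAT: the firewall rewrites the source to its own address and an
     * ephemeral port; the port number is the one reported in the thread. */
    check_peer("192.0.2.1", 62679, "fw.my.co.uk", 0);
    /* The same two packets with the quoted "1 ||" edit applied: both rejected. */
    check_peer("192.0.2.1", 62679, "fw.my.co.uk", 1);
    check_peer("192.0.2.10", 1023, "backup.example", 1);
    return 0;
}
```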