Amanda-Users

Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:

2006-02-17 07:40:45
Subject: Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
From: Chuck Amadi Systems Administrator <chuck AT smtl.co DOT uk>
To: Amanda List <amanda-users AT amanda DOT org>, Paul Bijnens <paul.bijnens AT xplanation DOT com>
Date: Fri, 17 Feb 2006 12:36:16 +0000
Hi Paul

Nah, still getting the IP number of the firewall, not the tape server.

# tcpdump port 10080
tcpdump: listening on eth0
13:37:12.636083 firewall.my.co.uk.62374 > server.my.co.uk.amanda: udp 117 (DF)
13:37:22.740457 firewall.my.co.uk.62374 > server.my.co.uk.amanda: udp 117 (DF)
13:37:32.800639 firewall.my.co.uk.62374 > server.my.co.uk.amanda: udp 117 (DF)

Thus DF means packets are still fragmented and not getting through.

Any other ideas?

Cheers for your help


Thu, 2006-02-16 at 17:52 +0100, Paul Bijnens wrote:
> On 02/16/2006 05:02 PM, Chuck Amadi Systems Administrator wrote:
> > Hi List sorry for the continuous cries for help.
> > 
> > Regarding Amanda and ipchains rules, it didn't work: the Amanda client on
> > the server was still forking to secure ports that weren't in my udp
> > range. I ran tcpdump port 10080 on the server.
> 
> > ERROR [host firewall.my.co.uk: port 64524 not secure]
> 
> So the firewall does NAT (that is why, from the client's point of view,
> the ipnumber is the firewall itself, and not the amanda server, and the
> portnumber is >60000).
> 
> So, as already said, you should patch the client amanda software only
> for that host (i.e. no need to install that version on any other machine
> or amanda server), to disable the check for a udp source port < 1024:
> 
> For amanda 2.4.5p1, edit the file  common-src/security.c:
> 
> You find this section:
> 
>   229
>   230     /* next, make sure the remote port is a "reserved" one */
>   231
>   232     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>   233         ap_snprintf(number, sizeof(number), "%d", ntohs(addr->sin_port));
>   234         *errstr = vstralloc("[",
>   235                             "host ", remotehost, ": ",
>   236                             "port ", number, " not secure",
>   237                             "]", NULL);
>   238         amfree(remotehost);
>   239         return 0;
>   240     }
> 
> and make the test succeed always, by changing line 232:
> 
>   232     if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) {
> 
> 
> i.e. add the "1 ||" string to the if statement.
> 
-- 
Unix/ Linux Systems Administrator
Chuck Amadi
The Surgical Material Testing Laboratory (SMTL), 
Princess of Wales Hospital 
Coity Road 
Bridgend, 
United Kingdom, CF31 1RQ.
Email chuck.smtl.co.uk
Tel: +44 1656 752820 
Fax: +44 1656 752830
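The check being discussed in this thread, as an added example (this is not Amanda's own security.c and not code posted by either participant): the remote source port is compared against IPPORT_RESERVED, and a request arriving from a port >= 1024 is rejected with exactly the "[host ...: port ... not secure]" message that shows up in the log. The sample peer address reuses the port 62374 and the hostname firewall.my.co.uk from the tcpdump output above; the IP addresses, and the function names check_reserved_port, make_peer and the four scenario helpers, are this example's own assumptions. The enforce flag stands in for the source-level patch: with it cleared the check is skipped, which is the behaviour the patch is after.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024   /* ports below this need root to bind on the peer */
#endif

/* Reserved-source-port test in the style of the quoted security.c excerpt
 * (names are this example's own, not Amanda's). Returns 1 when the peer
 * used a port < IPPORT_RESERVED, i.e. a root-owned process on the remote
 * host sent the request. Returns 0 and fills errstr with the log message
 * otherwise. enforce == 0 skips the test entirely, which is what the
 * patch discussed above achieves for a NAT'd client. */
int check_reserved_port(const struct sockaddr_in *addr, const char *remotehost,
                        int enforce, char *errstr, size_t errlen)
{
    unsigned port = ntohs(addr->sin_port);

    if (enforce && port >= IPPORT_RESERVED) {
        snprintf(errstr, errlen, "[host %s: port %u not secure]",
                 remotehost, port);
        return 0;
    }
    errstr[0] = '\0';
    return 1;
}

/* Build a sockaddr_in the way recvfrom() would fill it in for a UDP peer. */
static struct sockaddr_in make_peer(const char *ip, unsigned port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

/* Constructed sample data: 192.0.2.1 stands in for firewall.my.co.uk, the
 * NAT box whose rewritten source port (62374) appears in the tcpdump above. */
#define FIREWALL_IP   "192.0.2.1"
#define FIREWALL_NAME "firewall.my.co.uk"

/* Scenario 1: the NAT'd request as seen in the thread -> rejected (0). */
int nat_peer_rejected(void)
{
    char err[128];
    struct sockaddr_in peer = make_peer(FIREWALL_IP, 62374);
    return check_reserved_port(&peer, FIREWALL_NAME, 1, err, sizeof err);
}

/* Scenario 1, the error string that ends up in the log. */
const char *nat_peer_error(void)
{
    static char err[128];
    struct sockaddr_in peer = make_peer(FIREWALL_IP, 62374);
    check_reserved_port(&peer, FIREWALL_NAME, 1, err, sizeof err);
    return err;
}

/* Scenario 2: a request that reached the client un-NAT'd, from a root-bound
 * source port on the tape server -> accepted (1). */
int direct_peer_accepted(void)
{
    char err[128];
    struct sockaddr_in peer = make_peer("192.0.2.10", 1022);
    return check_reserved_port(&peer, "server.my.co.uk", 1, err, sizeof err);
}

/* Scenario 3: the same NAT'd request with the check disabled -> accepted (1). */
int nat_peer_with_check_disabled(void)
{
    char err[128];
    struct sockaddr_in peer = make_peer(FIREWALL_IP, 62374);
    return check_reserved_port(&peer, FIREWALL_NAME, 0, err, sizeof err);
}

int main(void)
{
    printf("NAT'd peer, check on : %d  %s\n", nat_peer_rejected(), nat_peer_error());
    printf("direct peer, check on: %d\n", direct_peer_accepted());
    printf("NAT'd peer, check off: %d\n", nat_peer_with_check_disabled());
    return 0;
}
```

Two things worth keeping in mind when switching the test off on the NAT'd client: the reserved-port test is only a weak authenticator to begin with (it proves that some root process on the sending host chose the port, nothing more), and once a NAT box rewrites the source address and port the client can no longer see who really sent the request at all. Whatever replaces the test should therefore restrict the source by address at the firewall, so that only the tape server's traffic is forwarded to the client's amanda port.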
