On 2006-02-20 12:12, Chuck Amadi Systems Administrator wrote:
Hi Paul
I just want my server that is the other side of my Lan which of cause is
where the tape server resides which is separated by my ipchains
firewall. To allow responses from the server through the firewall to my
tape server.
I have re compiled with the UDP and TCP portrange switch and edit the
common-src/security.c file with the "1 ||" within line 232 if statement.
When I run tcpdump port 10080 on the server and then in another window
on the tape server amcheck DailySet1 I see on the server that insecure
port >60000 is still being used and not the one I defined when I re
compiled amanda client using port range and commn-src/security.c file.
Of course that is expected: the Network Address Translation in the
firewall changes your restricted udp-range to a port range > 60000.
But the "1 ||" string that you added in line 232, makes this not
a fatal error. Now the client should accept such a port, even if the
source port seems to be insecure.
So, explain me again, what is wrong now.
If you still have a client complaining about a non-secure port, then
you had a problem with recompiling that client software.
Any other suggestions other than migrating the firewall to iptable which
I will don eventually after a lot of other things on my to do list.
Cheers
On Fri, 2006-02-17 at 13:26 +0100, Paul Bijnens wrote:
On 2006-02-17 13:23, Chuck Amadi Systems Administrator wrote:
As you stated it's still forking to the firewall ipnumber and not the
tape server.
("...forking..." ??? I'm afraid I don't understand that word in
this context...)
Yes, as expected, the client sees the request coming from the
NAT-firewall itself, but is that a problem?
Cheers for your help
On Thu, 2006-02-16 at 17:52 +0100, Paul Bijnens wrote:
On 02/16/2006 05:02 PM, Chuck Amadi Systems Administrator wrote:
Hi List sorry for the continuous cries for help.
Regarding Amanda and ipchains rules it didn't work Amanda client on server was
still
forking to secure ports that weren't in my udp range. I run tcpdump
port 10080 on server.
ERROR [host firewall.my.co.uk: port 64524 not secure]
So the firewall does NAT (that is why, from the client's point of view,
the ipnumber is the firewall itself, and not the amanda server, and the
portnumber is >60000).
So, as already said, you should patch the client amanda software only
for that host (i.e. no need to install that version on any other machine
or amanda server), to disable the check for a udp source port < 1024:
For amanda 2.4.5p1, edit the file common-src/security.c:
You find this section:
229
230 /* next, make sure the remote port is a "reserved" one */
231
232 if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
233 ap_snprintf(number, sizeof(number), "%d",
ntohs(addr->sin_port));
234 *errstr = vstralloc("[",
235 "host ", remotehost, ": ",
236 "port ", number, " not secure",
237 "]", NULL);
238 amfree(remotehost);
239 return 0;
240 }
and make test test succeed always, by changing line 232:
232 if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) {
i.e. add the "1 ||" string to the if statement.
--
Paul Bijnens, xplanation Technology Services Tel +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512
http://www.xplanation.com/ email: Paul.Bijnens AT xplanation DOT com
***********************************************************************
* I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ... "Are you sure?" ... YES ... Phew ... I'm out *
***********************************************************************
|
