Amanda-Users

Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:

2006-02-20 06:20:22
Subject: Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
From: Chuck Amadi Systems Administrator <chuck AT smtl.co DOT uk>
To: Amanda List <amanda-users AT amanda DOT org>
Date: Mon, 20 Feb 2006 11:12:05 +0000
Hi Paul

I just want my server, which is on the other side of my LAN (which of course is
where the tape server resides) and which is separated from it by my ipchains
firewall, to allow responses from the server through the firewall to my
tape server.

I have recompiled with the UDP and TCP portrange switch and edited the
common-src/security.c file with the "1 ||" within the line 232 if statement.

When I run tcpdump port 10080 on the server and then, in another window
on the tape server, amcheck DailySet1, I see on the server that an insecure
port >60000 is still being used and not the one I defined when I
recompiled the amanda client using the port range and common-src/security.c file.

Any other suggestions other than migrating the firewall to iptables, which
I will do eventually after a lot of other things on my to-do list?

Cheers
On Fri, 2006-02-17 at 13:26 +0100, Paul Bijnens wrote:
> On 2006-02-17 13:23, Chuck Amadi Systems Administrator wrote:
> > 
> > As you stated it's still forking to the firewall ipnumber and not the
> > tape server.
> 
> ("...forking..." ???    I'm afraid I don't understand that word in
> this context...)
> 
> Yes, as expected, the client sees the request coming from the 
> NAT-firewall itself, but is that a problem?
> 
> 
> > 
> > Cheers for your help
> > 
> > On Thu, 2006-02-16 at 17:52 +0100, Paul Bijnens wrote:
> >> On 02/16/2006 05:02 PM, Chuck Amadi Systems Administrator wrote:
> >>> Hi List sorry for the continuous cries for help.
> >>>
> >>> Regarding Amanda and ipchains rules it didn't work. The Amanda client on
> >>> the server was still
> >>> forking to secure ports that weren't in my udp range. I ran tcpdump
> >>> port 10080 on the server.
> >>> ERROR [host firewall.my.co.uk: port 64524 not secure]
> >> So the firewall does NAT (that is why, from the client's point of view,
> >> the ipnumber is the firewall itself, and not the amanda server, and the
> >> portnumber is >60000).
> >>
> >> So, as already said, you should patch the client amanda software only
> >> for that host (i.e. no need to install that version on any other machine
> >> or amanda server), to disable the check for a udp source port < 1024:
> >>
> >> For amanda 2.4.5p1, edit the file  common-src/security.c:
> >>
> >> You find this section:
> >>
> >>   229
> >>   230     /* next, make sure the remote port is a "reserved" one */
> >>   231
> >>   232     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
> >>   233         ap_snprintf(number, sizeof(number), "%d", 
> >> ntohs(addr->sin_port));
> >>   234         *errstr = vstralloc("[",
> >>   235                             "host ", remotehost, ": ",
> >>   236                             "port ", number, " not secure",
> >>   237                             "]", NULL);
> >>   238         amfree(remotehost);
> >>   239         return 0;
> >>   240     }
> >>
> >> and make the test succeed always, by changing line 232:
> >>
> >>   232     if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) {
> >>
> >>
> >> i.e. add the "1 ||" string to the if statement.
> >>
> 
-- 
Unix/ Linux Systems Administrator
Chuck Amadi
The Surgical Material Testing Laboratory (SMTL), 
Princess of Wales Hospital 
Coity Road 
Bridgend, 
United Kingdom, CF31 1RQ.
Email chuck.smtl.co.uk
Tel: +44 1656 752820 
Fax: +44 1656 752830
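The reserved-port check that this thread patches, as an added C example (not Amanda's own code; the peer addresses are constructed, IPPORT_RESERVED is the standard value 1024): it mirrors the test from common-src/security.c, evaluates it for the NAT-rewritten source port 62679 from the error message, and shows that prefixing the condition with "1 ||" makes it always true, so every request takes the "not secure" branch, whereas "0 &&" skips the check.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024   /* privileged-port boundary on BSD-derived stacks */
#endif

/* Mirror of the original test: the remote UDP source port must be below
 * IPPORT_RESERVED, i.e. the peer must have bound a privileged port. */
int port_is_secure(const struct sockaddr_in *addr)
{
    return ntohs(addr->sin_port) < IPPORT_RESERVED;
}

/* The check with "1 ||" prepended, as in the thread: "1 || x" is always
 * true, so the error branch (return 0, "port N not secure") is always taken. */
int patched_check_rejects(const struct sockaddr_in *addr)
{
    if (1 || ntohs(addr->sin_port) >= IPPORT_RESERVED)
        return 1;   /* rejected, error string would be built here */
    return 0;
}

/* The check with "0 &&" prepended: the condition is always false, so the
 * reserved-port requirement is skipped and any source port is accepted. */
int skipped_check_rejects(const struct sockaddr_in *addr)
{
    if (0 && ntohs(addr->sin_port) >= IPPORT_RESERVED)
        return 1;
    return 0;
}

/* Build a sockaddr_in for a constructed peer address and host-order port. */
struct sockaddr_in make_peer(const char *ip, unsigned short port)
{
    struct sockaddr_in a;
    memset(&a, 0, sizeof(a));
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    inet_pton(AF_INET, ip, &a.sin_addr);
    return a;
}

int main(void)
{
    /* After NAT the client sees the firewall's address and a high port. */
    struct sockaddr_in natted = make_peer("192.0.2.1", 62679);   /* constructed */
    struct sockaddr_in direct = make_peer("192.0.2.10", 1021);   /* constructed */
    printf("port 62679 secure: %d\n", port_is_secure(&natted));            /* 0 */
    printf("port 1021 secure: %d\n", port_is_secure(&direct));             /* 1 */
    printf("'1 ||' variant rejects 62679: %d\n", patched_check_rejects(&natted)); /* 1 */
    return 0;
}
```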