Amanda-Users

Re: port NNNN not secure(newbie)

2006-07-10 19:48:31
Subject: Re: port NNNN not secure(newbie)
From: Frank Smith <fsmith AT hoovers DOT com>
To: Mike Allen <mallen AT familyradio DOT org>
Date: Mon, 10 Jul 2006 17:42:25 -0500
Mike Allen wrote:
> Jon LaBadie wrote:
>> On Mon, Jul 10, 2006 at 02:38:31PM -0700, Mike Allen wrote:
>>> Jon LaBadie wrote:
>>>> On Mon, Jul 10, 2006 at 10:33:27AM -0700, Mike Allen wrote:
>>>>> I'm using Amanda 2.4.5 with FreeBSD 5.4.
>>>>>
>>>>> 1.  Backups on the NATed side of our firewall work fine.
>>>>>
>>>>> 2.  Our tape server is on the NATed side of firewall.
>>>>>
>>>>> 3.  Backups through the firewall fail when I run AMCHECK.
>>>>>    The error message is port NNNN not secure.
>>>>>
>>>>> I have attempted to research the environment variables 'tcpportrange',
>>>>> 'udpportrange' and 'portrange' and configure our firewall appropriately,
>>>>> but with no success.
>>>>>
>>>>> Please tell me what I am doing wrong.  Any help would be appreciated.
>>>>>
>>>> There are some user-supplied responses to that question in the FAQ-o-matic:
>>>>
>>>>    http://amanda.sourceforge.net/fom-serve/cache/14.html
>>>>
>>>> See if any of them apply.
>>>>
>>>> Other info might be available at zmanda.com
>>>>
>>> Jon:
>>>
>>> Thanks for your reply. I had previously checked out Faq-O-Matic and
>>> found nothing new or useful to me for this problem. The problem may be
>>> in my perceptions about this problem.
>>>
>>> Regarding the file 'site.config': I would like to know the difference
>>> between the 'portrange' parameter and the 'tcpportrange' parameter.
>>> Am I supposed to use both? Does 'tcpportrange' override 'portrange',
>>> or what?
>>>
>>> I am afraid that much 'handholding' may be required to get me over this 
>>> problem!
>>>
>> IIRC (I've not used port specification) portrange is the old synonym
>> for tcpportrange.  Assuming I'm correct, don't use portrange.
>>
>> But do use BOTH udpportrange and tcpportrange.
>>
>> Again, suggested by someone who has not used them.

Mine is built with:
--with-tcpportrange=40000,40030 --with-udpportrange=920,940
I believe the tcp ports must be >1024 and the udp ports <1024
or you will get various errors and/or warnings.  You might want
to read the PORT.USAGE file in the docs directory to get an idea
of how big a range you will need.

>>
>> jl
> Assuming I have configured the TAPEHOST correctly using both
> 'tcpportrange' and 'udpportrange', do I do the identical configuration
> on the CLIENT with respect to 'tcpportrange' and 'udpportrange'?

Yes, they both need to be configured the same or they won't talk
to each other.

> I cannot find anything about this in the documentation.
> 
> I had another thought: I am using a Netgear model FSV338 for my
> firewall. (I use the appropriate settings for port-forwarding.)
> Could this be the problem?

A potential problem, depending on how it's configured.  Keep in
mind that unless the firewall is Amanda aware it may block the
reverse connections from the client that go to different ports
on the server than the ones the server initially used.  That is
the purpose of the portrange configuration, to limit the number
of ports you need to open on your firewall between client and
server.  iptables (netfilter) has a module that is Amanda-aware
and can allow the reverse connections as a 'related' match, even
if you don't use portrange.

> 
> How can I check this out?

Besides looking in the Amanda logs for timeouts on client and server,
tcpdump or other packet capturing tools will show what is happening
where.

Frank

> 
> Mike
> 


-- 
Frank Smith                                      fsmith AT hoovers DOT com
Sr. Systems Administrator                       Voice: 512-374-4673
Hoover's Online                                   Fax: 512-374-4501
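
The firewall rules Frank describes, written out as an added example that is not part of the thread and not Amanda's own code. It assumes a Linux/netfilter firewall running on (or routing for) the tape server, built with the ranges quoted above (--with-tcpportrange=40000,40030 --with-udpportrange=920,940), and the constructed addresses 192.0.2.10 (tape server) and 198.51.100.20 (client). The three flows it opens are the server's UDP request from the reserved range to udp/10080 on the client, amandad's UDP reply back to that reserved port, and the client's reverse TCP connections to the server's tcpportrange. The second function shows the alternative Frank mentions, letting the netfilter amanda helper mark the reverse connections RELATED; the `-j CT --helper amanda` binding is needed on kernels 4.7 and later, where helpers are no longer auto-assigned. The third function builds the tcpdump filter to watch both directions while amcheck runs. IPT defaults to `echo iptables` so the script can be reviewed without root; a NAT box in between (such as the Netgear in the thread) must forward the same ports to the server.

```shell
#!/bin/sh
# Added example for the Amanda port-range / firewall discussion above.
# Not from the mailing-list thread or the Amanda project.
# Addresses 192.0.2.10 and 198.51.100.20 are constructed for illustration.

# Default to printing the rules; run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

AMANDA_UDP=10080          # amandad on the client (udp/amanda)
UDP_RANGE="920:940"       # server's reserved source ports (udpportrange)
TCP_RANGE="40000:40030"   # server's listening data ports (tcpportrange)

# Rules for a firewall on the tape server, using the configured ranges.
# $1 = tape server address, $2 = client address
amanda_server_rules() {
    server="$1"; client="$2"
    # 1. Server -> client: the amcheck/amdump request leaves from a
    #    reserved (<1024) source port and goes to udp/10080 on the client.
    $IPT -A OUTPUT -p udp -s "$server" --sport "$UDP_RANGE" \
        -d "$client" --dport "$AMANDA_UDP" -j ACCEPT
    # 2. Client -> server: amandad answers back to that reserved port.
    $IPT -A INPUT -p udp -s "$client" --sport "$AMANDA_UDP" \
        -d "$server" --dport "$UDP_RANGE" -j ACCEPT
    # 3. Client -> server: the reverse TCP connections for the data,
    #    message and index streams land on the tcpportrange ports.
    $IPT -A INPUT -p tcp -s "$client" -d "$server" --dport "$TCP_RANGE" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

# Alternative without relying on the ranges: let the netfilter amanda
# helper (ip_conntrack_amanda / nf_conntrack_amanda) track the UDP request
# and admit the client's reverse connections as RELATED.
amanda_helper_rules() {
    server="$1"; client="$2"
    # Linux 4.7+ no longer auto-assigns helpers, so bind it explicitly.
    $IPT -t raw -A OUTPUT -p udp -s "$server" -d "$client" \
        --dport "$AMANDA_UDP" -j CT --helper amanda
    $IPT -A OUTPUT -p udp -s "$server" -d "$client" \
        --dport "$AMANDA_UDP" -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# tcpdump filter covering every flow amcheck should produce with a client,
# e.g.:  tcpdump -ni eth0 "$(amanda_capture_filter 198.51.100.20)"
amanda_capture_filter() {
    client="$1"
    printf 'host %s and (udp port %s or udp portrange %s or tcp portrange %s)' \
        "$client" "$AMANDA_UDP" \
        "$(echo "$UDP_RANGE" | tr : -)" "$(echo "$TCP_RANGE" | tr : -)"
}

# Review the generated rules (prints only, since IPT defaults to echo).
amanda_server_rules 192.0.2.10 198.51.100.20
amanda_helper_rules 192.0.2.10 198.51.100.20
```

If a run of amcheck still times out with these rules in place, the capture filter above shows which leg is missing: a request with no reply means the UDP path is blocked, a reply followed by SYNs with no SYN-ACK means the TCP reverse connections are being dropped on the server side.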
