Amanda-Users

Re: Firewall, amanda client and ports

2007-07-18 09:20:57
Subject: Re: Firewall, amanda client and ports
From: Marc Muehlfeld <Marc.Muehlfeld AT medizinische-genetik DOT de>
To: Charles Stroom <charles AT stremen.xs4all DOT nl>
Date: Wed, 18 Jul 2007 15:16:24 +0200
Hi,

Charles Stroom wrote:
> amcheck reports no problem.

amcheck doesn't use the full source/destination port range like amdump does.



> On the client, I have opened TCP/UDP port 10080, and TCP
> ports 10082 and 10083, because I seem to have seen something like that
> when googling.

You need only 10080 on the client. 10082 (amandaidx) and 10083 (amidxtape) belong on your index/tape server.


But the server also connects to different ports. You can limit these, for a better and tighter firewall configuration, by setting --with-portrange and --with-udpportrange at configure time. I used

./configure .....  --with-portrange=50000,50150 --with-udpportrange=850,900

And on an iptables-protected machine you have to set it like this:

# UDP from the server's configured udp port range (850:900) to amandad on the client (10080)
$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
   --source $BAKSERV --destination $LAN_IP --protocol udp --sport 850:900 \
   --dport 10080 --jump ACCEPT

# new TCP connections from the server's configured port range (50000:50150) to unprivileged ports on the client
$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
   --source $BAKSERV --destination $LAN_IP --protocol tcp --syn \
   --sport 50000:50150 --dport $PORTS_UNPRIV --jump ACCEPT

# new TCP connections from unprivileged ports on the server to the client's configured port range (50000:50150)
$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
   --source $BAKSERV --destination $LAN_IP --protocol tcp --syn \
   --sport $PORTS_UNPRIV --dport 50000:50150 --jump ACCEPT

Just replace the variables with your settings/variables.


A different way is to use the specific netfilter modules for handling amanda's connections (ip_conntrack_amanda, ip_nat_amanda).


Regards
Marc


--
Marc Muehlfeld (Leitung Systemadministration)
Zentrum fuer Humangenetik und Laboratoriumsmedizin Dr. Klein und Dr. Rost
Lochhamer Str. 29 - D-82152 Martinsried
Telefon: +49(0)89/895578-0 - Fax: +49(0)89/895578-78
http://www.medizinische-genetik.de
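Added example (not from Marc's post, not Amanda's own code): a small POSIX sh script that builds the three client INPUT rules from the same configure-time port ranges (50000:50150 TCP, 850:900 UDP) and then checks which connection tuples those rules would accept. It prints the rules in iptables-save style rather than calling iptables, so they can be reviewed before loading. The addresses 192.0.2.10 / 192.0.2.20, the interface eth0 and the unprivileged range 1024:65535 used for $PORTS_UNPRIV are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the Amanda client
# firewall rules from the configure-time port ranges and lets you check
# which new connections from the backup server they would accept.
# Assumptions: PORTS_UNPRIV=1024:65535, addresses/interface below are placeholders.

TCP_RANGE="${TCP_RANGE:-50000:50150}"        # --with-portrange=50000,50150
UDP_RANGE="${UDP_RANGE:-850:900}"            # --with-udpportrange=850,900
PORTS_UNPRIV="${PORTS_UNPRIV:-1024:65535}"   # assumed unprivileged port range
AMANDAD_PORT=10080                           # amanda service on the client

# amanda_client_rules BAKSERV LAN_IP LAN_DEV
# Prints the three rules in iptables-save syntax (reviewable, or feed to
# iptables-restore) instead of executing iptables directly.
amanda_client_rules() {
    bakserv=$1 lan_ip=$2 lan_dev=$3
    common="-A INPUT -m state --state NEW -i $lan_dev -s $bakserv -d $lan_ip"
    printf '%s\n' \
        "$common -p udp --sport $UDP_RANGE --dport $AMANDAD_PORT -j ACCEPT" \
        "$common -p tcp --syn --sport $TCP_RANGE --dport $PORTS_UNPRIV -j ACCEPT" \
        "$common -p tcp --syn --sport $PORTS_UNPRIV --dport $TCP_RANGE -j ACCEPT"
}

# port_in_range PORT LOW:HIGH -> exit 0 when PORT lies inside LOW..HIGH
port_in_range() {
    low=${2%%:*} high=${2##*:}
    [ "$1" -ge "$low" ] && [ "$1" -le "$high" ]
}

# flow_allowed PROTO SPORT DPORT -> exit 0 when one of the rules above would
# ACCEPT a new connection from the backup server with that tuple
flow_allowed() {
    case $1 in
        udp) port_in_range "$2" "$UDP_RANGE" && [ "$3" -eq "$AMANDAD_PORT" ] ;;
        tcp) { port_in_range "$2" "$TCP_RANGE" && port_in_range "$3" "$PORTS_UNPRIV"; } ||
             { port_in_range "$2" "$PORTS_UNPRIV" && port_in_range "$3" "$TCP_RANGE"; } ;;
        *)   return 1 ;;
    esac
}

# Demonstration with constructed placeholder values (RFC 5737 addresses).
amanda_client_rules 192.0.2.10 192.0.2.20 eth0
for flow in "udp 860 10080" "udp 1000 10080" "tcp 50010 40000" "tcp 2000 50100" "tcp 2000 10080"; do
    set -- $flow
    if flow_allowed "$1" "$2" "$3"; then echo "allow $flow"; else echo "block $flow"; fi
done
```

The check function makes the point of the --sport matches visible: a UDP request to 10080 from a source port outside 850:900, or a TCP SYN to 10080, is not covered by these rules, so both sides must be built with the same --with-portrange/--with-udpportrange values for the rules to line up.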