Re: Firewall, amanda client and ports
2007-07-18 09:20:57
Hi,
Charles Stroom schrieb:
> amcheck reports no problem.
amcheck doesn't use the full source/destination portrange like amdump.
> On the client, I have opened TCP/UDP port 10080, and TCP
> ports 10082 and 10083, because I seem to have seen something like that
> when googling.
You only need 10080 on the client. 10082 (amandaidx) and 10083 (amidxtape) are on
your index/tape server.
But the server also connects to different ports. You can limit this for a
better and tighter firewall configuration when you set --with-portrange and
--with-udpportrange at configure. I used
./configure ..... --with-portrange=50000,50150 --with-udpportrange=850,900
And on an iptables-protected machine you have to set it like this:
$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
--source $BAKSERV --destination $LAN_IP --protocol udp --sport 850:900 \
--dport 10080 --jump ACCEPT
$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
--source $BAKSERV --destination $LAN_IP --protocol tcp --syn \
--sport 50000:50150 --dport $PORTS_UNPRIV --jump ACCEPT
$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
--source $BAKSERV --destination $LAN_IP --protocol tcp --syn \
--sport $PORTS_UNPRIV --dport 50000:50150 --jump ACCEPT
Just replace the variables with your settings/variables.
A different way is to use the specific netfilter modules for handling amanda's
connections (ip_conntrack_amanda, ip_nat_amanda).
Regards
Marc
--
Marc Muehlfeld (Leitung Systemadministration)
Zentrum fuer Humangenetik und Laboratoriumsmedizin Dr. Klein und Dr. Rost
Lochhamer Str. 29 - D-82152 Martinsried
Telefon: +49(0)89/895578-0 - Fax: +49(0)89/895578-78
http://www.medizinische-genetik.de
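As an added example (not code from the original post), a small POSIX sh helper that prints the three iptables rules above for a given --with-portrange / --with-udpportrange pair, after checking that the ranges are numeric, ordered and that the UDP range stays below 1024 as in the post's 850:900. The function names, the sample addresses and the expansion of $PORTS_UNPRIV to 1024:65535 are assumptions.

```shell
#!/bin/sh
# Constructed helper: emit the Amanda client firewall rules from the post for
# a chosen --with-portrange (TCP) and --with-udpportrange (UDP). Nothing is
# applied; the rules are printed so they can be reviewed before loading.

# check_range LOW HIGH MAX: both numeric, LOW <= HIGH and HIGH <= MAX
check_range() {
    for n in "$1" "$2"; do
        case "$n" in ""|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -le "$2" ] && [ "$2" -le "$3" ]
}

# amanda_fw_rules BAKSERV LAN_IP LAN_DEV TCP_LOW TCP_HIGH UDP_LOW UDP_HIGH
# Prints three iptables commands on stdout; returns 1 if a range is bad.
amanda_fw_rules() {
    baksrv=$1 lanip=$2 landev=$3 tlow=$4 thigh=$5 ulow=$6 uhigh=$7
    # UDP range must be a reserved (<1024) range, like 850:900 in the post.
    check_range "$ulow" "$uhigh" 1023 || return 1
    # TCP range only has to be a valid ordered port range.
    check_range "$tlow" "$thigh" 65535 || return 1
    # Assumption: $PORTS_UNPRIV in the post stands for the unprivileged ports.
    unpriv=1024:65535
    common="iptables -A INPUT --match state --state NEW --in-interface $landev \
--source $baksrv --destination $lanip"
    # Server -> client amandad over UDP, from the reserved UDP source range.
    printf '%s --protocol udp --sport %s:%s --dport 10080 --jump ACCEPT\n' \
        "$common" "$ulow" "$uhigh"
    # Server -> client data connections from the configured TCP range.
    printf '%s --protocol tcp --syn --sport %s --dport %s --jump ACCEPT\n' \
        "$common" "$tlow:$thigh" "$unpriv"
    # Server -> client connections towards the configured TCP range.
    printf '%s --protocol tcp --syn --sport %s --dport %s --jump ACCEPT\n' \
        "$common" "$unpriv" "$tlow:$thigh"
}

# Sample values (constructed): backup server 192.0.2.10, client 192.0.2.20.
amanda_fw_rules 192.0.2.10 192.0.2.20 eth0 50000 50150 850 900
```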