Re: Firewall, amanda client and ports
2007-07-18 10:56:31
Since you are using amanda-2.5.2p1, I suggest you use the bsdtcp auth.
It will require no firewall rules.
Ports 10082 and 10083 are not used in 2.5.2 and above; your server needs
them only if you have older clients (amrecover).
To use bsdtcp auth:
- change your dumptype to have: auth "bsdtcp"
- change your amanda xinetd configuration:
socket_type = stream
protocol = tcp
wait = no
server_args = -auth=bsdtcp amdump amindexd amidxtaped
Jean-Louis
Marc Muehlfeld wrote:
Hi,
Charles Stroom wrote:
> amcheck reports no problem.
amcheck doesn't use the full source/destination portrange like amdump.
> On the client, I have opened TCP/UDP port 10080, and TCP
> ports 10082 and 10083, because I seem to have seen something like that
> when googling.
You need only 10080 on the client. 10082 (amandaidx) and 10083
(amidxtape) are on your index/tape server.
But the server also connects to different ports. You can limit this
for a tighter firewall configuration when you set
--with-portrange and --with-udpportrange at configure. I used
./configure ..... --with-portrange=50000,50150
--with-udpportrange=850,900
And on an iptables-protected machine you have to set it like this:
$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
--source $BAKSERV --destination $LAN_IP --protocol udp --sport 850:900 \
--dport 10080 --jump ACCEPT
$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
--source $BAKSERV --destination $LAN_IP --protocol tcp --syn \
--sport 50000:50150 --dport $PORTS_UNPRIV --jump ACCEPT
$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
--source $BAKSERV --destination $LAN_IP --protocol tcp --syn \
--sport $PORTS_UNPRIV --dport 50000:50150 --jump ACCEPT
Just replace the variables with your settings/variables.
A different way is to use the specific netfilter modules for handling
amanda's connections (ip_conntrack_amanda, ip_nat_amanda).
Regards
Marc
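A troubleshooting helper for the port-range setup Marc describes, added here as an example and not part of either mail: given netfilter LOG lines for packets the client dropped, it reports which of the three iptables rules in the thread should have accepted each packet from the backup server, using the 50000:50150 / 850:900 / 10080 ports configured above. The log lines, host addresses and rule labels are constructed assumptions.

```python
import re

# Values from the thread: --with-portrange=50000,50150,
# --with-udpportrange=850,900, and the amanda service port 10080.
AMANDA_PORT = 10080
TCP_RANGE = (50000, 50150)
UDP_RANGE = (850, 900)
UNPRIV_MIN = 1024

# Only the fields of a kernel netfilter LOG line that matter here;
# the real line also carries MAC=, LEN=, TTL=, etc., which we skip.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>TCP|UDP) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample lines (assumed hosts: 192.168.1.10 is $BAKSERV).
LOGS = [
    "kernel: IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.20 PROTO=UDP SPT=870 DPT=10080",
    "kernel: IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.20 PROTO=TCP SPT=50012 DPT=34567 SYN",
    "kernel: IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.20 PROTO=TCP SPT=40123 DPT=50100 SYN",
    "kernel: IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.20 PROTO=TCP SPT=50300 DPT=34567 SYN",
    "kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.20 PROTO=TCP SPT=4444 DPT=22 SYN",
]

def in_range(port, rng):
    return rng[0] <= port <= rng[1]

def classify(line, backup_server):
    """Return the thread's rule a dropped packet should have matched.

    None: not from the backup server (or not TCP/UDP); 'unmatched': from
    the backup server but outside the configured ranges, which usually
    means the server build uses a different --with-portrange."""
    m = LOG_RE.search(line)
    if not m or m.group("src") != backup_server:
        return None
    proto, spt, dpt = m.group("proto"), int(m.group("spt")), int(m.group("dpt"))
    if proto == "UDP" and in_range(spt, UDP_RANGE) and dpt == AMANDA_PORT:
        return "rule1-udp-to-10080"
    if proto == "TCP" and in_range(spt, TCP_RANGE) and dpt >= UNPRIV_MIN:
        return "rule2-tcp-from-portrange"
    if proto == "TCP" and spt >= UNPRIV_MIN and in_range(dpt, TCP_RANGE):
        return "rule3-tcp-to-portrange"
    return "unmatched"

def summarize(lines, backup_server):
    """Count drops per rule so a failing amdump can be traced to one rule."""
    counts = {}
    for line in lines:
        label = classify(line, backup_server)
        if label is not None:
            counts[label] = counts.get(label, 0) + 1
    return counts
```

An 'unmatched' entry with a source port just outside 50000:50150 is the classic symptom of amcheck passing while amdump fails, since amcheck does not exercise the full range.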