Re: Firewall, amanda client and ports
2007-07-19 08:01:35
Changes made and backup done this morning, no problems. The client has
only TCP/UDP port 10080 open.
Thanks a lot,
Charles
On Wed, 18 Jul 2007 10:51:21 -0400
Jean-Louis Martineau <martineau AT zmanda DOT com> wrote:
> Since you are using amanda-2.5.2p1, I suggest you use the bsdtcp auth.
> It will require no firewall rules.
> Ports 10082 and 10083 are not used in 2.5.2 and above; your server needs
> them only if you have older clients (amrecover).
>
> To use bsdtcp auth:
> - change your dumptype to have: auth "bsdtcp"
> - change your amanda xinetd configuration:
>     socket_type = stream
>     protocol    = tcp
>     wait        = no
>     server_args = -auth=bsdtcp amdump amindexd amidxtaped
>
> Jean-Louis
>
> Marc Muehlfeld wrote:
> > Hi,
> >
> > Charles Stroom schrieb:
> > > amcheck reports no problem.
> >
> > amcheck doesn't use the full source/destination portrange like
> > amdump.
> >
> >
> >
> > > On the client, I have opened TCP/UDP port 10080, and TCP
> > > ports 10082 and 10083, because I seem to have seen something like
> > > that when googling.
> >
> > You need only 10080 on the client. 10082 (amandaidx) and 10083
> > (amidxtape) you have on your index-/tapeserver.
> >
> >
> > But the server also connects to different ports. You can limit this
> > for a better and tighter firewall configuration when you set
> > --with-portrange and --with-udpportrange at configure. I used
> >
> > ./configure ..... --with-portrange=50000,50150
> > --with-udpportrange=850,900
> >
> > And on an iptables-protected machine you have to set it like this:
> >
> > $IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
> >   --source $BAKSERV --destination $LAN_IP --protocol udp --sport 850:900 \
> >   --dport 10080 --jump ACCEPT
> >
> > $IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
> >   --source $BAKSERV --destination $LAN_IP --protocol tcp --syn \
> >   --sport 50000:50150 --dport $PORTS_UNPRIV --jump ACCEPT
> >
> > $IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
> >   --source $BAKSERV --destination $LAN_IP --protocol tcp --syn \
> >   --sport $PORTS_UNPRIV --dport 50000:50150 --jump ACCEPT
> >
> > Just replace the variables with your settings/variables.
> >
> >
> > A different way is to use the specific netfilter modules for
> > handling amanda's connections (ip_conntrack_amanda, ip_nat_amanda).
> >
> >
> > Regards
> > Marc
> >
> >
>
--
Charles Stroom
email: charles at no-spam.stremen.xs4all.nl (remove the "no-spam.")
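As an added example (not code from anyone in the thread above), the script below builds the client-side iptables rules for the two setups discussed: the classic "bsd" auth, where the server sends a UDP request to 10080 and then opens TCP data connections from the port ranges fixed at configure time, and "bsdtcp" auth, where only TCP 10080 is needed on the client. The port ranges default to the values Marc used (50000-50150 TCP, 850-900 UDP) and the $LAN_DEV/$BAKSERV/$LAN_IP/$PORTS_UNPRIV names are taken from his post; the function name amanda_client_rules and the IPTABLES=echo "print only" default are my assumptions, so you can review the generated rules before pointing IPTABLES at /sbin/iptables.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates the client-side
# iptables rules for amanda under "bsd" or "bsdtcp" auth.
# IPTABLES defaults to "echo" so nothing is changed until you set
# IPTABLES=/sbin/iptables. Port ranges default to the ones from the thread
# and must match the --with-portrange / --with-udpportrange configure values.
IPTABLES="${IPTABLES:-echo}"
TCP_RANGE="${TCP_RANGE:-50000:50150}"     # --with-portrange=50000,50150
UDP_RANGE="${UDP_RANGE:-850:900}"         # --with-udpportrange=850,900
PORTS_UNPRIV="${PORTS_UNPRIV:-1024:65535}"

# common_args LAN_DEV BAKSERV LAN_IP: match expressions shared by every rule
# (new connections only, on the LAN interface, from the backup server).
common_args() {
    printf '%s' "-A INPUT -m state --state NEW -i $1 -s $2 -d $3"
}

# amanda_client_rules MODE LAN_DEV BAKSERV LAN_IP
#   MODE "bsdtcp": one tcp connection from the server to amandad on 10080.
#   MODE "bsd":    udp request to 10080 from the server's udp range, then
#                  tcp data connections in both directions using TCP_RANGE.
amanda_client_rules() {
    mode=$1; dev=$2; srv=$3; me=$4
    base=$(common_args "$dev" "$srv" "$me")
    case "$mode" in
    bsdtcp)
        $IPTABLES $base -p tcp --syn --dport 10080 -j ACCEPT
        ;;
    bsd)
        $IPTABLES $base -p udp --sport "$UDP_RANGE" --dport 10080 -j ACCEPT
        $IPTABLES $base -p tcp --syn --sport "$TCP_RANGE" --dport "$PORTS_UNPRIV" -j ACCEPT
        $IPTABLES $base -p tcp --syn --sport "$PORTS_UNPRIV" --dport "$TCP_RANGE" -j ACCEPT
        ;;
    *)
        echo "amanda_client_rules: unknown mode '$mode' (use bsd or bsdtcp)" >&2
        return 1
        ;;
    esac
}

# Usage: review the rules first, then apply with IPTABLES=/sbin/iptables.
# amanda_client_rules bsd eth0 192.0.2.10 192.0.2.20
```

The "bsd" rule set is only as tight as the ranges compiled into the server; if the server was built without --with-portrange, the --sport 50000:50150 match will silently drop its data connections and amdump will hang while amcheck still passes, exactly the symptom Marc describes.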