Amanda-Users

Re: Firewall, amanda client and ports

2007-07-19 08:01:35
From: Charles Stroom <charles AT stremen.xs4all DOT nl>
To: Jean-Louis Martineau <martineau AT zmanda DOT com>
Date: Thu, 19 Jul 2007 13:19:47 +0200
Changes made and backup done this morning, no problems.  The client has
only 10080 TCP/UDP ports open.

Thanks a lot,

Charles




On Wed, 18 Jul 2007 10:51:21 -0400
Jean-Louis Martineau <martineau AT zmanda DOT com> wrote:

> Since you are using amanda-2.5.2p1, I suggest you use the bsdtcp auth.
> It will require no firewall rules.
> Ports 10082 and 10083 are not used in 2.5.2 and above; your server needs 
> them only if you have older clients (amrecover).
> 
> To use bsdtcp auth:
>   - change your dumptype to have: auth "bsdtcp"
>   - change your amanda xinetd configuration:
>         socket_type             = stream
>         protocol                = tcp
>         wait                    = no
>         server_args             = -auth=bsdtcp amdump amindexd amidxtaped
> 
> Jean-Louis
> 
> Marc Muehlfeld wrote:
> > Hi,
> >
> > Charles Stroom schrieb:
> > > amcheck reports no problem.
> >
> > amcheck doesn't use the full source/destination portrange like
> > amdump.
> >
> >
> >
> > > On the client, I have opened TCP/UDP port 10080, and TCP
> > > ports 10082 and 10083, because I seem to have seen something like
> > > that when googling.
> >
> > You need only 10080 on the client. 10082 (amandaidx) and 10083 
> > (amidxtape) are on your index/tape server.
> >
> >
> > But the server also connects to different ports. You can limit this 
> > for a better and tighter firewall configuration when you set 
> > --with-portrange and --with-udpportrange at configure. I used
> >
> > ./configure .....  --with-portrange=50000,50150 --with-udpportrange=850,900
> >
> > And on an iptables-protected machine you have to set it like this:
> >
> > $IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
> >    --source $BAKSERV --destination $LAN_IP --protocol udp --sport 850:900 \
> >    --dport 10080 --jump ACCEPT
> >
> > $IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
> >    --source $BAKSERV --destination $LAN_IP --protocol tcp --syn \
> >    --sport 50000:50150 --dport $PORTS_UNPRIV --jump ACCEPT
> >
> > $IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV \
> >    --source $BAKSERV --destination $LAN_IP --protocol tcp --syn \
> >    --sport $PORTS_UNPRIV --dport 50000:50150 --jump ACCEPT
> >
> > Just replace the variables with your settings/variables.
> >
> >
> > A different way is to use the specific netfilter modules for
> > handling amanda's connections (ip_conntrack_amanda, ip_nat_amanda).
> >
> >
> > Regards
> > Marc
> >
> >
> 


-- 
Charles Stroom
email: charles at no-spam.stremen.xs4all.nl (remove the "no-spam.")
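The two client-side firewall set-ups discussed in the thread, as an added example that is not code from the thread or from the Amanda project: a shell script that turns the ranges passed to `--with-portrange` / `--with-udpportrange` into the three iptables rules Marc posted (for bsd/udp auth), validates them first, and prints the single rule that is left once a client is switched to Jean-Louis's bsdtcp auth. The variable names follow Marc's message; the default addresses, interface and unprivileged-port range are assumptions for illustration, and the rules assume an ESTABLISHED,RELATED accept rule already exists, as Marc's NEW-only rules do.

```shell
#!/bin/sh
# Added example: generate and sanity-check Amanda client iptables rules.
# Defaults are illustrative assumptions; override them in the environment.
IPTABLES=${IPTABLES:-iptables}
LAN_DEV=${LAN_DEV:-eth0}
BAKSERV=${BAKSERV:-192.0.2.10}          # assumed backup server address
LAN_IP=${LAN_IP:-192.0.2.20}            # assumed client address
PORTS_UNPRIV=${PORTS_UNPRIV:-1024:65535} # assumed unprivileged port range

# check_range "low,high" [privileged]
# Accepts a range in the "low,high" form that configure takes and returns 0
# only if it is well formed. With the second argument "privileged" the whole
# range must lie below 1024: bsd auth expects the server's UDP packets to
# come from a reserved port, which is why the thread uses 850,900.
check_range() {
  range=$1
  case "$range" in *,*) ;; *) return 1 ;; esac
  low=${range%,*}; high=${range#*,}
  case "$low$high" in *[!0-9]*|"") return 1 ;; esac
  [ "$low" -ge 1 ] && [ "$low" -le "$high" ] && [ "$high" -le 65535 ] || return 1
  if [ "$2" = privileged ]; then
    [ "$high" -lt 1024 ] || return 1
  fi
  return 0
}

# amanda_client_rules "tcp_low,tcp_high" "udp_low,udp_high"
# Prints the three rules Marc describes for bsd/udp auth (one per line):
# UDP 10080 from the server's reserved range, and TCP in both directions
# within the server's TCP port range. Prints nothing and fails on bad ranges.
amanda_client_rules() {
  check_range "$1" && check_range "$2" privileged || return 1
  tcp="${1%,*}:${1#*,}"   # iptables wants low:high, configure wants low,high
  udp="${2%,*}:${2#*,}"
  common="$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV --source $BAKSERV --destination $LAN_IP"
  printf '%s\n' \
    "$common --protocol udp --sport $udp --dport 10080 --jump ACCEPT" \
    "$common --protocol tcp --syn --sport $tcp --dport $PORTS_UNPRIV --jump ACCEPT" \
    "$common --protocol tcp --syn --sport $PORTS_UNPRIV --dport $tcp --jump ACCEPT"
}

# bsdtcp_client_rule
# With auth "bsdtcp" every stream is multiplexed over the server's single TCP
# connection to the client's port 10080, so this one inbound rule is enough.
bsdtcp_client_rule() {
  printf '%s\n' \
    "$IPTABLES -A INPUT --match state --state NEW --in-interface $LAN_DEV --source $BAKSERV --destination $LAN_IP --protocol tcp --syn --dport 10080 --jump ACCEPT"
}

# Example invocation with the ranges from the thread (prints, does not apply):
amanda_client_rules 50000,50150 850,900
bsdtcp_client_rule
```

The script only prints rules; pipe its output through `sh` once you have checked it, and keep the ESTABLISHED,RELATED rule ahead of these in the INPUT chain. The rejection of a UDP range above 1023 is deliberate: a rule that matches the wrong source range looks fine to amcheck, which, as Marc notes, does not exercise the full port range that amdump does.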
