I used the Amanda FAQ-o-matic "firewalls" entry when I was setting up
backups for a server that sits on the "untrusted" side of an internal
packet filter, and found it helpful -- my thanks to those involved!

However, I was just going over the filtering rules a bit, in order to
clean things up both on the packet filter and on the host that is the
amanda client.  (And then we had a security advisory come out regarding
the packet-filtering code we use, so I needed to make a patch & install
the modified code -- thus providing an opportunity to do a test....)

Per the suggestion, I had built amanda on that client with the
"--with-udpportrange=850,854" config directive.

And I am running a backup of that client machine every day -- it's just
tossed into the mix along with all the other machines.

But in looking at the statistics for the filter rules on the internal
packet filter, I see the only rules that mention my backup server are:

dmz-gw[2] sudo ipfw show|grep 205.27
01550       0          0 allow udp from 207.76.204.2 850-854 to 207.76.205.27
01551      24       3282 allow udp from 207.76.204.2 10080 to 207.76.205.27

But the first rule shows that there were no instances of its conditions
being matched, and the amanda client in question (at 207.76.204.2) is
not permitted to send arbitrary traffic to the net where the amanda
server (207.76.205.27) is.

So yesterday afternoon, when I needed to re-boot the packet-filtering
machine after applying the patches, I only installed the second rule,
thus we now have:

dmz-gw[3] sudo ipfw show | grep 205.27
01551     24      3282 allow udp from 207.76.204.2 10080 to 207.76.205.27

(And this morning's backups ran just fine, as far as that machine is
concerned.)

So it seems to me that either I'm missing something fairly basic, or
that the rule # 1550 (in the first extract) isn't needed.  Further, it's
not apparent to me that the UDP port-range restriction is actually doing
anything either.

Does this make any sense?  When it comes to relaxing firewall rules, I
like to make sure I understand as clearly as possible just what is being
done and why....

Thanks,
david
-- 
David Wolfskill      [EMAIL PROTECTED]   UNIX System Administrator
Desk: 650/577-7158   TIE: 8/499-7158   Cell: 650/759-0823

I need help: http://www.whistle.com/employment/employ-engg.html#K030391
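The post's check was to read the packet counters in `ipfw show` and ask whether a rule has ever matched. As an added example (not part of the original message or of Amanda), the script below does that check over a constructed sample of `ipfw show` output shaped like the two-rule extract above: it lists rules that mention a given host but have a zero packet count.

```shell
#!/bin/sh
# Added example, not from the original post: audit `ipfw show` output for
# rules that mention a host but have never matched a packet.
# Columns in `ipfw show` are: rule-number packets bytes rule-body.

# Constructed sample mirroring the post's extract plus the default rule.
SAMPLE='01550       0          0 allow udp from 207.76.204.2 850-854 to 207.76.205.27
01551      24       3282 allow udp from 207.76.204.2 10080 to 207.76.205.27
65535 1234567 9876543210 deny ip from any to any'

# rule_hits HOST [FILE]: print "rule packets" for every rule mentioning HOST.
# Reads FILE, or stdin when FILE is omitted (e.g. `ipfw show | rule_hits 205.27`).
rule_hits() {
    awk -v host="$1" 'index($0, host) { print $1, $2 }' "${2:-/dev/stdin}"
}

# unused_rules HOST [FILE]: print rule numbers that mention HOST and whose
# packet counter is still zero, i.e. candidates for removal.
unused_rules() {
    awk -v host="$1" '$2 == 0 && index($0, host) { print $1 }' "${2:-/dev/stdin}"
}

# Sample run against the constructed output: prints 01550 only.
printf '%s\n' "$SAMPLE" | unused_rules 205.27
```

Counters are zeroed whenever the rule set is reloaded (as after the reboot described above), so a zero count is only meaningful once the backup has run since the last reload.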
