From a security perspective, you normally don't want to allow packet 
fragments.  In most cases, turning off packet fragmentation is generally 
what you want.  Why?  Well, because some rules cannot be properly 
applied to packet fragments, which may create potential security concerns.

Greg


Jason Hollinden wrote:

> The ports that worked best for me were:
> 
>  --with-portrange=2064,2320
>  --with-udpportrange=830,870
> 
> Also, some other firewall weirdness I've had (with RedHat6.2's ipchains)
> was once in a while a fragmented packet is sent, for whatever reason.
> My amanda client's firewall log would show 3 denied packets from the
> tape server, with source and destination ports of 65535.
> 
> To get around this, you need a rule that allows fragmented packets, such
> as this:
> 
>  -A input -s <server_ip>/32 -d <client_ip>/32 -f -j ACCEPT
>  
> 
> On Wed, 04 Apr 2001, Doug Silver wrote:
> 
>> Brand new build of amanda 2.4.2p2
>> 
>> server config build:
>> ./configure --with-gnutar=/usr/local/bin/tar --with-portrange=900,950
>> --with-udpportrange=900,950 (etc)
>> 
>> client config build:
>> ./configure --with-gtar=/usr/local/bin/gtar --without-server
>> --with-portrange=900,950 --with-udpportrange=900,950
>> 
>> Server binaries:
>> -rwsr-x---  1 root  wheel   68759 Apr  4 15:46
>> /usr/local/libexec/calcsize*
>> -rwsr-x---  1 root  wheel  231765 Apr  4 15:47 /usr/local/libexec/dumper*
>> -rwsr-x---  1 root  wheel   58227 Apr  4 15:46
>> /usr/local/libexec/killpgrp*
>> -rwsr-x---  1 root  wheel  309711 Apr  4 15:47 /usr/local/libexec/planner*
>> -rwsr-x---  1 root  wheel   56004 Apr  4 15:46 /usr/local/libexec/rundump*
>> -rwsr-x---  1 root  wheel   56761 Apr  4 15:46 /usr/local/libexec/runtar*
>> -rwsr-x---  1 root  wheel  322122 Apr  4 15:47 /usr/local/sbin/amcheck*
>> 
>> Client:
>> ls: /usr/local/libexec/dumper: No such file or directory
>> ls: /usr/local/libexec/planner: No such file or directory
>> -rwsr-x---  1 root  wheel  71756 Apr  4 17:22 /usr/local/libexec/calcsize*
>> -rwsr-x---  1 root  wheel  62521 Apr  4 17:22 /usr/local/libexec/killpgrp*
>> -rwsr-x---  1 root  wheel  60112 Apr  4 17:22 /usr/local/libexec/rundump*
>> -rwsr-x---  1 root  wheel  60905 Apr  4 17:22 /usr/local/libexec/runtar*
>> 
>> amcheck -c test
>> 
>> Amanda Backup Client Hosts Check
>> --------------------------------
>> ERROR: frog.hoop-t.net: [host cat.hoop-t.net: port 62870 not
>> secure]
>> Client check: 1 host checked in 0.076 seconds, 1 problem found
>> 
>> I'm not seeing any errors through the firewall, so I'm not sure how to
>> further debug this.
>> 
>> Any suggestions?  Has anyone got Amanda to work using the
>> udpportrange/portrange options through a firewall?
>> 
>> Thanks!
>> 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Doug Silver
>> 619 235-2665
>> Quantified Systems, Inc
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Here's the client amandad.debug packet stuff:
>> sending ack:
>> ----
>> Amanda 2.4 ACK HANDLE 000-00300D08 SEQ 986430352
>> ----
>> 
>> amandad: sending REP packet:
>> ----
>> Amanda 2.4 REP HANDLE 000-00300D08 SEQ 986430352
>> ERROR [host cat.hoop-t.net: port 62870 not secure]
>> ----
>> 
>> amandad: got packet:
>> ----
>> Amanda 2.4 ACK HANDLE 000-00300D08 SEQ 986430352
>> ----
>> 
>> amandad: pid 56308 finish time Wed Apr  4 17:25:53 2001
>> 
> 
> 
> --
>    Jason Hollinden
> 
>    SMG Systems Admin
> 


-- 
Greg Copeland, Principal Consultant
Copeland Computer Consulting
--------------------------------------------------
PGP/GPG Key at http://www.keyserver.net
DE5E 6F1D 0B51 6758 A5D7  7DFE D785 A386 BD11 4FCD
--------------------------------------------------
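Greg's point above (port rules cannot be applied to fragments) and Jason's `-f` ACCEPT rule are two sides of the same mechanism: only the first IPv4 fragment carries the UDP header, so a stateless filter sees no ports at all in the later fragments. The following is an added example, not code from this thread or from Amanda or ipchains. It builds a UDP datagram with constructed addresses (192.0.2.10 server, 192.0.2.20 client), fragments it at a given MTU, and runs each fragment through a small port filter modelled on the rules discussed: one mode drops anything whose ports it cannot read (Greg's advice), the other accepts non-first fragments for the server/client pair without seeing ports (Jason's `-f` rule). The port range 830-870 is the one Jason quoted; the filter and its return values are this example's own design.

```python
import struct

UDP_PROTO = 17
IP_MF = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4(src: str, dst: str, ident: int, flags_frag: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, TTL 64, protocol UDP) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, UDP_PROTO, 0, _ip_to_bytes(src), _ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; checksum 0 means 'none', which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(packet: bytes, mtu: int) -> list:
    """Split one IPv4 packet into fragments that fit mtu (data offsets are multiples of 8)."""
    if len(packet) <= mtu:
        return [packet]
    hdr, data = packet[:20], packet[20:]
    ident = struct.unpack("!H", hdr[4:6])[0]
    src = ".".join(str(b) for b in hdr[12:16])
    dst = ".".join(str(b) for b in hdr[16:20])
    chunk = (mtu - 20) // 8 * 8
    frags = []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        more = IP_MF if off + chunk < len(data) else 0
        frags.append(build_ipv4(src, dst, ident, more | (off // 8), piece))
    return frags


def parse(packet: bytes) -> dict:
    """Decode the IPv4 header; UDP ports are only present in the first fragment."""
    ihl = (packet[0] & 0x0F) * 4
    _, _, _, ident, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    info = {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": proto,
        "ident": ident,
        "more_fragments": bool(flags_frag & IP_MF),
        "offset": (flags_frag & 0x1FFF) * 8,
        "sport": None,
        "dport": None,
    }
    # Ports exist only at offset 0, and only if the fragment is big enough to hold the UDP header.
    if info["offset"] == 0 and proto == UDP_PROTO and len(packet) >= ihl + 8:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def filter_packet(packet: bytes, server_ip: str, client_ip: str, udp_ports: tuple,
                  allow_fragments: bool) -> str:
    """Stateless rule: accept UDP from server to client if dport is within udp_ports.

    allow_fragments=True also accepts fragments of that host pair whose ports cannot be
    read (the effect of an ipchains -f ACCEPT rule); False drops them (Greg's advice).
    """
    p = parse(packet)
    if p["src"] != server_ip or p["dst"] != client_ip or p["proto"] != UDP_PROTO:
        return "DROP"
    if p["dport"] is not None:
        return "ACCEPT" if udp_ports[0] <= p["dport"] <= udp_ports[1] else "DROP"
    # Non-first fragment: no transport header, so the port rule cannot be evaluated.
    return "ACCEPT" if allow_fragments else "DROP"


def demo(mtu: int = 1500, payload_len: int = 3000, dport: int = 850,
         allow_fragments: bool = False) -> list:
    """Fragment one constructed server->client datagram and return the verdict per fragment."""
    server, client = "192.0.2.10", "192.0.2.20"  # constructed documentation addresses
    udp = build_udp(10080, dport, b"A" * payload_len)
    pkt = build_ipv4(server, client, 0x1234, 0, udp)
    return [filter_packet(f, server, client, (830, 870), allow_fragments) for f in fragment(pkt, mtu)]


if __name__ == "__main__":
    print("strict, in-range port:   ", demo())                                      # first fragment only
    print("with -f rule, in-range:  ", demo(allow_fragments=True))                  # all pass
    print("with -f rule, bad port:  ", demo(dport=9999, allow_fragments=True))      # tail passes anyway
    print("no fragmentation needed: ", demo(mtu=9000))                              # single packet
```

The third line of output is the security concern Greg alludes to: once a fragment-accept rule exists for a host pair, the port restriction is enforced only on the first fragment, and the remaining fragments are passed with no port check at all. The last line shows the alternative, keeping datagrams under the path MTU so no fragment rule is needed.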
