On Sun, Apr 22, 2001 at 06:50:10PM -0500, John R. Jackson wrote:
> >... There are several shortcomings with Amanda and IP-masquerading:
> >
> >- You can backup only _one_ machine outside firewall
> 
> Why?

I don't know the reason. I have 2 machines outside a Linux
masquerading firewall and I can have only one of them in the disklist.
 
> 
> >- _Everyone_ from inside firewall can run an amanda server and
> >  request backups from the outside machine. (This is often not a big problem
> >  if the outside machine has only "public" content (e.g. Webserver))
> 
> Is this because all the requests from inside look like they come from
> the same place to the outside machine, and so it cannot lock out all
> but the "right" one?

Yes, this is because all inside machines look like they have the
firewall IP and because reserved port checking is disabled.

> 
> >- You have to tell Amanda Client outside firewall not to do reserved
> >  port checking, in common-src:
> 
> That would seem to depend on whether you're doing port translation.
> If the ports Amanda gets inside are left alone, then they should still
> be privileged on the outside.
> 

My whole mail is only about Linux IP Masquerading, AKA port translation.

> Note that disabling this check makes it even easier for someone inside
> to back up the outside machine -- they don't even have to install Amanda,
> just run it from a build area.
> 
> Do you (or anyone else, for that matter) have any suggestions on how
> this could be done better?
> 

Sorry, no idea. 

   Ciao
     Dietmar

-- 
 Alles Gute / best wishes  
     Dietmar Goldbeck                E-Mail: [EMAIL PROTECTED]
Reporter (to Mahatma Gandhi): Mr Gandhi, what do you think of Western
Civilization?  Gandhi: I think it would be a good idea.
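
The trade-off discussed in this thread, as an added example that is not part of the original mail and is not Amanda's code: a simplified model of a client that trusts a request by source address and, optionally, by reserved source port. The function names, addresses and port numbers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESERVED_PORT_LIMIT 1024 /* on Unix, only root can bind source ports below this */

struct peer { const char *ip; uint16_t port; };
enum verdict { ACCEPT, REJECT_HOST, REJECT_PORT };

/* Simplified model of the client's decision (hypothetical, not Amanda's code):
 * trust a request if it comes from the expected address and, optionally,
 * from a reserved source port. */
enum verdict check_peer(struct peer p, const char *trusted_ip, int check_reserved)
{
    if (strcmp(p.ip, trusted_ip) != 0)
        return REJECT_HOST;
    if (check_reserved && p.port >= RESERVED_PORT_LIMIT)
        return REJECT_PORT;
    return ACCEPT;
}

/* What the outside machine sees after masquerading: the inside address and
 * port are replaced by the firewall address and a port the firewall picked. */
struct peer masquerade(struct peer inside, const char *fw_ip, uint16_t fw_port)
{
    struct peer seen = { fw_ip, fw_port };
    (void)inside; /* nothing of the original sender survives the rewrite */
    return seen;
}

int main(void)
{
    const char *fw = "192.0.2.1";                  /* constructed firewall address */
    struct peer server = { "10.0.0.5", 850 };      /* backup server: root, reserved port */
    struct peer other  = { "10.0.0.9", 40000 };    /* any other inside user */
    struct peer s = masquerade(server, fw, 61001); /* constructed mapped ports */
    struct peer o = masquerade(other, fw, 61002);

    /* Check on: the legitimate server is rejected too. Check off: both pass. */
    printf("check on:  server=%d other=%d\n", check_peer(s, fw, 1), check_peer(o, fw, 1));
    printf("check off: server=%d other=%d\n", check_peer(s, fw, 0), check_peer(o, fw, 0));
    return 0;
}
```

With port translation the outside machine has no field left that separates the backup server from any other inside sender, so the reserved-port check either blocks both or admits both.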
