Re: Amanda Through firewall

Tue, 13 Jul 2004 05:56:40 -0700 


Following up on myself...


Paul Bijnens wrote: 

Personnally I use a third option (until I get my firewall upgraded
to use the amanda netfilter modules).  My firewall does simple
connection tracking and NAT.

I commented out this block in common-src/security.c

 230     /* next, make sure the remote port is a "reserved" one */
 231 /* Avoid trouble with NAT changing reserved ports in random ports
 232     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
 233         ap_snprintf(number, sizeof(number), "%d",
                ntohs(addr->sin_port));
 234         *errstr = vstralloc("[",
 235                             "host ", remotehost, ": ",
 236                             "port ", number, " not secure",
 237                             "]", NULL);
 238         amfree(remotehost);
 239         return 0;
 240     }
 241 */

It's because of NAT that ports below 1024 get translated to some
arbitrary high number.  The security of this check is marginal in
these times when everyone can be root and use reserved ports on his
hackerbox.

With this setup, I only have to open ports from my amandaserver to
the DMZ-hosts. All the rest is taken care of by the normal connection
tracking.  (Correct me, if I missed something.)


Using the standard ip_conntrack module, you have to live with the
standard rather short UDP connection tracking timeout (5 minutes I believe).
For amanda this means that all the estimates must be finished within
that timeframe.

When using the netfilter "ip_conntrack_amanda master_timeout=3600"
you can increase this timeout as you please.


--
Paul Bijnens, Xplanation                            Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/          email:  [EMAIL PROTECTED]
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit,  ZZ, :q, :q!,  M-Z, ^X^C,  logoff, logout, close, bye,  /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* kill -9 1,  Alt-F4,  Ctrl-Alt-Del,  AltGr-NumLock,  Stop-A,  ...    *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************

Reply via email to