Following up on myself...
Paul Bijnens wrote:
Personally I use a third option (until I get my firewall upgraded to use the amanda netfilter modules). My firewall does simple connection tracking and NAT.
I commented out this block in common-src/security.c
    /* next, make sure the remote port is a "reserved" one */
    /* Avoid trouble with NAT changing reserved ports in random ports
    if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
        ap_snprintf(number, sizeof(number), "%d", ntohs(addr->sin_port));
        *errstr = vstralloc("[",
                            "host ", remotehost, ": ",
                            "port ", number, " not secure",
                            "]", NULL);
        amfree(remotehost);
        return 0;
    }
    */
It's because of NAT that ports below 1024 get translated to some arbitrary high number. The security of this check is marginal in these times when everyone can be root and use reserved ports on his hackerbox.
With this setup, I only have to open ports from my amandaserver to the DMZ-hosts. All the rest is taken care of by the normal connection tracking. (Correct me if I missed something.)
Using the standard ip_conntrack module, you have to live with the standard rather short UDP connection tracking timeout (5 minutes I believe). For amanda this means that all the estimates must be finished within that timeframe.
When using the netfilter "ip_conntrack_amanda master_timeout=3600" you can increase this timeout as you please.
--
Paul Bijnens, Xplanation                            Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/                          email: [EMAIL PROTECTED]
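The two firewall interactions the post describes, as an added example that is not Amanda's code or part of the original message: a Python mirror of the reserved-port check quoted above, a constructed source-NAT port rewrite showing why that check rejects a NATed client, and a minimal UDP connection-tracking table showing how a long-running estimate outlives the stock timeout but not a raised one. The 300 s and 3600 s figures are the post's; the NAT port range and flow identifiers are constructed.

```python
from dataclasses import dataclass, field

IPPORT_RESERVED = 1024  # the constant the security.c check compares against


def reserved_port_check(remotehost: str, port: int):
    """Mirror of the commented-out check: returns (accepted, errstr).
    The C code formats "[host <name>: port <n> not secure]" and returns 0."""
    if port >= IPPORT_RESERVED:
        return False, f"[host {remotehost}: port {port} not secure]"
    return True, None


def nat_rewrite_source_port(port: int, ephemeral_base: int = 32768) -> int:
    """Constructed stand-in for source NAT: the client's reserved source
    port is replaced by an arbitrary high port, as the post describes."""
    return ephemeral_base + (port % 1000)


@dataclass
class UdpConntrack:
    """Minimal model of a stateful firewall's UDP tracking table.
    timeout: idle seconds before an entry is forgotten (300 for the post's
    stock ip_conntrack figure, 3600 for master_timeout=3600)."""
    timeout: int
    entries: dict = field(default_factory=dict)

    def outbound(self, flow: tuple, now: int) -> None:
        self.entries[flow] = now  # server -> client request creates the entry

    def inbound_allowed(self, flow: tuple, now: int) -> bool:
        seen = self.entries.get(flow)
        if seen is None or now - seen > self.timeout:
            self.entries.pop(flow, None)  # expired: the reply is dropped
            return False
        self.entries[flow] = now  # matching traffic refreshes the entry
        return True


def estimate_reply_accepted(timeout: int, estimate_seconds: int) -> bool:
    """Request sent at t=0; the client's estimate reply arrives after
    estimate_seconds of silence. Returns whether the firewall lets it in."""
    flow = ("amandaserver", "dmz-client", "udp")  # constructed flow tuple
    table = UdpConntrack(timeout)
    table.outbound(flow, now=0)
    return table.inbound_allowed(flow, now=estimate_seconds)
```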