RE: Another 'Amanda through firewall' problem

2004-08-23 Thread donald . ritchey
Kevin:

Sorry about responding late to this post; I have been away from the mailing
list for a while, so this may be a stale issue.  Be sure to study the
docs/PORT.USAGE file in the Amanda distribution for a detailed explanation
of how to set up your ports.

There appears to be confusion about the use of port ranges through the
firewall.  Amanda needs three sets of ports opened in a firewall:

UDP/10080, TCP/10082, TCP/10083 -> the well-known services that 
connect clients to Amanda services

the UDP port Range -> a set of ports for Amanda to exchange 
information between the clients and the server

the TCP port Range -> a set of ports to pass the backup data 
streams between the Amanda clients and servers

During a session, the Amanda server connects to the Amanda UDP port on the
client to perform an operation; the request originates from one of the UDP
ports in the UDPPORTRANGE.  Amanda uses this connection to send commands to
the remote client and receive reports of results on the client.

To perform a backup, Amanda sends the client a set of three ports in the
TCPPORTRANGE that will be used for standard input, output, and error
streams.  Amanda uses the three ports to send/receive information with the
client.  The range of addresses needs to be large enough to conduct as many
remote sessions as needed by the configuration going through the firewall.

For my firewall, I have the following ports open:
To each client:
UDP 10080 - Amanda control port
TCP 10082 - Amanda index service
TCP 10083 - Amanda tape service
UDP 880-899 - for bi-directional status data flows
TCP 5-50040 - for bi-directional backup stream flows

From clients to the server:
UDP 10080 - Amanda control port
TCP 10082 - Amanda index service
TCP 10083 - Amanda tape service
UDP 880-899 - for bi-directional status data flows
Return connections for each established outbound connection

Since I don't control the firewall, I have to depend on rule and port
listings from the Firewall group.  Good communication of the contents of the
docs/PORT.USAGE file from the Amanda distribution file tree is essential for
the Firewall Team to be able to set up the firewall to correctly pass the
Amanda data streams.

Best of luck with Amanda, and hopefully this will get you moving,

Donald L. (Don) Ritchey
Information Technology
Exelon Corporation

-Original Message-
From: KEVIN ZEMBOWER [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 18, 2004 3:40 PM
To: [EMAIL PROTECTED]
Subject: Another 'Amanda through firewall' problem

Another 'Amanda through firewall' problem

2004-08-18 Thread KEVIN ZEMBOWER
Two years ago, I wrote here about problems getting Amanda to work through a firewall 
using NAT which couldn't be turned off. I finally gave up in frustration, despite the 
helpful advice of the folks here, and set up two separate backup systems, one inside 
and outside the firewall. Adding to my frustration is the fact that I don't administer 
the firewall, and can't verify directly that what I requested was implemented. Now, 
I'm trying again to back up all my hosts with just one Amanda system.

My tapehost 'centernet' is trying to back up hosts 'admin' and 'mailinglists' in 
addition to itself, inside the firewall, and hosts 'www' and 'real' outside the 
firewall.

I've read and tried to follow the advice given to others in this situation. I changed 
the file common-src/security.c to comment out the section where the port number is 
checked. I also used the script, first given here, pasted in at the end of this note, 
to configure Amanda on both the server and the clients. I have the new Amanda system 
(tapehost inside the firewall) working on all the other hosts inside the firewall, but 
it times out with the hosts outside the firewall.

When I amcheck it, I don't get anything written in either the working or non-working 
clients, in either /tmp/Amanda or /tmp/Amanda-dbg.

Can anyone suggest any diagnostic tools or methods that I can use to verify that the 
firewall is set up the way I requested? I've tried to use 'netcat' in the past to 
verify proper transmission through a firewall, but don't understand how I could use it 
in this case, as I don't know what port the firewall will NAT the request to.

I'm not getting any diagnostic messages in any of the logs I've looked at, on either 
the host or clients.

Any suggestions? Thanks for all your help and advice.

-Kevin Zembower

=
[EMAIL PROTECTED]:~$ cat configure_amanda.sh
#!/bin/sh
# since I'm always forgetting to su amanda...
if [ `whoami` != 'amanda' ]; then
    echo
    echo " Warning "
    echo "Amanda needs to be configured and built by the user amanda,"
    echo "but must be installed by user root."
    echo
    exit 1
fi
echo " Warning "
echo "Did you remember to make the changes in common-src/security.c"
echo "to disable the port check, to allow amanda to work through a"
echo "NATted firewall like CCP's?"
echo
make clean
rm -f config.status config.cache
../configure --with-user=amanda \
   --with-group=disk \
   --with-owner=amanda \
   --with-tape-device=/dev/nst0 \
   --prefix=/usr/local \
   --with-portrange=10080,10083 \
   --with-tcpportrange=10080,10083 \
   --with-udpportrange=850,854 \
   --with-debugging=/tmp/amanda-dbg/ \
   --with-config=DBackup \
   --with-smbclient=/usr/bin/smbclient \
   --with-configdir=/etc/amanda

[EMAIL PROTECTED]:~$ 
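As an added example (mine, not from the thread and not from the Amanda distribution), here is Don's port list from his reply above written out as iptables rules for a Linux perimeter firewall that does connection tracking. The chain name FORWARD, the TEST-NET addresses and the 50000,50040 TCP range are assumptions; the UDP and TCP ranges have to be whatever the clients and server were compiled with (the --with-udpportrange and --with-tcpportrange values in Kevin's configure script). Don's remark that each backup uses three ports from the TCP range is turned into a size check against the inparallel setting in amanda.conf.

```shell
#!/bin/sh
# Added example: emit iptables rules for the Amanda port sets Don lists.
# Nothing is applied; the rules are printed so they can be reviewed with
# the firewall team first. Addresses below are constructed (TEST-NET-1).

# Convert a configure-style range "low,high" into the iptables form
# "low:high", refusing empty, non-numeric or reversed ranges.
range_to_iptables() {
    low=${1%%,*}
    high=${1##*,}
    case "$low$high" in
        ''|*[!0-9]*) echo "bad range: '$1'" >&2; return 1 ;;
    esac
    [ "$low" -le "$high" ] || { echo "reversed range: '$1'" >&2; return 1; }
    echo "$low:$high"
}

# Number of ports covered by a "low,high" range.
range_size() {
    low=${1%%,*}; high=${1##*,}
    echo $((high - low + 1))
}

# Each backup in flight needs three TCP ports (stdin, stdout and stderr
# streams), so the TCP range must hold at least 3 * inparallel ports.
# $1 = range "low,high", $2 = inparallel from amanda.conf.
tcp_range_sufficient() {
    [ "$(range_size "$1")" -ge $((3 * $2)) ]
}

# Rules for one server/client pair on the FORWARD chain (assumed chain).
# Usage: amanda_rules SERVER_IP CLIENT_IP UDP_RANGE TCP_RANGE
amanda_rules() {
    srv=$1; cli=$2
    udp=$(range_to_iptables "$3") || return 1
    tcp=$(range_to_iptables "$4") || return 1
    # server -> client: control, index, tape, status range, data range
    echo "iptables -A FORWARD -p udp -s $srv -d $cli --dport 10080 -j ACCEPT"
    echo "iptables -A FORWARD -p tcp -s $srv -d $cli --dport 10082 -j ACCEPT"
    echo "iptables -A FORWARD -p tcp -s $srv -d $cli --dport 10083 -j ACCEPT"
    echo "iptables -A FORWARD -p udp -s $srv -d $cli --dport $udp -j ACCEPT"
    echo "iptables -A FORWARD -p tcp -s $srv -d $cli --dport $tcp -j ACCEPT"
    # client -> server: the same services; Don calls the status and data
    # ranges bi-directional, so both are opened this way as well
    echo "iptables -A FORWARD -p udp -s $cli -d $srv --dport 10080 -j ACCEPT"
    echo "iptables -A FORWARD -p tcp -s $cli -d $srv --dport 10082 -j ACCEPT"
    echo "iptables -A FORWARD -p tcp -s $cli -d $srv --dport 10083 -j ACCEPT"
    echo "iptables -A FORWARD -p udp -s $cli -d $srv --dport $udp -j ACCEPT"
    echo "iptables -A FORWARD -p tcp -s $cli -d $srv --dport $tcp -j ACCEPT"
    # return traffic for every connection accepted above
    echo "iptables -A FORWARD -s $cli -d $srv -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Sample run with constructed addresses and an assumed inparallel of 4.
if tcp_range_sufficient 50000,50040 4; then
    amanda_rules 192.0.2.10 192.0.2.20 880,899 50000,50040
else
    echo "TCP range too small for inparallel 4" >&2
fi
```

Pipe the output through sh on the firewall to apply it. The ESTABLISHED,RELATED rule is what carries the client's UDP reply back to the server's range port and the return half of each TCP stream, which is the "return connections for each established outbound connection" item in Don's list. Run tcp_range_sufficient against your own range first: with --with-tcpportrange=10080,10083, for instance, only four ports are available, which by Don's count serves a single backup at a time.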




Re: Amanda Through firewall

2004-07-14 Thread Andreas Sundstrom
Andreas Sundstrom wrote:
Paul Bijnens wrote:
Kaushal Shriyan wrote:
Can I allow amanda backup server to talk through firewall for accessing
amanda client host, Is there any way out

The general answer is to recompile amanda with a dedicated portrange
and open those ports in the firewall.  See the explanation in
docs/PORT.USAGE .
If the firewall is running Linux, it could be as easy as loading the
amanda netfilter modules "ip_conntrack_amanda" and maybe "ip_nat_amanda".
Beware of 2.6.6rc2 kernels that are reported to give some trouble:
  http://www.mail-archive.com/[EMAIL PROTECTED]/msg26094.html
I've not yet verified this.

Just a quick note here.. the actual change that broke it was between
2.6.6-rc1 and 2.6.6-rc2. 2.6.7 still messes things up for me if I load the
amanda nat modules.
It seems this might be fixed now; I noticed that some changes were committed
to 2.6.8-rc1 regarding the amanda conntrack stuff. So I searched the devel
archives for netfilter and came up with this:
http://lists.netfilter.org/pipermail/netfilter-devel/2004-June/015806.html
I haven't tried it, but I think that it fixes the problem introduced between
2.6.6-rc1 and 2.6.6-rc2.
/Andreas


Re: Amanda Through firewall

2004-07-13 Thread Paul Bijnens
Paul Bijnens wrote:

Following up on myself...
Again :-)
Paul Bijnens wrote:
Using the standard ip_conntrack module, you have to live with the
standard rather short UDP connection tracking timeout (5 minutes I 
believe).
It is 3 minutes.
From /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c :
#define UDP_TIMEOUT (30*HZ)
#define UDP_STREAM_TIMEOUT (180*HZ)
The first is for unreplied UDP packets, the second for UDP packets
that did get a reply (yes, amanda ACK's the request for estimate
before starting the estimate itself).
--
Paul Bijnens, Xplanation                            Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/  email:  [EMAIL PROTECTED]
***
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit,  ZZ, :q, :q!,  M-Z, ^X^C,  logoff, logout, close, bye,  /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* kill -9 1,  Alt-F4,  Ctrl-Alt-Del,  AltGr-NumLock,  Stop-A,  ...*
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out  *
***
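Paul's timeout figures as a check you can run on the firewall itself; this is an added example of mine, not part of the thread. It reads the kernel's UDP conntrack tunables where they exist (the nf_conntrack_* names are the current ones, ip_conntrack_* the 2.6-era ones; both paths are assumptions about your kernel) and otherwise uses the 30 s and 180 s defaults Paul quotes from ip_conntrack_proto_udp.c. The estimate length it compares against is the longest estimate you are prepared to wait for, the etimeout value in amanda.conf.

```shell
#!/bin/sh
# Added example: does the estimate reply still fit in the firewall's UDP
# connection-tracking window? Paul's point is that Amanda ACKs the estimate
# request immediately, so the conntrack entry is in the "replied" state and
# the estimate result must arrive before the stream timeout expires.

# Print the UDP stream (replied) timeout in seconds: live tunable if
# readable, otherwise UDP_STREAM_TIMEOUT (180*HZ) from the 2.6 source.
udp_stream_timeout() {
    for f in /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    echo 180
}

# Print the unreplied UDP timeout in seconds, falling back to
# UDP_TIMEOUT (30*HZ).
udp_timeout() {
    for f in /proc/sys/net/netfilter/nf_conntrack_udp_timeout \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    echo 30
}

# $1 = longest estimate allowed (amanda.conf etimeout, seconds),
# $2 = stream timeout. Returns 0 when the reply would still be tracked;
# an estimate that takes exactly the timeout is already too late.
estimate_fits() {
    [ "$1" -lt "$2" ]
}

# Report for the operator. The module and parameter named in the advice
# are the ones Paul mentions (ip_conntrack_amanda master_timeout=3600).
check_estimate_window() {
    etimeout=$1
    window=$(udp_stream_timeout)
    unreplied=$(udp_timeout)
    echo "conntrack UDP timeouts: unreplied ${unreplied}s, stream ${window}s"
    if estimate_fits "$etimeout" "$window"; then
        echo "ok: etimeout ${etimeout}s is inside the ${window}s stream timeout"
    else
        echo "warning: etimeout ${etimeout}s exceeds the ${window}s stream timeout;"
        echo "  load ip_conntrack_amanda master_timeout=3600 or shorten estimates"
    fi
}

check_estimate_window 300   # 300 s is the amanda.conf default for etimeout
```

On a firewall with the stock module the default run prints the warning, which is exactly the situation Paul describes: estimates have to finish inside the stream timeout unless the amanda helper module with a longer master_timeout is loaded.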



Re: Amanda Through firewall

2004-07-13 Thread Paul Bijnens
Following up on myself...
Paul Bijnens wrote:
Personally I use a third option (until I get my firewall upgraded
to use the amanda netfilter modules).  My firewall does simple
connection tracking and NAT.
I commented out this block in common-src/security.c
/* next, make sure the remote port is a "reserved" one */
/* Avoid trouble with NAT changing reserved ports in random ports
if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
    ap_snprintf(number, sizeof(number), "%d", ntohs(addr->sin_port));
    *errstr = vstralloc("[",
                        "host ", remotehost, ": ",
                        "port ", number, " not secure",
                        "]", NULL);
    amfree(remotehost);
    return 0;
}
*/
It's because of NAT that ports below 1024 get translated to some
arbitrary high number.  The security of this check is marginal in
these times when everyone can be root and use reserved ports on his
hackerbox.
With this setup, I only have to open ports from my amandaserver to
the DMZ-hosts. All the rest is taken care of by the normal connection
tracking.  (Correct me, if I missed something.)
Using the standard ip_conntrack module, you have to live with the
standard rather short UDP connection tracking timeout (5 minutes I believe).
For amanda this means that all the estimates must be finished within
that timeframe.
When using the netfilter "ip_conntrack_amanda master_timeout=3600"
you can increase this timeout as you please.



Re: Amanda Through firewall

2004-07-13 Thread Andreas Sundstrom
Paul Bijnens wrote:
Kaushal Shriyan wrote:
Can I allow amanda backup server to talk through firewall for accessing
amanda client host, Is there any way out

The general answer is to recompile amanda with a dedicated portrange
and open those ports in the firewall.  See the explanation in
docs/PORT.USAGE .
If the firewall is running Linux, it could be as easy as loading the
amanda netfilter modules "ip_conntrack_amanda" and maybe "ip_nat_amanda".
Beware of 2.6.6rc2 kernels that are reported to give some trouble:
  http://www.mail-archive.com/[EMAIL PROTECTED]/msg26094.html
I've not yet verified this.
Just a quick note here.. the actual change that broke it was between
2.6.6-rc1 and 2.6.6-rc2. 2.6.7 still messes things up for me if I load the
amanda nat modules.
/Andreas


Re: Amanda Through firewall

2004-07-13 Thread Gene Heskett
On Tuesday 13 July 2004 00:48, Kaushal Shriyan wrote:
>Can I allow amanda backup server to talk through firewall for
> accessing amanda client host, Is there any way out
>
>Any help

You'll have to open up some high numbered ports.  I think it's in the 
docs as to which ones, and which protocol.

I really should let those who are doing it answer these questions, my 
whole system is behind a firewall, so the machines don't have to 
worry about that, leaving me inexperienced at advising..

-- 
Cheers, Gene
There are 4 boxes to be used in defense of liberty. 
Soap, ballot, jury, and ammo.
Please use in that order, starting now.  -Ed Howdershelt, Author
Additions to this message made by Gene Heskett are Copyright 2004, 
Maurice E. Heskett, all rights reserved.


Re: Amanda Through firewall

2004-07-13 Thread Paul Bijnens
Kaushal Shriyan wrote:
Can I allow amanda backup server to talk through firewall for accessing
amanda client host, Is there any way out
The general answer is to recompile amanda with a dedicated portrange
and open those ports in the firewall.  See the explanation in
docs/PORT.USAGE .
If the firewall is running Linux, it could be as easy as loading the
amanda netfilter modules "ip_conntrack_amanda" and maybe "ip_nat_amanda".
Beware of 2.6.6rc2 kernels that are reported to give some trouble:
  http://www.mail-archive.com/[EMAIL PROTECTED]/msg26094.html
I've not yet verified this.
Personally I use a third option (until I get my firewall upgraded
to use the amanda netfilter modules).  My firewall does simple
connection tracking and NAT.
I commented out this block in common-src/security.c
/* next, make sure the remote port is a "reserved" one */
/* Avoid trouble with NAT changing reserved ports in random ports
if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
    ap_snprintf(number, sizeof(number), "%d", ntohs(addr->sin_port));
    *errstr = vstralloc("[",
                        "host ", remotehost, ": ",
                        "port ", number, " not secure",
                        "]", NULL);
    amfree(remotehost);
    return 0;
}
*/
It's because of NAT that ports below 1024 get translated to some
arbitrary high number.  The security of this check is marginal in
these times when everyone can be root and use reserved ports on his
hackerbox.
With this setup, I only have to open ports from my amandaserver to
the DMZ-hosts. All the rest is taken care of by the normal connection
tracking.  (Correct me, if I missed something.)



Re: Amanda Through firewall

2004-07-12 Thread Bert_De_Ridder

There is an excellent how-to about this in the Amanda Faq-O-Matic:

http://amanda.sourceforge.net/cgi-bin/fom?_highlightWords=10080&file=139

HTH


Bert De Ridder

PeopleWare NV - Head Office
Cdt.Weynsstraat 85 
B-2660 Hoboken 
Tel: +32 3 448.33.38 
Fax: +32 3 448.32.66 

PeopleWare NV - Branch Office Geel
Kleinhoefstraat 5
B-2440 Geel
Tel: +32 14 57.00.90
Fax: +32 14 58.13.25

http://www.peopleware.be

http://www.mobileware.be

Kaushal Shriyan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
13/07/2004 06:48
To: [EMAIL PROTECTED]
cc:
Subject: Amanda Through firewall

Can I allow amanda backup server to talk through firewall for accessing
amanda client host, Is there any way out

Any help

-- 

Regards,

Kaushal Shriyan

Technical Engineer
Red Hat India Pvt. Ltd.
Tel  : +91-22-22881326/27
Fax  : +91-22-22881318


Amanda Through firewall

2004-07-12 Thread Kaushal Shriyan
Can I allow amanda backup server to talk through firewall for accessing
amanda client host, Is there any way out

Any help

-- 

Regards,

Kaushal Shriyan

Technical Engineer
Red Hat India Pvt. Ltd.
Tel  : +91-22-22881326/27
Fax  : +91-22-22881318