Cannot backup firewall

2003-11-20 Thread Rebecca Pakish Crum
Hi all

I'm running amanda 2.4.2p2 on a RH box as my backup server. I installed
the amanda client on my (sol8) firewall on Friday, and set up a rule for
the server to get to the firewall for amanda services - amcheck runs
fine and reports no errors. But when my amdump kicks off at night, my
report says:

firewall.unter /export/home/rebecca lev 0 FAILED [could not connect to
firewall.unterlaw.com]

In /tmp/amanda on the firewall, I have all of the *.debug files one
would expect to see
# cd /tmp/amanda
# ls
amandad.20031117153500.debug amandad.20031119041352.debug
runtar.20031120030511.debug  sendbackup.20031119041352.debug
amandad.20031118030502.debug amandad.20031119153507.debug
selfcheck.20031117153500.debug   sendbackup.20031120030744.debug
amandad.20031118030754.debug amandad.20031120030511.debug
selfcheck.20031118153504.debug   sendbackup.20031120041558.debug
amandad.20031118041513.debug amandad.20031120030744.debug
selfcheck.20031119153507.debug   sendsize.20031118030503.debug
amandad.20031118153503.debug amandad.20031120041558.debug
sendbackup.20031118030754.debug  sendsize.20031119030508.debug
amandad.20031119030508.debug runtar.20031118030503.debug
sendbackup.20031118041513.debug  sendsize.20031120030511.debug
amandad.20031119030759.debug runtar.20031119030508.debug
sendbackup.20031119030759.debug


# vi sendbackup.20031120030744.debug 
sendbackup: debug 1 pid 8244 ruid 1005 euid 1005 start time Thu Nov 20 03:07:44 2003
/usr/local/libexec/sendbackup: version 2.4.2p2
sendbackup: got input request: GNUTAR /export/home/rebecca 0 1970:1:1:0:0:0 OPTIONS |;bsd-auth;index;exclude-list=/usr/local/lib/amanda/exclude.gtar;
  parsed request as: program `GNUTAR'
 disk `/export/home/rebecca'
 lev 0
 since 1970:1:1:0:0:0
 opt `|;bsd-auth;index;exclude-list=/usr/local/lib/amanda/exclude.gtar;'
sendbackup: exclude list file /usr/local/lib/amanda/exclude.gtar does not exist, ignoring
sendbackup: try_socksize: send buffer size is 65536
sendbackup: stream_server: waiting for connection: 0.0.0.0.32886
sendbackup: stream_server: waiting for connection: 0.0.0.0.32887
sendbackup: stream_server: waiting for connection: 0.0.0.0.32888
  waiting for connect on 32886, then 32887, then 32888
sendbackup: stream_accept: timeout after 30 seconds
sendbackup: timeout on data port 32886
sendbackup: stream_accept: timeout after 30 seconds
sendbackup: timeout on mesg port 32887
sendbackup: stream_accept: timeout after 30 seconds
sendbackup: timeout on index port 32888
sendbackup: pid 8244 finish time Thu Nov 20 03:09:14 2003

The firewall is trying to do its thing... but it can't get back to the
server... what's up with that?
Help!

Rebecca A. Crum  
Systems Administrator 
Unterberg  Associates, P.C. 
(219) 736-5579 ext. 184 





Re: Cannot backup firewall

2003-11-20 Thread Joshua Baker-LePain
On Thu, 20 Nov 2003 at 8:26am, Rebecca Pakish Crum wrote:

> I'm running amanda 2.4.2p2 on a RH box as my backup server. I installed
> the amanda client on my (sol8) firewall on Friday, and set up a rule for
> the server to get to the firewall for amanda services - amcheck runs
> fine and reports no errors. But when my amdump kicks off at night, my
> report says:
>
> firewall.unter /export/home/rebecca lev 0 FAILED [could not connect to
> firewall.unterlaw.com]

You have to allow traffic on not just the amanda port, but also high 
numbered TCP ports for the data connections.  On Linux clients, I put in 
the following iptables rules:

# Amanda from chaos
-A INPUT -p udp -s $SERVER_IP_ADDRESS -d 0/0 --dport 10080 -j ACCEPT
-A INPUT -p tcp -m tcp -s $SERVER_IP_ADDRESS -d 0/0 --dport 1025:65535 -j ACCEPT

With just the first rule (allowing UDP traffic to port 10080), the client 
will pass amcheck but fail amdump.  The second rule (allowing TCP 
traffic to all non-privileged ports) actually allows data to flow.

-- 
Joshua Baker-LePain
Department of Biomedical Engineering
Duke University
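
Added example, not part of either message: a Python sketch that reads a sendbackup debug file like the one quoted in the first message, lists which TCP stream ports timed out waiting for the server, and checks each against the 1025:65535 range from the iptables rule in the reply. The function names are hypothetical, and the sample text is constructed from the log excerpt in the thread.

```python
import re
import sys

# Constructed sample: the sendbackup debug lines quoted in the first message.
SAMPLE = """\
sendbackup: stream_server: waiting for connection: 0.0.0.0.32886
sendbackup: stream_server: waiting for connection: 0.0.0.0.32887
sendbackup: stream_server: waiting for connection: 0.0.0.0.32888
sendbackup: stream_accept: timeout after 30 seconds
sendbackup: timeout on data port 32886
sendbackup: stream_accept: timeout after 30 seconds
sendbackup: timeout on mesg port 32887
sendbackup: stream_accept: timeout after 30 seconds
sendbackup: timeout on index port 32888
"""

LISTEN = re.compile(r"stream_server: waiting for connection: [\d.]+\.(\d+)\s*$")
TIMEOUT = re.compile(r"timeout on (\w+) port (\d+)")
RULE_RANGE = (1025, 65535)  # --dport range from the iptables rule in the reply


def diagnose(text):
    """Return (ports sendbackup listened on, {port: stream} that timed out)."""
    listening, timed_out = [], {}
    for line in text.splitlines():
        m = LISTEN.search(line)
        if m:
            listening.append(int(m.group(1)))
        m = TIMEOUT.search(line)
        if m:
            timed_out[int(m.group(2))] = m.group(1)
    return listening, timed_out


def report(text):
    """One line per listening port: accepted or timed out, and rule coverage."""
    listening, timed_out = diagnose(text)
    lo, hi = RULE_RANGE
    out = []
    for port in listening:
        state = f"timed out ({timed_out[port]} stream)" if port in timed_out else "connected"
        covered = "inside" if lo <= port <= hi else "outside"
        out.append(f"tcp/{port}: {state}; {covered} {lo}:{hi}")
    return out


if __name__ == "__main__":
    # Pass sendbackup.*.debug paths as arguments, or run on the sample.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE]
    for t in texts:
        print("\n".join(report(t)))
```

When every listening port shows a timeout while amcheck still passes, the UDP 10080 request is reaching the client but the server's TCP connections to the data, mesg and index ports are being dropped.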