Re: Amanda Through firewall
Andreas Sundstrom wrote: Paul Bijnens wrote: Kaushal Shriyan wrote: Can I allow amanda backup server to talk through firewall for accessing amanda client host, Is there any way out The general answer is to recompile amanda with a dedicated portrange and open those ports in the firewall. See the explanation in docs/PORT.USAGE . If the firewall is running Linux, it could be as easy as loading the amanda netfilter modules ip_conntrack_amanda and maybe ip_nat_amanda. Beware of 2.6.6rc2 kernel that are reported to give some trouble: http://www.mail-archive.com/[EMAIL PROTECTED]/msg26094.html I've not yet verified this. Just a quick note here.. the actual change that broke it were between 2.6.6-rc1 and 2.6.6-rc2. 2.6.7 still mess things up for me if I load the amanda nat modules. It seems this might be fixed now, I noticed that some changes were commited to 2.6.8-rc1 regarding the amanda conntrack stuff. So i searched the devel archives for netfilter and came up with this. http://lists.netfilter.org/pipermail/netfilter-devel/2004-June/015806.html Haven't tried it but I think that it fixes the problem introduced between 2.6.6-rc1 and 2.6.6-rc2. /Andreas
Re: Amanda Through firewall
Kaushal Shriyan wrote:
Can I allow amanda backup server to talk through firewall for accessing
amanda client host, Is there any way out
The general answer is to recompile amanda with a dedicated portrange
and open those ports in the firewall. See the explanation in
docs/PORT.USAGE .
If the firewall is running Linux, it could be as easy as loading the
amanda netfilter modules ip_conntrack_amanda and maybe ip_nat_amanda.
Beware of 2.6.6rc2 kernel that are reported to give some trouble:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg26094.html
I've not yet verified this.
Personnally I use a third option (until I get my firewall upgraded
to use the amanda netfilter modules). My firewall does simple
connection tracking and NAT.
I commented out this block in common-src/security.c
230 /* next, make sure the remote port is a reserved one */
231 /* Avoid trouble with NAT changing reserved ports in random ports
232 if(ntohs(addr-sin_port) = IPPORT_RESERVED) {
233 ap_snprintf(number, sizeof(number), %d,
ntohs(addr-sin_port));
234 *errstr = vstralloc([,
235 host , remotehost, : ,
236 port , number, not secure,
237 ], NULL);
238 amfree(remotehost);
239 return 0;
240 }
241 */
It's because of NAT that ports below 1024 get translated to some
arbitrary high number. The security of this check is marginal in
these times when everyone can be root and use reserved ports on his
hackerbox.
With this setup, I only have to open ports from my amandaserver to
the DMZ-hosts. All the rest is taken care of by the normal connection
tracking. (Correct me, if I missed something.)
--
Paul Bijnens, XplanationTel +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUMFax +32 16 397.512
http://www.xplanation.com/ email: [EMAIL PROTECTED]
***
* I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, *
* kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ...*
* ... Are you sure? ... YES ... Phew ... I'm out *
***
Re: Amanda Through firewall
On Tuesday 13 July 2004 00:48, Kaushal Shriyan wrote: Can I allow amanda backup server to talk through firewall for accessing amanda client host, Is there any way out Any help You'll have to open up some high numbered ports. I think its in the docs as to which ones, and which protocol. I really should let those who are doing it answer these questions, my whole system is behind a firewall, so the machines don't have to worry about that, leaving me inexperienced at advising.. -- Cheers, Gene There are 4 boxes to be used in defense of liberty. Soap, ballot, jury, and ammo. Please use in that order, starting now. -Ed Howdershelt, Author Additions to this message made by Gene Heskett are Copyright 2004, Maurice E. Heskett, all rights reserved.
Re: Amanda Through firewall
Paul Bijnens wrote: Kaushal Shriyan wrote: Can I allow amanda backup server to talk through firewall for accessing amanda client host, Is there any way out The general answer is to recompile amanda with a dedicated portrange and open those ports in the firewall. See the explanation in docs/PORT.USAGE . If the firewall is running Linux, it could be as easy as loading the amanda netfilter modules ip_conntrack_amanda and maybe ip_nat_amanda. Beware of 2.6.6rc2 kernel that are reported to give some trouble: http://www.mail-archive.com/[EMAIL PROTECTED]/msg26094.html I've not yet verified this. Just a quick note here.. the actual change that broke it were between 2.6.6-rc1 and 2.6.6-rc2. 2.6.7 still mess things up for me if I load the amanda nat modules. /Andreas
Re: Amanda Through firewall
Following up on myself...
Paul Bijnens wrote:
Personnally I use a third option (until I get my firewall upgraded
to use the amanda netfilter modules). My firewall does simple
connection tracking and NAT.
I commented out this block in common-src/security.c
230 /* next, make sure the remote port is a reserved one */
231 /* Avoid trouble with NAT changing reserved ports in random ports
232 if(ntohs(addr-sin_port) = IPPORT_RESERVED) {
233 ap_snprintf(number, sizeof(number), %d,
ntohs(addr-sin_port));
234 *errstr = vstralloc([,
235 host , remotehost, : ,
236 port , number, not secure,
237 ], NULL);
238 amfree(remotehost);
239 return 0;
240 }
241 */
It's because of NAT that ports below 1024 get translated to some
arbitrary high number. The security of this check is marginal in
these times when everyone can be root and use reserved ports on his
hackerbox.
With this setup, I only have to open ports from my amandaserver to
the DMZ-hosts. All the rest is taken care of by the normal connection
tracking. (Correct me, if I missed something.)
Using the standard ip_conntrack module, you have to live with the
standard rather short UDP connection tracking timeout (5 minutes I believe).
For amanda this means that all the estimates must be finished within
that timeframe.
When using the netfilter ip_conntrack_amanda master_timeout=3600
you can increase this timeout as you please.
--
Paul Bijnens, XplanationTel +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUMFax +32 16 397.512
http://www.xplanation.com/ email: [EMAIL PROTECTED]
***
* I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, *
* kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ...*
* ... Are you sure? ... YES ... Phew ... I'm out *
***
Re: Amanda Through firewall
Paul Bijnens wrote: Following up on myself... Again :-) Paul Bijnens wrote: Using the standard ip_conntrack module, you have to live with the standard rather short UDP connection tracking timeout (5 minutes I believe). It is 3 minutes. From /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c : #define UDP_TIMEOUT (30*HZ) #define UDP_STREAM_TIMEOUT (180*HZ) The first is for unreplied UDP packets, the second for UDP packets that did get a reply (yes, amanda ACK's the request for estimate before starting the estimate itself). -- Paul Bijnens, XplanationTel +32 16 397.511 Technologielaan 21 bus 2, B-3001 Leuven, BELGIUMFax +32 16 397.512 http://www.xplanation.com/ email: [EMAIL PROTECTED] *** * I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, F6, * * quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, * * stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, * * PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, * * kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ...* * ... Are you sure? ... YES ... Phew ... I'm out * ***
Re: Amanda Through firewall
There is an excellent how-to about this in the Amanda Faq-O-Matic : http://amanda.sourceforge.net/cgi-bin/fom?_highlightWords=10080file=139 HTH Bert De Ridder PeopleWare NV - Head Office Cdt.Weynsstraat 85 B-2660 Hoboken Tel: +32 3 448.33.38 Fax: +32 3 448.32.66 PeopleWare NV - Branch Office Geel Kleinhoefstraat 5 B-2440 Geel Tel: +32 14 57.00.90 Fax: +32 14 58.13.25 http://www.peopleware.be http://www.mobileware.be Kaushal Shriyan [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 13/07/2004 06:48 To [EMAIL PROTECTED] cc Subject Amanda Through firewall Can I allow amanda backup server to talk through firewall for accessing amanda client host, Is there any way out Any help -- Regards, Kaushal Shriyan Technical Engineer Red Hat India Pvt. Ltd. Tel : +91-22-22881326/27 Fax : +91-22-22881318
