Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
On 2006-02-20 14:51, Chuck Amadi Systems Administrator wrote:
> Amanda Backup Client Hosts Check
> ERROR: server.my.co.uk: [access as amanda not allowed from [EMAIL PROTECTED] co.uk]
> open of /home/amanda/.amandahosts failed
> Client check: 4 hosts checked in 10.078 seconds, 1 problem found
>
> I created a dir and file /var/lib/amanda/.amandahosts file.
> I have of course not got a /home/amanda/.amandahosts on my fw.my.co.uk server.
> So should I create a user and the necessary dir and files?

What is the home directory of the user Amanda? I.e. what is the sixth
field in /etc/passwd of that client (not the server!)?

So on that client, add the next line to the .amandahosts file:

amanda fw.my.co.uk

> Thus added to .amandahosts file:
> I haven't created a user amanda or group disk yet, but am I on the right
> track with this new amcheck error?
>
> localhost amanda
> localhost root
> server.my.co.uk amanda
> server.my.co.uk root
> tape-server.myl.co.uk amanda
> tape-server.my.co.uk root

See also:
http://wiki.zmanda.com/index.php/Amcheck:_access_as_localuser_not_allowed_from_remoteuser%40remotehost

--
Paul Bijnens, xplanation Technology Services        Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/          email: [EMAIL PROTECTED]
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup,   *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown,   *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...  "Are you sure?"  ... YES   ...   Phew ...  I'm out              *
***********************************************************************
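The .amandahosts lookup behind the "access as amanda not allowed from ..." error, as an added example written for this page (it is not Amanda's own code): it reads a file in the "hostname username" per-line format shown above, decides whether the requesting remoteuser@remotehost is listed, and builds the same error text when it is not. Host matching is a case-insensitive string comparison, which is a simplification: the real check compares the resolved name of the peer. The sample file is Chuck's list as pasted; note that it spells the amanda line tape-server.myl.co.uk, so amanda@tape-server.my.co.uk does not match it, while root@tape-server.my.co.uk does.

```c
/* Added example, not Amanda's code: a model of the .amandahosts check.
 * Assumed format (matches the sample in the thread): one "hostname username"
 * pair per line; '#' starts a comment; blank or malformed lines are skipped.
 * Hostnames compare case-insensitively as plain strings (simplification:
 * real Amanda compares the resolved peer name). */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Returns 1 if remoteuser@remotehost has a matching line, else 0. */
static int amandahosts_allows(const char *contents,
                              const char *remotehost, const char *remoteuser)
{
    char line[256];
    const char *p = contents;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        size_t copy = len < sizeof line - 1 ? len : sizeof line - 1;
        memcpy(line, p, copy);
        line[copy] = '\0';
        p += len + (nl ? 1 : 0);

        char *hash = strchr(line, '#');      /* strip trailing comment */
        if (hash) *hash = '\0';

        char host[128], user[128];
        if (sscanf(line, "%127s %127s", host, user) != 2)
            continue;                        /* blank, comment-only, or malformed */
        if (strcasecmp(host, remotehost) == 0 && strcmp(user, remoteuser) == 0)
            return 1;
    }
    return 0;
}

/* Wraps the lookup and, on refusal, writes the error text in the shape
 * amcheck reports: "[access as <localuser> not allowed from <user>@<host>]". */
static int check_access(const char *contents, const char *localuser,
                        const char *remotehost, const char *remoteuser,
                        char *err, size_t errlen)
{
    if (amandahosts_allows(contents, remotehost, remoteuser)) {
        err[0] = '\0';
        return 1;
    }
    snprintf(err, errlen, "[access as %s not allowed from %s@%s]",
             localuser, remoteuser, remotehost);
    return 0;
}

/* Constructed sample: the .amandahosts content Chuck pasted, verbatim. */
static const char CHUCK_AMANDAHOSTS[] =
    "localhost amanda\n"
    "localhost root\n"
    "server.my.co.uk amanda\n"
    "server.my.co.uk root\n"
    "tape-server.myl.co.uk amanda\n"
    "tape-server.my.co.uk root\n";

int main(void)
{
    const char *peers[][2] = {
        { "server.my.co.uk", "amanda" },       /* listed: accepted            */
        { "fw.my.co.uk", "amanda" },           /* the NAT firewall: no line   */
        { "tape-server.my.co.uk", "amanda" },  /* typo "myl" in file: refused */
        { "tape-server.my.co.uk", "root" },    /* listed: accepted            */
    };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        char err[160];
        int ok = check_access(CHUCK_AMANDAHOSTS, "amanda",
                              peers[i][0], peers[i][1], err, sizeof err);
        printf("%s@%s -> %s %s\n", peers[i][1], peers[i][0],
               ok ? "allowed" : "refused", err);
    }
    return 0;
}
```

The error string is built from the three names the check actually used, which is what makes the real message useful: the remoteuser@remotehost it names is the identity the client saw, so a firewall name appearing there (as in the thread) points at NAT rather than at the file's content.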
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
Hi Paul

[EMAIL PROTECTED]:/root> /usr/sbin/amcheck DailySet1
Amanda Tape Server Host Check
Holding disk /backup/amanda-daily: 5216316 KB disk space available, that's plenty
NOTE: skipping tape-writable test
Tape SMTLSet102 label ok
WARNING: info file /var/lib/amanda/DailySet1/curinfo/server.my.co.uk/_/info: does not exist
Server check took 8.838 seconds

Amanda Backup Client Hosts Check
ERROR: server.my.co.uk: [access as amanda not allowed from [EMAIL PROTECTED] co.uk]
open of /home/amanda/.amandahosts failed
Client check: 4 hosts checked in 10.078 seconds, 1 problem found

I created a dir and file /var/lib/amanda/.amandahosts file.
I have of course not got a /home/amanda/.amandahosts on my fw.my.co.uk server.
So should I create a user and the necessary dir and files?

Thus added to .amandahosts file:
I haven't created a user amanda or group disk yet, but am I on the right
track with this new amcheck error?

localhost amanda
localhost root
server.my.co.uk amanda
server.my.co.uk root
tape-server.myl.co.uk amanda
tape-server.my.co.uk root

Cheers Paul and List.

On Mon, 2006-02-20 at 12:33 +0100, Paul Bijnens wrote:
> On 2006-02-20 12:29, Paul Bijnens wrote:
> > On Thu, 2006-02-16 at 17:52 +0100, Paul Bijnens wrote:
> >
> > You find this section:
> >
> >     229
> >     230     /* next, make sure the remote port is a "reserved" one */
> >     231
> >     232     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
> >     233         ap_snprintf(number, sizeof(number), "%d",
> >                             ntohs(addr->sin_port));
> >     234         *errstr = vstralloc("[",
> >     235                             "host ", remotehost, ": ",
> >     236                             "port ", number, " not secure",
> >     237                             "]", NULL);
> >     238         amfree(remotehost);
> >     239         return 0;
> >     240     }
> >
> > and make the test succeed always, by changing line 232:
> >
> >     232     if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) {
> >
> > i.e. add the "1 ||" string to the if statement.
>
> Oops, that should have been: "0 &&", not "1 ||".
> The idea is to make this always fail, not always succeed.
>
> PS. btw, any mail to "[EMAIL PROTECTED]" bounces!

--
Unix/Linux Systems Administrator Chuck Amadi
The Surgical Material Testing Laboratory (SMTL), Princess of Wales Hospital
Coity Road, Bridgend, United Kingdom, CF31 1RQ.
Email chuck.smtl.co.uk
Tel: +44 1656 752820
Fax: +44 1656 752830
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
On 2006-02-20 12:29, Paul Bijnens wrote:
> On Thu, 2006-02-16 at 17:52 +0100, Paul Bijnens wrote:
>
> You find this section:
>
>     229
>     230     /* next, make sure the remote port is a "reserved" one */
>     231
>     232     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>     233         ap_snprintf(number, sizeof(number), "%d",
>                             ntohs(addr->sin_port));
>     234         *errstr = vstralloc("[",
>     235                             "host ", remotehost, ": ",
>     236                             "port ", number, " not secure",
>     237                             "]", NULL);
>     238         amfree(remotehost);
>     239         return 0;
>     240     }
>
> and make the test succeed always, by changing line 232:
>
>     232     if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>
> i.e. add the "1 ||" string to the if statement.

Oops, that should have been: "0 &&", not "1 ||".
The idea is to make this always fail, not always succeed.

PS. btw, any mail to "[EMAIL PROTECTED]" bounces!

--
Paul Bijnens, xplanation Technology Services        Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/          email: [EMAIL PROTECTED]
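A stand-alone model of the reserved-port check from common-src/security.c quoted above, added here as an example (it is not Amanda's code; ap_snprintf, vstralloc and amfree are replaced by plain libc calls, and the peer address is constructed inside the block). It runs the three forms of the line-232 test side by side, which is the point of Paul's correction: "1 ||" makes the rejection branch unconditional, so every peer is refused, while "0 &&" makes it unreachable, so the NAT-rewritten source port 62679 is accepted exactly like a reserved one. The third column also shows what the patch gives up on that client: it no longer distinguishes a request that left a root-only port from any other.

```c
/* Added example, not Amanda's code: the reserved-port check of
 * common-src/security.c modelled with the original test and the two
 * edits discussed in the thread ("1 ||" and "0 &&") selectable at run time. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>   /* struct sockaddr_in, IPPORT_RESERVED */
#include <arpa/inet.h>    /* ntohs, htons */

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024   /* fallback; glibc/BSD define it as 1024 */
#endif

enum port_policy {
    POLICY_ORIGINAL,      /* if(ntohs(addr->sin_port) >= IPPORT_RESERVED)      */
    POLICY_ALWAYS_TRUE,   /* if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) */
    POLICY_ALWAYS_FALSE   /* if(0 && ntohs(addr->sin_port) >= IPPORT_RESERVED) */
};

/* Returns 1 if the peer is accepted, 0 if rejected. On rejection errstr
 * receives the same "[host X: port N not secure]" text Amanda builds. */
static int check_remote_port(enum port_policy policy,
                             const struct sockaddr_in *addr,
                             const char *remotehost,
                             char *errstr, size_t errlen)
{
    int insecure;
    switch (policy) {
    case POLICY_ALWAYS_TRUE:
        insecure = 1 || ntohs(addr->sin_port) >= IPPORT_RESERVED;  /* branch always taken */
        break;
    case POLICY_ALWAYS_FALSE:
        insecure = 0 && ntohs(addr->sin_port) >= IPPORT_RESERVED;  /* branch never taken */
        break;
    default:
        insecure = ntohs(addr->sin_port) >= IPPORT_RESERVED;       /* the shipped check */
        break;
    }
    if (insecure) {
        snprintf(errstr, errlen, "[host %s: port %d not secure]",
                 remotehost, ntohs(addr->sin_port));
        return 0;
    }
    errstr[0] = '\0';
    return 1;
}

/* Builds a peer address with the given host-order source port (constructed). */
static struct sockaddr_in peer_with_port(int port_host_order)
{
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons((uint16_t)port_host_order);
    return a;
}

/* Convenience wrapper: does policy accept a request from this source port? */
static int accepts(enum port_policy policy, int port)
{
    char err[128];
    struct sockaddr_in a = peer_with_port(port);
    return check_remote_port(policy, &a, "fw.my.co.uk", err, sizeof err);
}

int main(void)
{
    /* 1001 is inside the udp range Chuck compiled in; 62679 is the source
     * port the client saw after the NAT firewall rewrote it (from the thread). */
    const int ports[] = { 1001, 62679 };
    const char *names[] = { "original", "1 ||", "0 &&" };
    for (int p = 0; p < 2; p++) {
        for (int i = 0; i < 3; i++) {
            char err[128];
            struct sockaddr_in a = peer_with_port(ports[p]);
            int ok = check_remote_port((enum port_policy)i, &a, "fw.my.co.uk",
                                       err, sizeof err);
            printf("port %5d  test %-9s -> %s %s\n",
                   ports[p], names[i], ok ? "accept" : "reject", err);
        }
    }
    return 0;
}
```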
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
On 2006-02-20 12:12, Chuck Amadi Systems Administrator wrote:
> Hi Paul
>
> I just want my server that is on the other side of my LAN, which of course
> is where the tape server resides, which is separated by my ipchains
> firewall, to allow responses from the server through the firewall to my
> tape server.
>
> I have recompiled with the UDP and TCP portrange switch and edited the
> common-src/security.c file with the "1 ||" within the line 232 if statement.
>
> When I run tcpdump port 10080 on the server and then in another window on
> the tape server amcheck DailySet1, I see on the server that insecure port >6
> is still being used and not the one I defined when I recompiled the amanda
> client using port range and common-src/security.c file.

Of course that is expected: the Network Address Translation in the
firewall changes your restricted udp-range to a port range > 6.

But the "1 ||" string that you added in line 232 makes this not a fatal
error. Now the client should accept such a port, even if the source port
seems to be insecure.

So, explain me again, what is wrong now.
If you still have a client complaining about a non-secure port, then you
had a problem with recompiling that client software.

> Any other suggestions other than migrating the firewall to iptables, which
> I will do eventually after a lot of other things on my to-do list.
>
> Cheers
>
> On Fri, 2006-02-17 at 13:26 +0100, Paul Bijnens wrote:
>> On 2006-02-17 13:23, Chuck Amadi Systems Administrator wrote:
>>> As you stated it's still forking to the firewall ipnumber and not the
>>> tape server.
>>
>> ("...forking..." ??? I'm afraid I don't understand that word in
>> this context...)
>>
>> Yes, as expected, the client sees the request coming from the
>> NAT-firewall itself, but is that a problem?
>>
>>> Cheers for your help
>>>
>>> On Thu, 2006-02-16 at 17:52 +0100, Paul Bijnens wrote:
>>>> On 02/16/2006 05:02 PM, Chuck Amadi Systems Administrator wrote:
>>>>> Hi List sorry for the continuous cries for help.
>>>>>
>>>>> Regarding Amanda and ipchains rules it didn't work: Amanda client on
>>>>> server was still forking to secure ports that weren't in my udp range.
>>>>> I run tcpdump port 10080 on server.
>>>>> ERROR [host firewall.my.co.uk: port 64524 not secure]
>>>>
>>>> So the firewall does NAT (that is why, from the client's point of view,
>>>> the ipnumber is the firewall itself, and not the amanda server, and the
>>>> portnumber is >6).
>>>>
>>>> So, as already said, you should patch the client amanda software only
>>>> for that host (i.e. no need to install that version on any other machine
>>>> or amanda server), to disable the check for a udp source port < 1024:
>>>>
>>>> For amanda 2.4.5p1, edit the file common-src/security.c:
>>>>
>>>> You find this section:
>>>>
>>>>     229
>>>>     230     /* next, make sure the remote port is a "reserved" one */
>>>>     231
>>>>     232     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>>>>     233         ap_snprintf(number, sizeof(number), "%d",
>>>>                             ntohs(addr->sin_port));
>>>>     234         *errstr = vstralloc("[",
>>>>     235                             "host ", remotehost, ": ",
>>>>     236                             "port ", number, " not secure",
>>>>     237                             "]", NULL);
>>>>     238         amfree(remotehost);
>>>>     239         return 0;
>>>>     240     }
>>>>
>>>> and make the test succeed always, by changing line 232:
>>>>
>>>>     232     if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>>>>
>>>> i.e. add the "1 ||" string to the if statement.

--
Paul Bijnens, xplanation Technology Services        Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/          email: [EMAIL PROTECTED]
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
Hi Paul

I just want my server that is on the other side of my LAN, which of course
is where the tape server resides, which is separated by my ipchains
firewall, to allow responses from the server through the firewall to my
tape server.

I have recompiled with the UDP and TCP portrange switch and edited the
common-src/security.c file with the "1 ||" within the line 232 if statement.

When I run tcpdump port 10080 on the server and then in another window on
the tape server amcheck DailySet1, I see on the server that insecure port >6
is still being used and not the one I defined when I recompiled the amanda
client using port range and common-src/security.c file.

Any other suggestions other than migrating the firewall to iptables, which
I will do eventually after a lot of other things on my to-do list.

Cheers

On Fri, 2006-02-17 at 13:26 +0100, Paul Bijnens wrote:
> On 2006-02-17 13:23, Chuck Amadi Systems Administrator wrote:
>> As you stated it's still forking to the firewall ipnumber and not the
>> tape server.
>
> ("...forking..." ??? I'm afraid I don't understand that word in
> this context...)
>
> Yes, as expected, the client sees the request coming from the
> NAT-firewall itself, but is that a problem?
>
>> Cheers for your help
>>
>> On Thu, 2006-02-16 at 17:52 +0100, Paul Bijnens wrote:
>>> On 02/16/2006 05:02 PM, Chuck Amadi Systems Administrator wrote:
>>>> Hi List sorry for the continuous cries for help.
>>>>
>>>> Regarding Amanda and ipchains rules it didn't work: Amanda client on
>>>> server was still forking to secure ports that weren't in my udp range.
>>>> I run tcpdump port 10080 on server.
>>>> ERROR [host firewall.my.co.uk: port 64524 not secure]
>>>
>>> So the firewall does NAT (that is why, from the client's point of view,
>>> the ipnumber is the firewall itself, and not the amanda server, and the
>>> portnumber is >6).
>>>
>>> So, as already said, you should patch the client amanda software only
>>> for that host (i.e. no need to install that version on any other machine
>>> or amanda server), to disable the check for a udp source port < 1024:
>>>
>>> For amanda 2.4.5p1, edit the file common-src/security.c:
>>>
>>> You find this section:
>>>
>>>     229
>>>     230     /* next, make sure the remote port is a "reserved" one */
>>>     231
>>>     232     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>>>     233         ap_snprintf(number, sizeof(number), "%d",
>>>                             ntohs(addr->sin_port));
>>>     234         *errstr = vstralloc("[",
>>>     235                             "host ", remotehost, ": ",
>>>     236                             "port ", number, " not secure",
>>>     237                             "]", NULL);
>>>     238         amfree(remotehost);
>>>     239         return 0;
>>>     240     }
>>>
>>> and make the test succeed always, by changing line 232:
>>>
>>>     232     if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>>>
>>> i.e. add the "1 ||" string to the if statement.

--
Unix/Linux Systems Administrator Chuck Amadi
The Surgical Material Testing Laboratory (SMTL), Bridgend
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
Hi Paul

Nah, still getting the ipnumber of the firewall, not the tape server.

# tcpdump port 10080
tcpdump: listening on eth0
13:37:12.636083 firewall.my.co.uk.62374 > server.my.co.uk.amanda: udp 117 (DF)
13:37:22.740457 firewall.my.co.uk.62374 > server.my.co.uk.amanda: udp 117 (DF)
13:37:32.800639 firewall.my.co.uk.62374 > server.my.co.uk.amanda: udp 117 (DF)

Thus DF means packets are still fragmented and not getting through.

Any other ideas.

Cheers for your help

On Thu, 2006-02-16 at 17:52 +0100, Paul Bijnens wrote:
> On 02/16/2006 05:02 PM, Chuck Amadi Systems Administrator wrote:
>> Hi List sorry for the continuous cries for help.
>>
>> Regarding Amanda and ipchains rules it didn't work: Amanda client on server
>> was still forking to secure ports that weren't in my udp range. I run
>> tcpdump port 10080 on server.
>> ERROR [host firewall.my.co.uk: port 64524 not secure]
>
> So the firewall does NAT (that is why, from the client's point of view,
> the ipnumber is the firewall itself, and not the amanda server, and the
> portnumber is >6).
>
> So, as already said, you should patch the client amanda software only
> for that host (i.e. no need to install that version on any other machine
> or amanda server), to disable the check for a udp source port < 1024:
>
> For amanda 2.4.5p1, edit the file common-src/security.c:
>
> You find this section:
>
>     229
>     230     /* next, make sure the remote port is a "reserved" one */
>     231
>     232     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>     233         ap_snprintf(number, sizeof(number), "%d",
>                             ntohs(addr->sin_port));
>     234         *errstr = vstralloc("[",
>     235                             "host ", remotehost, ": ",
>     236                             "port ", number, " not secure",
>     237                             "]", NULL);
>     238         amfree(remotehost);
>     239         return 0;
>     240     }
>
> and make the test succeed always, by changing line 232:
>
>     232     if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>
> i.e. add the "1 ||" string to the if statement.

--
Unix/Linux Systems Administrator Chuck Amadi
The Surgical Material Testing Laboratory (SMTL), Bridgend
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
On 2006-02-17 13:23, Chuck Amadi Systems Administrator wrote:
> As you stated it's still forking to the firewall ipnumber and not the
> tape server.

("...forking..." ??? I'm afraid I don't understand that word in
this context...)

Yes, as expected, the client sees the request coming from the
NAT-firewall itself, but is that a problem?

> Cheers for your help
>
> On Thu, 2006-02-16 at 17:52 +0100, Paul Bijnens wrote:
>> On 02/16/2006 05:02 PM, Chuck Amadi Systems Administrator wrote:
>>> Hi List sorry for the continuous cries for help.
>>>
>>> Regarding Amanda and ipchains rules it didn't work: Amanda client on
>>> server was still forking to secure ports that weren't in my udp range.
>>> I run tcpdump port 10080 on server.
>>> ERROR [host firewall.my.co.uk: port 64524 not secure]
>>
>> So the firewall does NAT (that is why, from the client's point of view,
>> the ipnumber is the firewall itself, and not the amanda server, and the
>> portnumber is >6).
>>
>> So, as already said, you should patch the client amanda software only
>> for that host (i.e. no need to install that version on any other machine
>> or amanda server), to disable the check for a udp source port < 1024:
>>
>> For amanda 2.4.5p1, edit the file common-src/security.c:
>>
>> You find this section:
>>
>>     229
>>     230     /* next, make sure the remote port is a "reserved" one */
>>     231
>>     232     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>>     233         ap_snprintf(number, sizeof(number), "%d",
>>                             ntohs(addr->sin_port));
>>     234         *errstr = vstralloc("[",
>>     235                             "host ", remotehost, ": ",
>>     236                             "port ", number, " not secure",
>>     237                             "]", NULL);
>>     238         amfree(remotehost);
>>     239         return 0;
>>     240     }
>>
>> and make the test succeed always, by changing line 232:
>>
>>     232     if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>>
>> i.e. add the "1 ||" string to the if statement.

--
Paul Bijnens, xplanation Technology Services        Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/          email: [EMAIL PROTECTED]
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
Hi Paul

I'm running 2.4.4p2 on my amanda clients and tape server. Anyway the file
exists in my version; ran make clean > I edited the common-src/security.c
file and added the "1 ||" string to the if statement on line 232. Thus run
make > make clean > make install and run on my server client that sits on
the other side of the firewall.

./configure --with-user=amanda --with-group=disk --with-configdir=/etc/amanda --with-uspportrange=11000,111030 --with-tcpportrange=11000,11030

Thus tcpdump port 10080 on the amanda client and run amcheck Config on the
tape server. As you stated it's still forking to the firewall ipnumber and
not the tape server.

Cheers for your help

On Thu, 2006-02-16 at 17:52 +0100, Paul Bijnens wrote:
> On 02/16/2006 05:02 PM, Chuck Amadi Systems Administrator wrote:
>> Hi List sorry for the continuous cries for help.
>>
>> Regarding Amanda and ipchains rules it didn't work: Amanda client on server
>> was still forking to secure ports that weren't in my udp range. I run
>> tcpdump port 10080 on server.
>> ERROR [host firewall.my.co.uk: port 64524 not secure]
>
> So the firewall does NAT (that is why, from the client's point of view,
> the ipnumber is the firewall itself, and not the amanda server, and the
> portnumber is >6).
>
> So, as already said, you should patch the client amanda software only
> for that host (i.e. no need to install that version on any other machine
> or amanda server), to disable the check for a udp source port < 1024:
>
> For amanda 2.4.5p1, edit the file common-src/security.c:
>
> You find this section:
>
>     229
>     230     /* next, make sure the remote port is a "reserved" one */
>     231
>     232     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>     233         ap_snprintf(number, sizeof(number), "%d",
>                             ntohs(addr->sin_port));
>     234         *errstr = vstralloc("[",
>     235                             "host ", remotehost, ": ",
>     236                             "port ", number, " not secure",
>     237                             "]", NULL);
>     238         amfree(remotehost);
>     239         return 0;
>     240     }
>
> and make the test succeed always, by changing line 232:
>
>     232     if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>
> i.e. add the "1 ||" string to the if statement.

--
Unix/Linux Systems Administrator Chuck Amadi
The Surgical Material Testing Laboratory (SMTL), Bridgend
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
On 02/16/2006 05:02 PM, Chuck Amadi Systems Administrator wrote:
> Hi List sorry for the continuous cries for help.
>
> Regarding Amanda and ipchains rules it didn't work: Amanda client on server
> was still forking to secure ports that weren't in my udp range. I run
> tcpdump port 10080 on server.

> ERROR [host firewall.my.co.uk: port 64524 not secure]

So the firewall does NAT (that is why, from the client's point of view,
the ipnumber is the firewall itself, and not the amanda server, and the
portnumber is >6).

So, as already said, you should patch the client amanda software only
for that host (i.e. no need to install that version on any other machine
or amanda server), to disable the check for a udp source port < 1024:

For amanda 2.4.5p1, edit the file common-src/security.c:

You find this section:

    229
    230     /* next, make sure the remote port is a "reserved" one */
    231
    232     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
    233         ap_snprintf(number, sizeof(number), "%d",
                            ntohs(addr->sin_port));
    234         *errstr = vstralloc("[",
    235                             "host ", remotehost, ": ",
    236                             "port ", number, " not secure",
    237                             "]", NULL);
    238         amfree(remotehost);
    239         return 0;
    240     }

and make the test succeed always, by changing line 232:

    232     if(1 || ntohs(addr->sin_port) >= IPPORT_RESERVED) {

i.e. add the "1 ||" string to the if statement.

--
Paul Bijnens, xplanation Technology Services        Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/          email: [EMAIL PROTECTED]
Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
Hi List

Sorry for the continuous cries for help.

Regarding Amanda and ipchains rules it didn't work: Amanda client on server
was still forking to secure ports that weren't in my udp range. I run
tcpdump port 10080 on server. Then run /usr/sbin/amcheck DailySet1 on the
tape server. Server output below:

tcpdump: listening on eth0
16:41:14.529918 firewall.my.co.uk.64524 > server.my.co.uk.amanda: udp 117 (DF)
16:41:14.537221 server.my.co.uk.amanda > firewall.my.co.uk.64524: udp 50 (DF)
16:41:14.543520 server.my.co.uk.amanda > firewall.my.co.uk.64524: udp 100 (DF)

Thus on server less /tmp/amanda/amandad.20060216164114.debug

Amanda 2.4 REQ HANDLE 003-D0990808 SEQ 1140104146
SECURITY USER amanda
SERVICE noop
OPTIONS features=feff9ffe0f;

amandad: time 0.000: sending ack:

Amanda 2.4 ACK HANDLE 003-D0990808 SEQ 1140104146

amandad: time 0.006: sending REP packet:

Amanda 2.4 REP HANDLE 003-D0990808 SEQ 1140104146
ERROR [host firewall.my.co.uk: port 64524 not secure]

It should have forked to the ports in the udp port range that I had
compiled with the switch --with-udpportrange=1001,1009. I am still
troubleshooting and awaiting info on the mailing list.

I had edited my firewall and added the following ipchains rules. Outgoing
mail has no restrictions. 1001 and 1009 is what I used for the udp port
range and I use 11000 11030 for the tcp port range. I am led to believe
that this doesn't cause any issues with the usual amanda ports 10080,
10082 and 10083.

ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.xx.xx.xxx 1001:1009 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.xx.xx.xxx 10080:10083 -j ACCEPT

Any other tips in order to get through the firewall until one day I move
to iptables.

Cheers

--
Unix/Linux Systems Administrator Chuck Amadi
The Surgical Material Testing Laboratory (SMTL), Bridgend
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
On 02/16/2006 01:39 PM, Chuck Amadi Systems Administrator wrote:
> Yesterday someone posted an amadmin command to egrep --with-udpportrange=,
> so I can check my tape server. Please could you resend the
> amadmin ConfigName | egrep -i --with-udpportrange=1001,1009
> something like that thx.

amadmin x version | grep configure

without "grep" for more information...

> I also run the tcpdump port 10080 on the amanda client and then on the
> amanda tape server amcheck ConfigName and I could see that the port on my
> main tape server was 957 which is a privileged port. The port was not
> 1001, 1009 on the amanda tape server.

Which seems to imply that another program than the one you compiled was
run...

But even if it would be the right program, the other side sees the packets
coming from some port > 6, even if the source port was 1001 instead of 957.
Which is a NAT problem on the firewall, which cannot be solved by
recompiling with a stricter udp range.

--
Paul Bijnens, xplanation Technology Services        Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/          email: [EMAIL PROTECTED]
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
Hi

Yesterday someone posted an amadmin command to egrep --with-udpportrange=,
so I can check my tape server. Please could you resend the
amadmin ConfigName | egrep -i --with-udpportrange=1001,1009
something like that thx.

amadmin {} ...

I also run the tcpdump port 10080 on the amanda client and then on the
amanda tape server amcheck ConfigName and I could see that the port on my
main tape server was 957 which is a privileged port. The port was not
1001, 1009 on the amanda tape server.

Cheers

On Tue, 2006-02-14 at 17:19 +0100, Paul Bijnens wrote:
> On 02/14/2006 04:56 PM, Chuck Amadi Systems Administrator wrote:
>>
>> I have just edited my firewall and added an ipchain rule but I still got
>> an error as below:
>>
>> Amanda Backup Client Hosts Check
>>
>> ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]
>
> This seems to be a result of the NAT in ipchains:
> it changes the source port to something over 6.
>
> However, why is the name "fw.smtl.co.uk"? I did not know that
> ipchains used NAT for traffic to the firewall itself too?
>
> Make really really sure that the amandaserver does bind to a port
> from the udp-port range:
> In one window start as root:
> # tcpdump port 10080
> In another window, do the "amcheck".
> And verify that the port on the amandaserver is one from 1001-1009.
>
> This could also happen when amcheck lost the suid root bit
> (but I believe that it would complain about that before you get
> that far).
>
> A possible workaround here is to recompile the
> software on the client to not fail on a "non secure" port.
>
> That notion of "secure port" (ports < 1024 require root
> privilege to open) is in these days not a strong
> security check anyway, where anyone can install a workstation
> or boot from a live-CD and be root to open any port < 1024.
>
>> I have setup my fw rules as below:
>>
>> # Amanda Client - Enterprise random udp forks to Nemesis Server
>>
>> ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 1001:1009 -j ACCEPT
>>
>> ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 10080:10083 -j ACCEPT
>>
>> Outgoing packets are allowed from behind our firewall and all forwarded
>> to our main file server that is the same server for amanda backup tape
>> server
>
> I do not remember anymore, but maybe there is a possibility
> to not do NAT for a certain portrange/host ?
>
>> I re compiled amanda client as below:
>>
>> ./configure --with-user=amanda --with-group=disk
>> --with-configdir=/etc/amanda --with-udpportrange=1001, 1009
>> --with-tcpportrange=11000, 11300

--
Unix/Linux Systems Administrator Chuck Amadi
The Surgical Material Testing Laboratory (SMTL), Bridgend
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
Paul Bijnens wrote:
> On 02/14/2006 04:56 PM, Chuck Amadi Systems Administrator wrote:
>>
>> I have just edited my firewall and added an ipchain rule but I still got
>> an error as below:
>>
>> Amanda Backup Client Hosts Check
>>
>> ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]
>
> This seems to be a result of the NAT in ipchains:
> it changes the source port to something over 6.

Here is my take on the scenario: let's concentrate on the amdump part for
the time being.

1) your Amanda Backup server is a package from SuSE, cannot be recompiled.
So first you need to find out if --with-udpportrange is compiled in with
the SuSE package. To find out, do:

amadmin configname version |grep --with-udpportrange

If --with-udpportrange is compiled in, you need to make sure the Amanda
Backup server can use those ports to connect to the Amanda Backup client.

>> ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]

this indicates that the server is trying to connect to the client using
udp port 62679.

2) there could be a NAT issue, but we need to resolve 1) first.

--Kevin

> However, why is the name "fw.smtl.co.uk"? I did not know that
> ipchains used NAT for traffic to the firewall itself too?
>
> Make really really sure that the amandaserver does bind to a port
> from the udp-port range:
> In one window start as root:
> # tcpdump port 10080
> In another window, do the "amcheck".
> And verify that the port on the amandaserver is one from 1001-1009.
>
> This could also happen when amcheck lost the suid root bit
> (but I believe that it would complain about that before you get
> that far).
>
> A possible workaround here is to recompile the
> software on the client to not fail on a "non secure" port.
>
> That notion of "secure port" (ports < 1024 require root
> privilege to open) is in these days not a strong
> security check anyway, where anyone can install a workstation
> or boot from a live-CD and be root to open any port < 1024.
>
>> I have setup my fw rules as below:
>>
>> # Amanda Client - Enterprise random udp forks to Nemesis Server
>>
>> ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 1001:1009 -j ACCEPT
>>
>> ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 10080:10083 -j ACCEPT
>>
>> Outgoing packets are allowed from behind our firewall and all forwarded
>> to our main file server that is the same server for amanda backup tape
>> server
>
> I do not remember anymore, but maybe there is a possibility
> to not do NAT for a certain portrange/host ?
>
>> I re compiled amanda client as below:
>>
>> ./configure --with-user=amanda --with-group=disk
>> --with-configdir=/etc/amanda --with-udpportrange=1001, 1009
>> --with-tcpportrange=11000, 11300

--
Thank you!
Kevin Till

Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
On 02/14/2006 04:56 PM, Chuck Amadi Systems Administrator wrote: I have just edited my firewall and added a ipchain rule but I still got an error as below: Amanda Backup Client Hosts Check ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure] This seems to be a result of the NAT in ipchains: it changes the source port to someting over 6. However, why is the name "fw.smtl.co.uk"? I did not know that ipchains used uses NAT for traffic to the firewall itself too? Make really really sure that the amandaserver does bind to a port from the udp-port range: In one window start as root: # tcpdump port 10080 In another window, to the "amcheck". And verify the that port on the amandaserver is one from 1001-1009. This could also happen when amcheck lost the suid root bit (but I believe that it would complain about that before you get that far). A possible workaround here is to recompile the software on the client to not fail on a "non secure" port. That notion of "secure port" (ports < 1024 require root priviledge to open), is in these days not a strong security check anyway, where anyone can install a workstation or boot from a live-CD and be root to open any port < 1024. I have setup my fw rules as below: # Amanda Client - Enterprise random udp forks to Nemesis Server ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 1001:1009 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 10080:10083 -j ACCEPT Outgoing packets are allowed from behind our firewall and all forwaded to our main file server that is the same server for amanda backup tape server I do not remember anymore, but maybe there is a possibility to not do NAT for a certain portrange/host ? 
> I recompiled amanda client as below:
>
> ./configure --with-user=amanda --with-group=disk --with-configdir=/etc/amanda --with-udpportrange=1001, 1009 --with-tcpportrange=11000, 11300

--
Paul Bijnens, xplanation Technology Services        Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/          email:  [EMAIL PROTECTED]
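The check Paul describes (watch `tcpdump port 10080` on the client and confirm the server's source port is one of 1001-1009) can be turned into a small diagnostic. The script below is an added example for this thread, not code from Amanda or from any poster: it parses tcpdump-style lines (constructed here, with made-up hostnames and timestamps), reproduces amandad's reserved-port test from the snippet quoted earlier in the thread, and says whether a rejected port looks like NAT rewriting the source (a different host and a high port, as with fw.my.co.uk:62679) or like the server itself not binding a reserved port (same host, high port). The port range 1001-1009 and the amandad port 10080 are the values from this thread; the name `tape-server.my.co.uk` is assumed.

```python
"""Check UDP source ports seen by an Amanda client against amandad's
reserved-port test and the range compiled in with --with-udpportrange."""
import re
from typing import List, NamedTuple, Optional

# Values from the thread: client built with --with-udpportrange=1001,1009,
# amandad listening on udp/10080.  IPPORT_RESERVED is the classic Unix limit.
UDP_PORT_RANGE = (1001, 1009)
AMANDA_PORT = 10080
IPPORT_RESERVED = 1024

# Constructed tcpdump output in the style of `tcpdump port 10080` run on the
# client.  Hostnames, timestamps and lengths are made up for this example.
SAMPLE_TCPDUMP = """\
16:35:40.101 IP tape-server.my.co.uk.1003 > client.my.co.uk.10080: UDP, length 96
16:35:40.102 IP client.my.co.uk.10080 > tape-server.my.co.uk.1003: UDP, length 40
16:35:41.210 IP fw.my.co.uk.62679 > client.my.co.uk.10080: UDP, length 96
16:35:42.300 IP tape-server.my.co.uk.33021 > client.my.co.uk.10080: UDP, length 96
16:35:43.400 IP tape-server.my.co.uk.1015 > client.my.co.uk.10080: UDP, length 96
"""

LINE_RE = re.compile(
    r"IP (?P<src>[\w.-]+)\.(?P<sport>\d+) > (?P<dst>[\w.-]+)\.(?P<dport>\d+): UDP")


class Verdict(NamedTuple):
    src_host: str
    src_port: int
    amandad_reply: str   # what amandad's reserved-port test would answer
    diagnosis: str       # where to look when the reply is an ERROR


def amandad_port_check(host: str, port: int) -> str:
    """Same test as the amandad snippet quoted in the thread: a source port
    >= IPPORT_RESERVED is rejected with '[host H: port P not secure]'."""
    if port >= IPPORT_RESERVED:
        return "ERROR [host %s: port %d not secure]" % (host, port)
    return "OK"


def diagnose(line: str, expected_server: str) -> Optional[Verdict]:
    """Classify one inbound request line; None for non-matching or outbound lines."""
    m = LINE_RE.search(line)
    if m is None or int(m.group("dport")) != AMANDA_PORT:
        return None
    host, port = m.group("src"), int(m.group("sport"))
    lo, hi = UDP_PORT_RANGE
    if lo <= port <= hi:
        why = "server bound inside udpportrange %d-%d; firewall rule applies" % (lo, hi)
    elif port < IPPORT_RESERVED:
        why = "reserved port but outside udpportrange %d-%d; server build differs from client" % (lo, hi)
    elif host != expected_server:
        why = "source rewritten to %s:%d, i.e. NAT/masquerading on the path" % (host, port)
    else:
        why = "server sent from an unprivileged port; check the setuid-root bit on the server binaries"
    return Verdict(host, port, amandad_port_check(host, port), why)


def diagnose_capture(text: str, expected_server: str) -> List[Verdict]:
    """Run diagnose() over every line of a capture and keep the inbound requests."""
    return [v for v in (diagnose(l, expected_server) for l in text.splitlines()) if v]


if __name__ == "__main__":
    for v in diagnose_capture(SAMPLE_TCPDUMP, "tape-server.my.co.uk"):
        print("%s:%d -> %s (%s)" % (v.src_host, v.src_port, v.amandad_reply, v.diagnosis))
```

Run it against a real capture by piping `tcpdump -n port 10080` output into `diagnose_capture()` with the server's name as it appears in the capture; the only line that should ever show up is the one with a source port inside the compiled range.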
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
Hi List

I would like to mention that the selected port range udp 1001,1009 and tcp 11000,11300 have only been recompiled on the Amanda client, thus they haven't been opened on both amanda client and amanda server ends of the firewall. I didn't want to recompile a productive amanda tape server plus I used the default software within SuSE Linux Enterprise Server 9.

So if I have to open the selected port range on the amanda tape server can I just edit /etc/services and add the 1001 and 1009 systems privileged ports, or have I got to run the --with-udpportrange=1001,1009 thus having to start from scratch which is not really feasible.

amanda 1001/udp # Amanda
amanda 1009/udp # Amanda

Cheers

On Tue, 2006-02-14 at 15:56 +, Chuck Amadi Systems Administrator wrote:
> Hi all
>
> I have just edited my firewall and added an ipchain rule but I still got
> an error as below:
>
> Amanda Backup Client Hosts Check
>
> ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]
> Client check: 4 hosts checked in 10.780 seconds, 1 problem found
>
> Here is also my Amanda Debug file:
> less /tmp/amanda/amandad.20060214163540.debug
>
> Amanda 2.4 REQ HANDLE 003-D0990808 SEQ 1139931009
> SECURITY USER amanda
> SERVICE noop
> OPTIONS features=ecfffeff9ffe0f;
>
> amandad: time 0.000: sending ack:
>
> Amanda 2.4 ACK HANDLE 003-D0990808 SEQ 1139931009
>
> amandad: time 0.006: sending REP packet:
>
> Amanda 2.4 REP HANDLE 003-D0990808 SEQ 1139931009
> ERROR [host fw.my.co.uk: port 62679 not secure]
>
> amandad: time 0.007: got packet:
>
> Amanda 2.4 ACK HANDLE 003-D0990808 SEQ 1139931009
>
> I have setup my fw rules as below:
>
> # Amanda Client - Enterprise random udp forks to Nemesis Server
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 1001:1009 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 10080:10083 -j ACCEPT
>
> Outgoing packets are allowed from behind our firewall and all forwarded
> to our main file server that is the same server for amanda backup tape
> server
>
> I recompiled amanda client as below:
>
> ./configure --with-user=amanda --with-group=disk --with-configdir=/etc/amanda --with-udpportrange=1001, 1009 --with-tcpportrange=11000, 11300
>
> I haven't edited the /etc/services as I had read this does not affect
> initial UDP request made from the amanda tape server.
>
> I have read, digested and learnt a few things but I am still having
> issues using Amanda between hosts separated by a firewall using
> ipchains.
>
> Cheers for your help.

--
Unix/ Linux Systems Administrator
Chuck Amadi
The Surgical Material Testing Laboratory (SMTL),
Princess of Wales Hospital
Coity Road
Bridgend, United Kingdom, CF31 1RQ.
Email chuck.smtl.co.uk
Tel: +44 1656 752820
Fax: +44 1656 752830
Re: Still get ERROR [host fw.my.co.uk: port 62679 not secure] after I added my ipchain rule:
Hi all

I have just edited my firewall and added an ipchain rule but I still got an error as below:

Amanda Backup Client Hosts Check

ERROR: server.my.co.uk: [host fw.smtl.co.uk: port 62679 not secure]
Client check: 4 hosts checked in 10.780 seconds, 1 problem found

Here is also my Amanda Debug file:
less /tmp/amanda/amandad.20060214163540.debug

Amanda 2.4 REQ HANDLE 003-D0990808 SEQ 1139931009
SECURITY USER amanda
SERVICE noop
OPTIONS features=ecfffeff9ffe0f;

amandad: time 0.000: sending ack:

Amanda 2.4 ACK HANDLE 003-D0990808 SEQ 1139931009

amandad: time 0.006: sending REP packet:

Amanda 2.4 REP HANDLE 003-D0990808 SEQ 1139931009
ERROR [host fw.my.co.uk: port 62679 not secure]

amandad: time 0.007: got packet:

Amanda 2.4 ACK HANDLE 003-D0990808 SEQ 1139931009

I have setup my fw rules as below:

# Amanda Client - Enterprise random udp forks to Nemesis Server

ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 1001:1009 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s 193.XX.XX.XXX 10080:10083 -j ACCEPT

Outgoing packets are allowed from behind our firewall and all forwarded to our main file server that is the same server for amanda backup tape server

I recompiled amanda client as below:

./configure --with-user=amanda --with-group=disk --with-configdir=/etc/amanda --with-udpportrange=1001, 1009 --with-tcpportrange=11000, 11300

I haven't edited the /etc/services as I had read this does not affect initial UDP request made from the amanda tape server.

I have read, digested and learnt a few things but I am still having issues using Amanda between hosts separated by a firewall using ipchains.

Cheers for your help.

--
Unix/ Linux Systems Administrator
Chuck Amadi
The Surgical Material Testing Laboratory (SMTL),
Princess of Wales Hospital
Coity Road
Bridgend, United Kingdom, CF31 1RQ.
Email chuck.smtl.co.uk
Tel: +44 1656 752820
Fax: +44 1656 752830