RE: Which ports to open in which direction...
> > http://wiki.zmanda.com/index.php/Configuration_with_iptables
>
> How does the ip_conntrack_amanda kernel module fit in here?
> I think that just using that module simplifies a lot of the setup.
>
> I'm not sure it handles amrecover connections though...

Oh! Well... I never even noticed that this existed. I'll look into that.

Indeed, that does seem a lot simpler.

Thanks for pointing this out!
Re: Which ports to open in which direction...
David Leangen wrote:
> > > http://wiki.zmanda.com/index.php/Configuration_with_iptables
> >
> > How does the ip_conntrack_amanda kernel module fit in here?
> > I think that just using that module simplifies a lot of the setup.
> >
> > I'm not sure it handles amrecover connections though...
>
> Oh! Well... I never even noticed that this existed. I'll look into that.
>
> Indeed, that does seem a lot simpler.

A description of a configuration without that kernel module is still handy too. There were bugs in several versions of that kernel module making it unusable. And some people could base their settings of a non-iptables firewall (FW1 etc.) on this description.

And, not using it myself, a positive feedback that it can handle all the situations is good:

- server behind firewall, client in DMZ, client on the internet
- server behind NAT, client behind NAT, both behind NAT
- amrecover in all the situations above

Even with ip_conntrack_amanda you need to be sure to have some ports allowed too: from server to client UDP 10080 at least! From client to server, TCP ports 10082 and 10083 are also needed for amrecover, I think.

--
Paul Bijnens, Xplanation                          Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM  Fax   +32 16 397.512
http://www.xplanation.com/                        email: [EMAIL PROTECTED]
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup,   *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown,   *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************
Re: Which ports to open in which direction...
On Tue, Dec 06, 2005 at 10:01:37AM +0100, Paul Bijnens enlightened us:
> David Leangen wrote:
> > http://wiki.zmanda.com/index.php/Configuration_with_iptables
>
> How does the ip_conntrack_amanda kernel module fit in here?
> I think that just using that module simplifies a lot of the setup.
>
> I'm not sure it handles amrecover connections though...

I just ran amrecover from a client outside my firewall with ip_conntrack_amanda handling everything just fine.

Matt

--
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263
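Added example, not from the thread or the Zmanda wiki: a rule generator for a firewall that sits between the tape server and a remote client, using the ip_conntrack_amanda helper Matt confirms works for amrecover, plus the two explicit allowances Paul lists (UDP 10080 server to client, TCP 10082/10083 client to server). The host addresses and the `amanda-drop:` log prefix are placeholders; the function prints the rules rather than applying them.

```sh
#!/bin/sh
# Added example (not the thread's or Zmanda's code). Emits, but does not
# apply, FORWARD-chain rules for a firewall between the Amanda tape server
# and a remote client, relying on the ip_conntrack_amanda helper so that no
# fixed --with-tcpportrange hole has to be punched. Addresses are
# placeholders; the port numbers are the ones named in the thread.
TAPEHOST="${TAPEHOST:-192.0.2.10}"      # placeholder: Amanda tape server
CLIENT="${CLIENT:-198.51.100.20}"       # placeholder: remote Amanda client

amanda_rules() {
    cat <<EOF
# Helper: reads the port numbers out of amandad's UDP reply and marks the
# follow-on TCP streams as RELATED, whichever side opens them.
modprobe ip_conntrack_amanda
# Only if this box also NATs one side: the matching NAT helper.
# modprobe ip_nat_amanda
# 1. Flows the helper (or an accepted NEW packet) has already set up.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# 2. amdump: tape server -> client amandad on 10080/udp.
iptables -A FORWARD -p udp -s $TAPEHOST -d $CLIENT --dport 10080 \\
    -m state --state NEW -j ACCEPT
# 3. amrecover: client -> tape server on 10082/tcp and 10083/tcp.
iptables -A FORWARD -p tcp -s $CLIENT -d $TAPEHOST \\
    -m multiport --dports 10082,10083 -m state --state NEW -j ACCEPT
# 4. Log, then drop, everything else between the two hosts. A burst of
#    these during a dump means a port was picked outside the configured
#    ranges (the fallback Kevin describes) or the helper did not fire.
iptables -A FORWARD -s $TAPEHOST -d $CLIENT -j LOG --log-prefix "amanda-drop: "
iptables -A FORWARD -s $CLIENT -d $TAPEHOST -j LOG --log-prefix "amanda-drop: "
iptables -A FORWARD -s $TAPEHOST -d $CLIENT -j DROP
iptables -A FORWARD -s $CLIENT -d $TAPEHOST -j DROP
EOF
}

# Print the rule set for review; pipe it into "sh" on the firewall to apply.
amanda_rules
```

Current kernels name the module nf_conntrack_amanda and no longer attach helpers automatically, so the same setup additionally needs a raw-table rule such as `iptables -t raw -A PREROUTING -p udp --dport 10080 -j CT --helper amanda` before the RELATED match will see Amanda's data streams.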
Re: Which ports to open in which direction...
David Leangen wrote:
> http://wiki.zmanda.com/index.php/Configuration_with_iptables

How does the ip_conntrack_amanda kernel module fit in here?
I think that just using that module simplifies a lot of the setup.

I'm not sure it handles amrecover connections though...

--
Paul Bijnens, Xplanation
Re: Which ports to open in which direction...
David Leangen wrote:
> > does your current setup work for you? I guess it should work most of the
> > time. In your case, it'll fail when it couldn't find an open port in
> > tcp 5:50100 or in udp 700:710.
>
> Actually, I haven't yet had time to see this through all the way. I was
> hoping that the docs would be clear about which ports I need to open (and
> only which ports), but I find I'm a bit confused... I was hoping for some
> clarification, and I thought the wiki page would be the best instrument to
> do this so that others may profit.
>
> In any case, I have no problems with my local connections, but I need to
> figure out which ports to open for my remote connections.
>
> This is as far as my understanding goes. Think you could clarify the rest
> of the process for me?
>
> IP Traffic
>
> Waiting state:
>   RHost listens on 10080/udp
>   FWHost listens on 10080/udp
>   LHost listens on 10080/udp
>   TSHost listens on 10080/udp
>
> amdump process begins:
>   TSHost sends request to RHost on port 10080/udp (via FWHost)
>   TSHost sends request to FWHost on port 10080/udp
>   TSHost sends request to LHost on port 10080/udp
>   TSHost sends request to localhost on port 10080/udp
>
> amandad process begins on each client:
>   xHost accepts request on 10080/udp
>   xHost replies to TSHost on a port in --with-tcpportrange
>
> The above is taken from the wiki page:
> http://wiki.zmanda.com/index.php/Configuration_with_iptables
>
> What happens after each host replies to the tape server host over
> {--with-tcpportrange}? Or is that all?

That should be it for backing up if the ports within tcpportrange can be found. Otherwise, it's currently subjected to the [*] below.

Then for amrecover, it needs privileged (< 1024) TCP ports for communication to the server. That could be why amrecover is problematic in a firewall environment. It uses up to 3 ports.

I am working on changing --with-tcpportrange, --with-udpportrange to be configurable in amanda.conf.

I likely need to split them into three categories:

  udp_privileged_port_range
  tcp_privileged_port_range {new}
  tcp_normal_port_range

Will update with more information soon.

[*] Currently, amanda will try the tcpportrange/udpportrange first. If it couldn't find an open port in that range, it will try to get ANY open port. In this case, it will fail in your firewall setup.

--
Thank you!
Kevin Till

Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
RE: Which ports to open in which direction...
Hello, Kevin,

> does your current setup work for you? I guess it should work
> most of the time. In your case, it'll fail when it couldn't find an
> open port in tcp 5:50100 or in udp 700:710.

Actually, I haven't yet had time to see this through all the way. I was hoping that the docs would be clear about which ports I need to open (and only which ports), but I find I'm a bit confused... I was hoping for some clarification, and I thought the wiki page would be the best instrument to do this so that others may profit.

In any case, I have no problems with my local connections, but I need to figure out which ports to open for my remote connections.

This is as far as my understanding goes. Think you could clarify the rest of the process for me?

IP Traffic

Waiting state:
  RHost listens on 10080/udp
  FWHost listens on 10080/udp
  LHost listens on 10080/udp
  TSHost listens on 10080/udp

amdump process begins:
  TSHost sends request to RHost on port 10080/udp (via FWHost)
  TSHost sends request to FWHost on port 10080/udp
  TSHost sends request to LHost on port 10080/udp
  TSHost sends request to localhost on port 10080/udp

amandad process begins on each client:
  xHost accepts request on 10080/udp
  xHost replies to TSHost on a port in --with-tcpportrange

The above is taken from the wiki page:
http://wiki.zmanda.com/index.php/Configuration_with_iptables

What happens after each host replies to the tape server host over {--with-tcpportrange}? Or is that all?

There are other ports mentioned in the docs, but I don't yet see the connection (no pun intended) with all this.

> Currently, amanda will try the tcpportrange/udpportrange first. If it
> couldn't find an open port in that range, it will try to get ANY open
> port. In this case, it will fail in your firewall setup.

Oh, didn't know that...

Cheers,
Dave
Re: Which ports to open in which direction...
David Leangen wrote:
> http://wiki.zmanda.com/index.php/Configuration_with_iptables

Hi Dave,

does your current setup work for you? I guess it should work most of the time. In your case, it'll fail when it couldn't find an open port in tcp 5:50100 or in udp 700:710.

Currently, amanda will try the tcpportrange/udpportrange first. If it couldn't find an open port in that range, it will try to get ANY open port. In this case, it will fail in your firewall setup. I'm working to correct this mis-behavior.

--
Thank you!
Kevin Till

Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Which ports to open in which direction...
Thanks, David, for starting the section on wiki.zmanda.com. Kevin Till (cc'ed in the email) is also working to document port usage in Amanda.

Paddy

On 12/1/05, David Leangen <[EMAIL PROTECTED]> wrote:
>
> Thanks!
>
> > There is a document called PORT.USAGE. Available in the source
> > "docs" directory or at amanda.org.
>
> Actually, the precise URL is:
>
> http://www.amanda.org/docs/portusage.html
>
> Ok, well, I've tried to decipher the doc, but I'm not quite sure about a
> few things.
>
> I started writing a simplified doc on the wiki for people who need to
> set up a network like mine.
>
> http://wiki.zmanda.com/index.php/Configuration_with_iptables
>
> It would be really great to get a little advice on how the traffic is
> passed around. I read the doc, but it's still a bit unclear to me. The
> page above says which program uses what port, but there seem to be a few
> holes that require more research.
>
> If anybody is interested in editing this article on the wiki, please do
> so! I think (hope) that this doc could be useful for others, too.
>
> Thank you!
> Dave

--
Amanda documentation: http://wiki.zmanda.com
Amanda forums: http://forums.zmanda.com
Re: Which ports to open in which direction...
Thanks!

> There is a document called PORT.USAGE. Available in the source
> "docs" directory or at amanda.org.

Actually, the precise URL is:

http://www.amanda.org/docs/portusage.html

Ok, well, I've tried to decipher the doc, but I'm not quite sure about a few things.

I started writing a simplified doc on the wiki for people who need to set up a network like mine.

http://wiki.zmanda.com/index.php/Configuration_with_iptables

It would be really great to get a little advice on how the traffic is passed around. I read the doc, but it's still a bit unclear to me. The page above says which program uses what port, but there seem to be a few holes that require more research.

If anybody is interested in editing this article on the wiki, please do so! I think (hope) that this doc could be useful for others, too.

Thank you!
Dave
Re: Which ports to open in which direction...
On Tue, Nov 29, 2005 at 05:54:19PM +0900, David Leangen wrote:
>
> Hello!
>
> I'm having some trouble getting data from a remote host. Amanda works
> fine on the local network, just not remotely.
>
> I believe that the problem is due to my firewall, so I'm hoping that
> somebody can explain which ports need to be opened in which direction
> (unless there is doc somewhere that I missed).

There is a document called PORT.USAGE. Available in the source "docs" directory or at amanda.org.

--
Jon H. LaBadie                  [EMAIL PROTECTED]
JG Computing
4455 Province Line Road         (609) 252-0159
Princeton, NJ 08540-4322        (609) 683-7220 (fax)
Which ports to open in which direction...
Hello!

I'm having some trouble getting data from a remote host. Amanda works fine on the local network, just not remotely.

I believe that the problem is due to my firewall, so I'm hoping that somebody can explain which ports need to be opened in which direction (unless there is doc somewhere that I missed).

Relevant ports are:

  10080/udp
  10082/tcp
  10083/tcp
  5:50100/tcp
  700:710/udp

I have 3 machines:

  - firewall
  - tapehost
  - remote

Is this assumption correct?

  tapehost(10080) --> firewall --> remote
  remote(5:50100,700:710) --> firewall --> tapehost

Is that all I need? Or am I missing something?

The reason I need to know is because I also have local hosts, so I need to use NAT to get this right...

Thanks for the tip!
Dave