Re: Yet another Insecure Port ...
From a security perspective, you normally don't want to allow packet fragments. In most cases, turning off packet fragmentation is generally what you want. Why? Well, because some rules cannot be properly applied to packet fragments, which may create potential security concerns.

Greg

Jason Hollinden wrote:
> The ports that worked best for me were:
>
> --with-portrange=2064,2320
> --with-udpportrange=830,870
>
> Also, some other firewall weirdness I've had (with RedHat6.2's ipchains)
> was once in a while a fragmented packet is sent, for whatever reason.
> My amanda client's firewall log would show 3 denied packets from the
> tape server, with source and destination ports of 65535.
>
> To get around this, you need a rule that allows fragmented packets, such
> as this:
>
> -A input -s /32 -d /32 -f -j ACCEPT
>
>
> On Wed, 04 Apr 2001, Doug Silver wrote:
>
>> Brand new build of amanda 2.4.2p2
>>
>> server config build:
>> /configure --with-gnutar=/usr/local/bin/tar --with-portrange=900,950
>> --with-udpportrange=900,950 (etc)
>>
>> client config build:
>> ./configure --with-gtar=/usr/local/bin/gtar --without-server
>> --with-portrange=900,950 --with-udpportrange=900,950
>>
>> Server binaries:
>> -rwsr-x---  1 root  wheel   68759 Apr  4 15:46 /usr/local/libexec/calcsize*
>> -rwsr-x---  1 root  wheel  231765 Apr  4 15:47 /usr/local/libexec/dumper*
>> -rwsr-x---  1 root  wheel   58227 Apr  4 15:46 /usr/local/libexec/killpgrp*
>> -rwsr-x---  1 root  wheel  309711 Apr  4 15:47 /usr/local/libexec/planner*
>> -rwsr-x---  1 root  wheel   56004 Apr  4 15:46 /usr/local/libexec/rundump*
>> -rwsr-x---  1 root  wheel   56761 Apr  4 15:46 /usr/local/libexec/runtar*
>> -rwsr-x---  1 root  wheel  322122 Apr  4 15:47 /usr/local/sbin/amcheck*
>>
>> Client:
>> ls: /usr/local/libexec/dumper: No such file or directory
>> ls: /usr/local/libexec/planner: No such file or directory
>> -rwsr-x---  1 root  wheel   71756 Apr  4 17:22 /usr/local/libexec/calcsize*
>> -rwsr-x---  1 root  wheel   62521 Apr  4 17:22 /usr/local/libexec/killpgrp*
>> -rwsr-x---  1 root  wheel   60112 Apr  4 17:22 /usr/local/libexec/rundump*
>> -rwsr-x---  1 root  wheel   60905 Apr  4 17:22 /usr/local/libexec/runtar*
>>
>> amcheck -c test
>>
>> Amanda Backup Client Hosts Check
>>
>> ERROR: frog.hoop-t.net: [host cat.hoop-t.net: port 62870 not secure]
>> Client check: 1 host checked in 0.076 seconds, 1 problem found
>>
>> I'm not seeing any errors through the firewall, so I'm not sure how to
>> further debug this.
>>
>> Any suggestions?  Has anyone got Amanda to work using the
>> udpportrange/portrange options through a firewall?
>>
>> Thanks!
>>
>> ~
>> Doug Silver
>> 619 235-2665
>> Quantified Systems, Inc
>> ~
>>
>> Here's the client amandad.debug packet stuff:
>>
>> sending ack:
>>
>> Amanda 2.4 ACK HANDLE 000-00300D08 SEQ 986430352
>>
>>
>> amandad: sending REP packet:
>>
>> Amanda 2.4 REP HANDLE 000-00300D08 SEQ 986430352
>> ERROR [host cat.hoop-t.net: port 62870 not secure]
>>
>>
>> amandad: got packet:
>>
>> Amanda 2.4 ACK HANDLE 000-00300D08 SEQ 986430352
>>
>>
>> amandad: pid 56308 finish time Wed Apr  4 17:25:53 2001
>>
>
> --
> Jason Hollinden
>
> SMG Systems Admin

--
Greg Copeland, Principal Consultant
Copeland Computer Consulting
--
PGP/GPG Key at http://www.keyserver.net
DE5E 6F1D 0B51 6758 A5D7 7DFE D785 A386 BD11 4FCD
--
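Greg's point, that port-based rules cannot be applied to fragments, is worth seeing concretely. The following is an added example, not code from any message in this thread and not ipchains code: a small Python model of an ipchains-style input chain run over a constructed, fragmented UDP request. Addresses (192.0.2.x), the datagram contents and the rule set are all constructed here; the only values taken from the thread are the server's UDP port range (900,950), the amanda port 10080/udp, and the shape of Jason's `-f -j ACCEPT` workaround. Only the first fragment carries the UDP header, so a chain made of port-range rules denies the second fragment (the client's log entries with ports 65535 fit a fragment that has no ports to report), and the `-f` rule admits every later fragment from that host without any port or content check, which is the concern Greg raises.

```python
import struct

UDP = 17

def build_ipv4(src, dst, proto, ident, more_fragments, frag_offset, payload):
    """Build a minimal IPv4 header (no options) in front of payload.
    frag_offset is in 8-byte units as on the wire; checksum is left at zero."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (int(more_fragments) << 13) | frag_offset
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload

def parse_ipv4(packet):
    """Decode the fields a packet filter needs from an IPv4 header."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (fields[0] & 0x0F) * 4
    flags_frag = fields[4]
    return {
        "src": ".".join(str(b) for b in fields[8]),
        "dst": ".".join(str(b) for b in fields[9]),
        "proto": fields[6],
        "more_fragments": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,   # byte offset into the datagram
        "payload": packet[ihl:],
    }

def transport_ports(info):
    """(sport, dport) when a UDP/TCP header is present, else None.
    Only the first fragment (offset 0) carries the transport header."""
    if info["offset"] != 0 or len(info["payload"]) < 4:
        return None
    return struct.unpack("!HH", info["payload"][:4])

def in_range(value, bounds):
    return bounds is None or bounds[0] <= value <= bounds[1]

def filter_packet(packet, rules):
    """Evaluate ipchains-style rules in order, first match wins, default DENY.
    Rule keys: src, dst (exact address or None), proto, sport, dport ((lo, hi)
    or None), frag (True = '-f': second and later fragments only), target."""
    info = parse_ipv4(packet)
    ports = transport_ports(info)
    for r in rules:
        if r.get("src") and r["src"] != info["src"]:
            continue
        if r.get("dst") and r["dst"] != info["dst"]:
            continue
        if r.get("frag"):
            if info["offset"] == 0:
                continue
            return r["target"]          # no ports or payload inspected at all
        if r.get("proto") is not None and r["proto"] != info["proto"]:
            continue
        if r.get("sport") or r.get("dport"):
            if ports is None:
                continue                # non-first fragment: ports unknown
            if not (in_range(ports[0], r.get("sport")) and in_range(ports[1], r.get("dport"))):
                continue
        return r["target"]
    return "DENY"

# Constructed sample: a UDP request from the tape server (source port 900, inside
# --with-udpportrange=900,950) to the amanda port 10080, too big for one frame.
SERVER, CLIENT, OTHER = "192.0.2.10", "192.0.2.20", "192.0.2.99"
datagram = struct.pack("!HHHH", 900, 10080, 8 + 3000, 0) + b"A" * 3000
first = build_ipv4(SERVER, CLIENT, UDP, 0x1234, True, 0, datagram[:1480])
second = build_ipv4(SERVER, CLIENT, UDP, 0x1234, False, 1480 // 8, datagram[1480:])
stray = build_ipv4(OTHER, CLIENT, UDP, 0x4321, False, 1480 // 8, b"B" * 100)

PORT_RULES = [
    {"src": SERVER, "dst": CLIENT, "proto": UDP, "sport": (900, 950),
     "dport": (10080, 10080), "target": "ACCEPT"},
]
# The thread's workaround: '-A input -s <server>/32 -d <client>/32 -f -j ACCEPT'
FRAG_RULES = [{"src": SERVER, "dst": CLIENT, "frag": True, "target": "ACCEPT"}] + PORT_RULES

def demo():
    return {
        "first/port-rules": filter_packet(first, PORT_RULES),
        "second/port-rules": filter_packet(second, PORT_RULES),
        "first/frag-rule": filter_packet(first, FRAG_RULES),
        "second/frag-rule": filter_packet(second, FRAG_RULES),
        "stray/frag-rule": filter_packet(stray, FRAG_RULES),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Restricting the `-f` rule to the tape server's address, as the thread's rule does with `-s`/`-d`, is what keeps a stray fragment from a third host out; it does nothing about what the accepted fragments contain. Denying fragments altogether, as Greg prefers, removes that gap at the cost of needing the Amanda traffic to stay under the path MTU.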
Re: Yet another Insecure Port ...
The ports that worked best for me were:

--with-portrange=2064,2320
--with-udpportrange=830,870

Also, some other firewall weirdness I've had (with RedHat6.2's ipchains)
was once in a while a fragmented packet is sent, for whatever reason.
My amanda client's firewall log would show 3 denied packets from the
tape server, with source and destination ports of 65535.

To get around this, you need a rule that allows fragmented packets, such
as this:

-A input -s /32 -d /32 -f -j ACCEPT


On Wed, 04 Apr 2001, Doug Silver wrote:

> Brand new build of amanda 2.4.2p2
>
> server config build:
> /configure --with-gnutar=/usr/local/bin/tar --with-portrange=900,950
> --with-udpportrange=900,950 (etc)
>
> client config build:
> ./configure --with-gtar=/usr/local/bin/gtar --without-server
> --with-portrange=900,950 --with-udpportrange=900,950
>
> Server binaries:
> -rwsr-x---  1 root  wheel   68759 Apr  4 15:46 /usr/local/libexec/calcsize*
> -rwsr-x---  1 root  wheel  231765 Apr  4 15:47 /usr/local/libexec/dumper*
> -rwsr-x---  1 root  wheel   58227 Apr  4 15:46 /usr/local/libexec/killpgrp*
> -rwsr-x---  1 root  wheel  309711 Apr  4 15:47 /usr/local/libexec/planner*
> -rwsr-x---  1 root  wheel   56004 Apr  4 15:46 /usr/local/libexec/rundump*
> -rwsr-x---  1 root  wheel   56761 Apr  4 15:46 /usr/local/libexec/runtar*
> -rwsr-x---  1 root  wheel  322122 Apr  4 15:47 /usr/local/sbin/amcheck*
>
> Client:
> ls: /usr/local/libexec/dumper: No such file or directory
> ls: /usr/local/libexec/planner: No such file or directory
> -rwsr-x---  1 root  wheel   71756 Apr  4 17:22 /usr/local/libexec/calcsize*
> -rwsr-x---  1 root  wheel   62521 Apr  4 17:22 /usr/local/libexec/killpgrp*
> -rwsr-x---  1 root  wheel   60112 Apr  4 17:22 /usr/local/libexec/rundump*
> -rwsr-x---  1 root  wheel   60905 Apr  4 17:22 /usr/local/libexec/runtar*
>
> amcheck -c test
>
> Amanda Backup Client Hosts Check
>
> ERROR: frog.hoop-t.net: [host cat.hoop-t.net: port 62870 not secure]
> Client check: 1 host checked in 0.076 seconds, 1 problem found
>
> I'm not seeing any errors through the firewall, so I'm not sure how to
> further debug this.
>
> Any suggestions?  Has anyone got Amanda to work using the
> udpportrange/portrange options through a firewall?
>
> Thanks!
>
> ~
> Doug Silver
> 619 235-2665
> Quantified Systems, Inc
> ~
>
> Here's the client amandad.debug packet stuff:
>
> sending ack:
>
> Amanda 2.4 ACK HANDLE 000-00300D08 SEQ 986430352
>
>
> amandad: sending REP packet:
>
> Amanda 2.4 REP HANDLE 000-00300D08 SEQ 986430352
> ERROR [host cat.hoop-t.net: port 62870 not secure]
>
>
> amandad: got packet:
>
> Amanda 2.4 ACK HANDLE 000-00300D08 SEQ 986430352
>
>
> amandad: pid 56308 finish time Wed Apr  4 17:25:53 2001
>

--
Jason Hollinden

SMG Systems Admin
Yet another Insecure Port ...
Brand new build of amanda 2.4.2p2

server config build:
/configure --with-gnutar=/usr/local/bin/tar --with-portrange=900,950
--with-udpportrange=900,950 (etc)

client config build:
./configure --with-gtar=/usr/local/bin/gtar --without-server
--with-portrange=900,950 --with-udpportrange=900,950

Server binaries:
-rwsr-x---  1 root  wheel   68759 Apr  4 15:46 /usr/local/libexec/calcsize*
-rwsr-x---  1 root  wheel  231765 Apr  4 15:47 /usr/local/libexec/dumper*
-rwsr-x---  1 root  wheel   58227 Apr  4 15:46 /usr/local/libexec/killpgrp*
-rwsr-x---  1 root  wheel  309711 Apr  4 15:47 /usr/local/libexec/planner*
-rwsr-x---  1 root  wheel   56004 Apr  4 15:46 /usr/local/libexec/rundump*
-rwsr-x---  1 root  wheel   56761 Apr  4 15:46 /usr/local/libexec/runtar*
-rwsr-x---  1 root  wheel  322122 Apr  4 15:47 /usr/local/sbin/amcheck*

Client:
ls: /usr/local/libexec/dumper: No such file or directory
ls: /usr/local/libexec/planner: No such file or directory
-rwsr-x---  1 root  wheel   71756 Apr  4 17:22 /usr/local/libexec/calcsize*
-rwsr-x---  1 root  wheel   62521 Apr  4 17:22 /usr/local/libexec/killpgrp*
-rwsr-x---  1 root  wheel   60112 Apr  4 17:22 /usr/local/libexec/rundump*
-rwsr-x---  1 root  wheel   60905 Apr  4 17:22 /usr/local/libexec/runtar*

amcheck -c test

Amanda Backup Client Hosts Check

ERROR: frog.hoop-t.net: [host cat.hoop-t.net: port 62870 not secure]
Client check: 1 host checked in 0.076 seconds, 1 problem found

I'm not seeing any errors through the firewall, so I'm not sure how to
further debug this.

Any suggestions?  Has anyone got Amanda to work using the
udpportrange/portrange options through a firewall?

Thanks!

~
Doug Silver
619 235-2665
Quantified Systems, Inc
~

Here's the client amandad.debug packet stuff:

sending ack:

Amanda 2.4 ACK HANDLE 000-00300D08 SEQ 986430352


amandad: sending REP packet:

Amanda 2.4 REP HANDLE 000-00300D08 SEQ 986430352
ERROR [host cat.hoop-t.net: port 62870 not secure]


amandad: got packet:

Amanda 2.4 ACK HANDLE 000-00300D08 SEQ 986430352


amandad: pid 56308 finish time Wed Apr  4 17:25:53 2001
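The "port 62870 not secure" line in Doug's amandad.debug is the client refusing the request because of where it came from, not a firewall drop. The following is an added example, not code from the thread and not Amanda's own source: a Python model of that client-side check, plus a small parser for the debug excerpt quoted from the page. It assumes (as an assumption about Amanda's BSD-style security, not verified here against 2.4.2p2 source) that amandad accepts a request only when the UDP source port is a privileged port, below 1024, the IPPORT_RESERVED boundary; a port taken from --with-udpportrange=900,950 satisfies that, and 62870 satisfies neither the privileged rule nor the configured range. Everything else (the function names, the `diagnose` report) is constructed for this example.

```python
import re

IPPORT_RESERVED = 1024  # privileged-port boundary on BSD-style systems

# Excerpt of the client amandad.debug lines quoted in the thread
AMANDAD_DEBUG = """\
amandad: sending REP packet:

Amanda 2.4 REP HANDLE 000-00300D08 SEQ 986430352
ERROR [host cat.hoop-t.net: port 62870 not secure]
"""

ERROR_RE = re.compile(r"ERROR \[host (?P<host>\S+): port (?P<port>\d+) not secure\]")

def parse_not_secure_errors(debug_text):
    """Extract (host, port) pairs from 'port N not secure' errors in amandad.debug."""
    return [(m.group("host"), int(m.group("port")))
            for m in ERROR_RE.finditer(debug_text)]

def secure_port_check(host, port):
    """Model of the client-side check (assumption: the real amandad compares the
    request's source port against IPPORT_RESERVED). Returns None when the source
    port is acceptable, otherwise the error text in the form the page shows."""
    if port >= IPPORT_RESERVED:
        return "[host %s: port %d not secure]" % (host, port)
    return None

def udpportrange_ok(port, lo, hi):
    """Would a sender honouring --with-udpportrange=lo,hi have used this port?"""
    return lo <= port <= hi

def diagnose(debug_text, expected_range):
    """For each error, report whether the port the client saw is privileged and
    whether it lies inside the server's configured UDP source-port range."""
    lo, hi = expected_range
    report = []
    for host, port in parse_not_secure_errors(debug_text):
        report.append({
            "host": host,
            "port": port,
            "privileged": port < IPPORT_RESERVED,
            "in_configured_range": udpportrange_ok(port, lo, hi),
        })
    return report

if __name__ == "__main__":
    for entry in diagnose(AMANDAD_DEBUG, (900, 950)):
        print(entry)
    print(secure_port_check("cat.hoop-t.net", 900))    # None: would be accepted
    print(secure_port_check("cat.hoop-t.net", 62870))  # the error from the page
```

The useful output of `diagnose` is the pair of booleans: a port that is neither privileged nor inside the configured range means the request did not arrive from the range the server was built with, so the place to look is between the server binding its socket and the packet reaching amandad, rather than at the client's firewall rules, which Doug already reports as showing no drops.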