I've been working on this firewall setup for hours now and may be a bit off in
my logic.
Server A (bender), is located outside the firewall, Server B (fry), is the
firewall, and Server C (homer) is the backup tape server.
tcp port range is 11080-11084
udp port range is 850-854 (all of which are open)
fry masquerades the internal network out to the internet, while blocking
external traffic yada yada yada.
I have tried "ipmasqadm portfw" combinations like forwarding the tcp and udp
port ranges directly from bender to homer as well as using fry as an
intermediate, like forwarding bender to fry and then fry to homer with configs
like this:
ipmasqadm portfw -a -P tcp -L bender $tcp_ports -R homer $tcp_ports
^-- assume $tcp_ports is another line in the rc.firewall for each port.
and
ipmasqadm portfw -a -P tcp -L bender $tcp_ports -R fry $tcp_ports
ipmasqadm portfw -a -P tcp -L fry $tcp_ports -R homer $tcp_ports
which do not work, I have also tried setting up a chain called www-home w/ the
command:
ipchains -A www-home -p tcp --dport 11080:11084 -s bender -d homer -j ACCEPT
ipchains -A www-home -p udp --dport 850:854 -s bender -d homer -j ACCEPT
which ALSO does not work. I do not know if a return port forward for bender to
homer is required over port 10080 for amandad and cannot find much more
information regarding the situation of amanda through a firewall other than
what is mentioned on the faq-o-matic. I never fail to get this error,
ERROR: bender: [host fry.sistina.com: port 63309 not secure]
with the port changing every time between 61000 and approx. 65000 which I know
is reserved for masquerading. What exactly needs to be forwarded? What ports
need to be opened other than the ports I've reserved? What is causing fry to
masquerade amanda's packets back to the tape server instead of following the
specified ports and routes? Any answers or feedback would be much appreciated
as this seems to be my final step in setting up this backup scheme.
Thanks ahead of time,
--
Thomas J. Hudak
Jr. Systems Administrator
Sistina Software Inc.
Phone: 612.379.3951 Fax: 612.379.3952
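The rejection in the post is Amanda's reserved-port check: the server only trusts a peer whose source port is a privileged port (below 1024), and masquerading rewrites the source port into the kernel's masquerade range, so the tape server sees fry's address and a high port instead of bender's privileged port. The script below is an added diagnostic, not part of Thomas's message or of Amanda itself; it parses "not secure" errors out of a log and says whether the rejected port falls inside the masquerade range the post describes (61000 to about 65000, upper bound taken from the post rather than from kernel headers) or is merely unprivileged. The sample log lines are constructed.

```python
import re

# Amanda's BSD-style check: a peer is "secure" only if its source port is below
# IPPORT_RESERVED (1024).  The masquerade range is the one reported in the post;
# the upper bound is an assumption from that report, not a kernel constant.
IPPORT_RESERVED = 1024
MASQ_PORT_LOW = 61000
MASQ_PORT_HIGH = 65000

# Matches lines of the form
#   ERROR: bender: [host fry.sistina.com: port 63309 not secure]
ERROR_RE = re.compile(
    r"ERROR:\s+(?P<client>[^:\s]+):\s+\[host\s+(?P<peer>[^:\s]+):"
    r"\s+port\s+(?P<port>\d+)\s+not secure\]"
)


def is_secure_port(port):
    """True if Amanda would accept this source port (privileged port)."""
    return 0 < port < IPPORT_RESERVED


def is_masq_port(port):
    """True if the port sits in the masquerading source-port range."""
    return MASQ_PORT_LOW <= port <= MASQ_PORT_HIGH


def classify(line):
    """Parse one log line; return None if it is not a 'not secure' error."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    port = int(m.group("port"))
    if is_secure_port(port):
        verdict = "secure"          # would not have been rejected on port grounds
    elif is_masq_port(port):
        verdict = "masqueraded"     # source port rewritten by the masquerading host
    else:
        verdict = "unprivileged"    # unprivileged, but not the masquerade range
    return {
        "client": m.group("client"),
        "peer": m.group("peer"),
        "port": port,
        "verdict": verdict,
    }


def summarize(log_text):
    """Classify every 'not secure' error in a log; other lines are skipped."""
    results = []
    for line in log_text.splitlines():
        entry = classify(line)
        if entry is not None:
            results.append(entry)
    return results


# Constructed sample log: the first line is the error quoted in the post, the
# rest are made up to show the other verdicts and a line that is not an error.
SAMPLE_LOG = """\
ERROR: bender: [host fry.sistina.com: port 63309 not secure]
ERROR: bender: [host fry.sistina.com: port 64871 not secure]
ERROR: bender: [host homer.example.invalid: port 1025 not secure]
NOTE: bender: planner: disk homer:/home estimate done
"""

if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        print(f"{entry['peer']} port {entry['port']}: {entry['verdict']}")
```

A run of "masqueraded" verdicts whose peer is the firewall's own name, as in the post, is the signature of the masquerading host rewriting the connection; port forwarding alone does not change the source port the tape server sees.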