Isn't this a bit off-topic for amanda-users?
On Thu, Nov 30, 2000 at 11:37:13AM -0500, Bort, Paul wrote:
> I have never figured out how to convince IP Masquerading to not masquerade
> some traffic.
>
> The thought that just occurred to me would be to add another IP address to
> the firewall's inside adapter, and then tell ipchains to only jump to
> masquerading for the original address.
>
> Then you would add port forwarding from the new address to the server
> outside the firewall.
>
> So, if you numbered things like this:
>
> bender: 200.200.200.1
>
> fry: eth0: 200.200.200.2
> eth1: 192.168.1.1
>
> homer: 192.168.1.10
>
> you would need to do something like this on fry:
>
> ifconfig eth1:1 192.168.1.2 up
> ipchains -A input -s 192.168.1.2 -d 200.200.200.1 -j ACCEPT
> ipmasqadm portfw -a -P tcp -L 192.168.1.2 $tcp_port -R 200.200.200.1 $tcp_port
>
> I haven't tested this configuration, can't be responsible if your server
> sprouts demons or daffodils, etc...
>
> But it is my best guess and sounds good. I think the separate IP address is
> the key to keeping MASQ off that traffic.
>
> If you try this, please let the list know if it works, as it could be
> generally useful.
>
> Paul Bort
> Systems Engineer (and guesser)
> TMW Systems, Inc.
>
>
> -----Original Message-----
> From: Tom Hudak [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 29, 2000 8:58 PM
> To: [EMAIL PROTECTED]
> Subject: Firewalls and other joyous things..
>
>
> I've been working on this firewall setup for hours now and may be a bit off
> in my logic.
> Server A (bender) is located outside the firewall, Server B (fry) is the
> firewall, and Server C (homer) is the backup tape server.
> tcp port range is 11080-11084
> udp port range is 850-854 (all of which are open)
> fry masquerades the internal network out to the internet, while blocking
> external traffic yada yada yada.
> I have tried "ipmasqadm portfw" combinations like forwarding the tcp and udp
> port ranges directly from bender to homer as well as using fry as an
> intermediate, like forwarding bender to fry and then fry to homer with
> configs like this:
> ipmasqadm portfw -a -P tcp -L bender $tcp_ports -R homer $tcp_ports
> ^-- assume $tcp_ports is another line in the rc.firewall for each port.
> and
> ipmasqadm portfw -a -P tcp -L bender $tcp_ports -R fry $tcp_ports
> ipmasqadm portfw -a -P tcp -L fry $tcp_ports -R homer $tcp_ports
> which do not work. I have also tried setting up a chain called www-home w/
> the command:
> ipchains -A www-home -p tcp --dport 11080:11084 -s bender -d homer -j ACCEPT
> ipchains -A www-home -p udp --dport 850:854 -s bender -d homer -j ACCEPT
> which ALSO does not work. I do not know if a return port forward for bender
> to homer is required over port 10080 for amandad and cannot find much more
> information regarding the situation of amanda through a firewall other than
> what is mentioned on the faq-o-matic. I never fail to get this error,
> ERROR: bender: [host fry.sistina.com: port 63309 not secure]
> with the port changing every time between 61000 and approx. 65000 which I
> know is reserved for masquerading. What exactly needs to be forwarded? What
> ports need to be opened other than the ports I've reserved? What is causing
> fry to masquerade amanda's packets back to the tape server instead of
> following the specified ports and routes? Any answers or feedback would be
> much appreciated as this seems to be my final step in setting up this backup
> scheme.
> Thanks ahead of time,
> --
> Thomas J. Hudak
> Jr. Systems Administrator
> Sistina Software Inc.
> Phone: 612.379.3951 Fax: 612.379.3952
>
--
-----------------------------------------------------------------
Dan Wilder <[EMAIL PROTECTED]> Technical Manager & Correspondent
SSC, Inc. P.O. Box 55549 Phone: 206-782-7733 x123
Seattle, WA 98155-0549 URL http://www.linuxjournal.com/
-----------------------------------------------------------------
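As an added example, not code from anyone in this thread: a small POSIX sh script that triages the amandad error Tom quotes, separating a masquerading symptom from an ordinary blocked or unprivileged port. It assumes amandad's check rejects peer source ports at or above 1024 (the "port N not secure" message) and that ipchains masquerading draws source ports from 61000 to 65095 (4096 ports, matching the range Tom observed).

```shell
#!/bin/sh
# Added example, not from the thread. amandad rejects a peer whose source
# port is not a reserved port (< 1024). ipchains masquerading rewrites the
# source port of every forwarded connection into 61000-65095, so a
# masqueraded Amanda connection fails that check regardless of which ports
# are opened on the firewall. These helpers read the error and say which
# case applies.

# Extract the port number from an Amanda error line; prints nothing if absent.
amanda_insecure_port() {
    # Expected shape (from the thread):
    #   ERROR: bender: [host fry.sistina.com: port 63309 not secure]
    printf '%s\n' "$1" | sed -n 's/.*port \([0-9][0-9]*\) not secure.*/\1/p'
}

# Print a one-word diagnosis for a source port number.
classify_port() {
    port=$1
    if [ "$port" -lt 1024 ]; then
        echo reserved          # would have passed amandad's check
    elif [ "$port" -ge 61000 ] && [ "$port" -le 65095 ]; then
        echo masqueraded       # rewritten by ipchains MASQ on the firewall
    else
        echo unprivileged      # client did not bind a reserved port at all
    fi
}

# Diagnose a full error line: prints "<port> <class>", or "no-match" and
# returns 1 when the line is not an Amanda "not secure" error.
diagnose() {
    p=$(amanda_insecure_port "$1")
    [ -n "$p" ] || { echo no-match; return 1; }
    echo "$p $(classify_port "$p")"
}

# Constructed sample lines: the first is the error as Tom reported it, the
# second is made up to show the non-masquerade case.
diagnose 'ERROR: bender: [host fry.sistina.com: port 63309 not secure]'
diagnose 'ERROR: bender: [host homer: port 2049 not secure]'
```

A "masqueraded" result means the fix is to keep that traffic out of the MASQ rule (as Paul proposes), not to open more ports.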