Ok, using netcat I have determined that direct port->port communications exist
for all specified port ranges as well as 10080 via udp as configured for
amandad, using the commands:
homer: nc -l -p 10080
bender: nc -p 10080 -v homer.sistina.com 10080 -> cmd-in-nc amanda
to which homer's nc session prints "amanda".
This works both ways on ALL configured port ranges (11080-11084 tcp / 850-854 udp).
Here is my ipchains/ipmasqadm portfw rule set.

/sbin/ipchains -A input -p udp -s $HOMER 10080 -d $BENDER 10080 -j ACCEPT
/usr/sbin/ipmasqadm portfw -a -P udp -L $FRY 10080 -R $HOMER 10080
/sbin/ipchains -A output -p udp -s $FRY 10080 -d $HOMER 10080 -j ACCEPT

/sbin/ipchains -A output -p tcp --sport 11080:11084 --dport 11080:11084 -s $FRY -d $HOMER -j ACCEPT

/usr/sbin/ipmasqadm portfw -a -P tcp -L $FRY 11080 -R $HOMER 11080
/usr/sbin/ipmasqadm portfw -a -P tcp -L $FRY 11081 -R $HOMER 11081
/usr/sbin/ipmasqadm portfw -a -P tcp -L $FRY 11082 -R $HOMER 11082
/usr/sbin/ipmasqadm portfw -a -P tcp -L $FRY 11083 -R $HOMER 11083
/usr/sbin/ipmasqadm portfw -a -P tcp -L $FRY 11084 -R $HOMER 11084

## UDP forwarding from homer to bender
/sbin/ipchains -A output -p udp --sport 850:854 --dport 850:854 -s $FRY -d $HOMER -j ACCEPT

/usr/sbin/ipmasqadm portfw -a -P udp -L $FRY 850 -R $HOMER 850 
/usr/sbin/ipmasqadm portfw -a -P udp -L $FRY 851 -R $HOMER 851
/usr/sbin/ipmasqadm portfw -a -P udp -L $FRY 852 -R $HOMER 852
/usr/sbin/ipmasqadm portfw -a -P udp -L $FRY 853 -R $HOMER 853
/usr/sbin/ipmasqadm portfw -a -P udp -L $FRY 854 -R $HOMER 854

What other ports, if any, should/need to be forwarded or allowed through in
order to get amcheck to complete successfully, as I am still getting this
error?  ERROR: bender: [host fry.sistina.com: port 64865 not secure]
Could it have something to do with the placement of the rules (probably a
question for the author of ipchains)? Or possibly that, even though the rules
are set and the routes work, everything is still being masqueraded? Is there a
way to force no masquerading for a port or range of ports? I know these are
not questions specific to amanda itself, but this is the only issue I have yet
to deal with before a successful 2.4.2 config for ALL my boxen. Has anyone
else backed up boxen OUTSIDE of their internal lan through an ipchains/other
based firewall? Any light that could be shed on this problem is that much more
helpful. Thanks ahead of time for any responses.
-- 
Thomas J. Hudak
Jr. Systems Administrator
Sistina Software Inc.
Phone: 612.379.3951     Fax: 612.379.3952
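Added example, not part of the original post and not amanda's or ipchains' own code: a small Python checker that parses the ruleset quoted above, reports every required port that lacks an ipmasqadm portfw entry or an output-chain ACCEPT, and classifies the port named in the error message. The rule text is a constructed copy of the post's rules (wrapped lines joined, $HOMER/$FRY/$BENDER left as shell variables), the REQUIRED ranges are the ones the post lists, and 1024 is the standard IPPORT_RESERVED boundary: 64865 lies above it, so it is not a reserved port, and it is also outside every range the ruleset forwards, which is consistent with the connection being masqueraded onto a fresh high source port rather than passing through the forwarded ranges.

```python
"""Audit an ipchains/ipmasqadm port-forwarding ruleset against the port ranges
an amanda server/client pair is configured for.  Example code only."""
import shlex

# Constructed sample: the ruleset from the post, one rule per line.
RULES = """\
/sbin/ipchains -A input -p udp -s $HOMER 10080 -d $BENDER 10080 -j ACCEPT
/usr/sbin/ipmasqadm portfw -a -P udp -L $FRY 10080 -R $HOMER 10080
/sbin/ipchains -A output -p udp -s $FRY 10080 -d $HOMER 10080 -j ACCEPT
/sbin/ipchains -A output -p tcp --sport 11080:11084 --dport 11080:11084 -s $FRY -d $HOMER -j ACCEPT
/usr/sbin/ipmasqadm portfw -a -P tcp -L $FRY 11080 -R $HOMER 11080
/usr/sbin/ipmasqadm portfw -a -P tcp -L $FRY 11081 -R $HOMER 11081
/usr/sbin/ipmasqadm portfw -a -P tcp -L $FRY 11082 -R $HOMER 11082
/usr/sbin/ipmasqadm portfw -a -P tcp -L $FRY 11083 -R $HOMER 11083
/usr/sbin/ipmasqadm portfw -a -P tcp -L $FRY 11084 -R $HOMER 11084
/sbin/ipchains -A output -p udp --sport 850:854 --dport 850:854 -s $FRY -d $HOMER -j ACCEPT
/usr/sbin/ipmasqadm portfw -a -P udp -L $FRY 850 -R $HOMER 850
/usr/sbin/ipmasqadm portfw -a -P udp -L $FRY 851 -R $HOMER 851
/usr/sbin/ipmasqadm portfw -a -P udp -L $FRY 852 -R $HOMER 852
/usr/sbin/ipmasqadm portfw -a -P udp -L $FRY 853 -R $HOMER 853
/usr/sbin/ipmasqadm portfw -a -P udp -L $FRY 854 -R $HOMER 854
"""

# Port ranges the post says amanda is configured for: (proto, first, last).
REQUIRED = [("udp", 10080, 10080), ("tcp", 11080, 11084), ("udp", 850, 854)]

IPPORT_RESERVED = 1024  # ports below this are "reserved" (privileged) ports


def parse_range(spec):
    """'850:854' -> (850, 854); '10080' -> (10080, 10080)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_rules(text):
    """Return (forwarded, accepted).

    forwarded: set of (proto, local_port) that have an ipmasqadm portfw entry.
    accepted:  set of (chain, proto, dst_port) covered by an ipchains ACCEPT.
    """
    forwarded, accepted = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        if "ipmasqadm" in toks[0] and "portfw" in toks:
            proto = toks[toks.index("-P") + 1]
            lport = int(toks[toks.index("-L") + 2])  # -L <addr> <port>
            forwarded.add((proto, lport))
        elif "ipchains" in toks[0] and "ACCEPT" in toks:
            chain = toks[toks.index("-A") + 1]
            proto = toks[toks.index("-p") + 1]
            dports = None
            if "--dport" in toks:
                dports = parse_range(toks[toks.index("--dport") + 1])
            elif "-d" in toks:
                i = toks.index("-d")
                # ipchains also accepts '-d <addr> <port>'; the port is optional
                if i + 2 < len(toks) and toks[i + 2].isdigit():
                    dports = parse_range(toks[i + 2])
            if dports:
                for port in range(dports[0], dports[1] + 1):
                    accepted.add((chain, proto, port))
    return forwarded, accepted


def missing_coverage(forwarded, accepted, required=REQUIRED):
    """List (proto, port, reason) for every required port that lacks a portfw
    entry or an output-chain ACCEPT for that destination port."""
    gaps = []
    for proto, lo, hi in required:
        for port in range(lo, hi + 1):
            if (proto, port) not in forwarded:
                gaps.append((proto, port, "no portfw"))
            if ("output", proto, port) not in accepted:
                gaps.append((proto, port, "no output ACCEPT"))
    return gaps


def classify_port(port, required=REQUIRED):
    """Describe a port seen in a 'port N not secure' error: is it a reserved
    port, and does it fall inside any of the configured/forwarded ranges?"""
    in_range = any(lo <= port <= hi for _, lo, hi in required)
    return {"port": port, "reserved": port < IPPORT_RESERVED,
            "in_configured_range": in_range}


if __name__ == "__main__":
    fwd, acc = parse_rules(RULES)
    print("coverage gaps:", missing_coverage(fwd, acc) or "none")
    print("error port:", classify_port(64865))
```

Run it as-is to confirm the quoted ruleset covers every configured port; delete one portfw line to see the gap reported. The classification of 64865 is the useful part for this thread: a port that is neither reserved nor inside any forwarded range is what a masquerading gateway produces when it rewrites the source port, so the check points at the masquerading rather than at a missing range.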