On Mon, 26 Nov 2001 at 6:48am, Joshua Baker-LePain wrote

> ipchains on the server is blocking the selfcheck responses from the
> clients. I had this same issue, but I didn't investigate it too much. I
> fixed it by simply opening up the server to all UDP traffic from each
> client, as in (in /etc/sysconfig/ipchains);
>
> -A input -p udp -s $CLIENT_IP_ADDRESS -d $SERVER_IP_ADDRESS -j ACCEPT
>
> But now you got me curious, so I fired up tcpdump. The response packets
> come back on random, privileged (i.e. < 1024) ports. That is, the
> requests go to 10080 on the clients, and the responses come back from
> 10080 on the clients, but they go to a port lower than 1024 on the server.
> So a line as above is only a little bit of overkill -- you could get away
> with "just" opening up the privileged ports.
Responding to myself here, you can be more paranoid by only accepting
packets from the amanda port on the client:

-A input -p udp -s $CLIENT_IP_ADDRESS 10080 -d $SERVER_IP_ADDRESS -j ACCEPT

This passes amcheck, but I'm not sure about amdump (yet, we'll see tonight)
or amrecover. YMMV, and tcpdump/ethereal are your friends.

-- 
Joshua Baker-LePain
Department of Biomedical Engineering
Duke University
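
An added example, not part of the original post: a small model of the ACCEPT rules in this thread, evaluated against constructed UDP packets to show how much each rule admits besides the selfcheck reply. The addresses, packet names and the third rule (amanda source port combined with the privileged destination range) are assumptions for illustration.

```python
from typing import NamedTuple, Optional, Tuple

# All addresses and packets below are constructed sample values.
CLIENT, SERVER, OTHER = "192.0.2.10", "192.0.2.1", "192.0.2.99"
AMANDA = (10080, 10080)      # amanda port on the client, from the post
PRIVILEGED = (0, 1023)       # "privileged (i.e. < 1024)" ports

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class Rule(NamedTuple):
    """Model of '-A input -p udp -s SRC [ports] -d DST [ports] -j ACCEPT'."""
    src: str
    dst: str
    sports: Optional[Tuple[int, int]] = None   # None means any port
    dports: Optional[Tuple[int, int]] = None

    def accepts(self, p: Packet) -> bool:
        def in_range(port, rng):
            return rng is None or rng[0] <= port <= rng[1]
        return (p.src == self.src and p.dst == self.dst
                and in_range(p.sport, self.sports)
                and in_range(p.dport, self.dports))

RULES = {
    "all-udp-from-client": Rule(CLIENT, SERVER),              # first rule in the thread
    "from-amanda-port": Rule(CLIENT, SERVER, sports=AMANDA),  # second rule in the thread
    # Hypothetical combination, not in the post: also pin the destination range.
    "amanda-to-privileged": Rule(CLIENT, SERVER, AMANDA, PRIVILEGED),
}

PACKETS = {
    "selfcheck-reply": Packet(CLIENT, 10080, SERVER, 845),
    "amanda-port-to-high-port": Packet(CLIENT, 10080, SERVER, 2049),
    "other-client-udp": Packet(CLIENT, 33000, SERVER, 111),
    "other-host": Packet(OTHER, 10080, SERVER, 845),
}

def accepted_by(rule_name: str) -> list:
    """Names of the sample packets the given rule would ACCEPT."""
    rule = RULES[rule_name]
    return sorted(n for n, p in PACKETS.items() if rule.accepts(p))

if __name__ == "__main__":
    for name in RULES:
        print(f"{name:22} accepts {accepted_by(name)}")
```

The model covers only the selfcheck replies described from the tcpdump capture; whether amdump or amrecover need other ports is not represented here.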
