I'm hoping someone can give me some advice on setting up Amanda with a
firewall and Network Address Translation.
My amanda system backs up hosts both inside and outside the firewall.
The clients inside back up fine. I've never been able to get the ones
outside to pass the "amcheck DailySet1 -c" check:
amanda@admin:~ > amcheck DailySet1 -c
Amanda Backup Client Hosts Check
--------------------------------
WARNING: external: selfcheck request timed out. Host down?
WARNING: www: selfcheck request timed out. Host down?
WARNING: real: selfcheck request timed out. Host down?
Client check: 8 hosts checked in 30.058 seconds, 3 problems found
(brought to you by Amanda 2.4.3b1)
amanda@admin:~ >
I compiled amanda, both on "admin" (inside the firewall tapeserver
host) and on "www" (outside the firewall amanda client) with this
configuration:
./configure --with-tcpportrange=10084,10100 --with-udpportrange=932,948
--with-user=amanda --with-group=disk
In my /home/amanda/.amandahosts file on admin, the tapeserver, I have:
www.jhuccp.org amanda
My /home/amanda/.amandahosts file on www is:
www:~ # cat /home/amanda/.amandahosts
162.129.225.189 amanda
www:~ #
162.129.225.189 is the IP address for the host "admin". This host's
reverse lookup doesn't resolve to a domain name outside the firewall,
just an IP address.
I've run netcat on admin on ports 932/tcp and /udp and 10100/tcp and
/udp. Here are two samples of the output on each end. In the first, www
is sending on 932/tcp:
www:~ # netcat -v 162.129.225.189 932
162.129.225.189: inverse host lookup failed: Unknown host : No such
file or directory
(UNKNOWN) [162.129.225.189] 932 (?) open
ddd
punt!
www:~ #
admin:~ # netcat -v -l -p 932
listening on [any] 932 ...
connect to [172.16.2.7] from www.jhuccp.org [162.129.225.190] 35919
ddd
admin:~ #
Notice that NAT translates the IP address which www is sending to
(162.129.225.189) outside the firewall to 162.129.225.190, which is used
inside the firewall. I don't know why this is necessary. The guy
configuring the firewall assures me that it is. This then is resolved by
a DNS reverse lookup to www.jhuccp.org. The fact that the packets
('ddd') pass okay reassures me that it is working.
In this second example of using netcat, www is listening on port
10100/tcp:
admin:~ # netcat -v www 10100
www.jhuccp.org [162.129.225.190] 10100 (?) open
fff
punt!
admin:~ #
www:~ # netcat -v -l -p 10100
listening on [any] 10100 ...
162.129.225.189: inverse host lookup failed: Unknown host : No such
file or directory
connect to [162.129.225.190] from (UNKNOWN) [162.129.225.189] 41885
fff
www:~ #
Based on this, I think the firewall's passing the traffic and the NAT
is working properly.
Anyone have any further suggestions for things I can change or other
diagnostic methods I can use to fix this?
Thank you all very much for your time and thoughts. Have a happy and
safe New Year.
-Kevin Zembower
-----
E. Kevin Zembower
Unix Administrator
Johns Hopkins University/Center for Communications Programs
111 Market Place, Suite 310
Baltimore, MD 21202
410-659-6139
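The post asks for other diagnostic methods, and the netcat runs above only exercise TCP while showing that NAT rewrites addresses on the path. The following probe is an added example (not from the original post or from Amanda itself): it sends a single UDP datagram from a chosen local port, the way Amanda binds requests inside its --with-udpportrange, and reports which address and port the reply comes back from, so an asymmetric return path (reply arriving from a different address than the one sent to, or no reply at all) shows up directly. The echo listener and the probe payload are constructed for the demonstration; run the listener side on the far host in practice.

```python
import socket
import threading

PROBE = b"amanda-probe"  # constructed payload, not Amanda's own protocol

def start_echo_server(host="127.0.0.1"):
    # Constructed stand-in for the far-end listener: answers with the peer address it saw, '|', then the datagram.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    srv.settimeout(5)
    port = srv.getsockname()[1]
    def serve():
        try:
            data, peer = srv.recvfrom(4096)
            srv.sendto(f"{peer[0]}:{peer[1]}|".encode() + data, peer)
        except OSError:
            pass
        finally:
            srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def udp_probe(target, port, src_port=0, timeout=3.0):
    # One datagram from a fixed local port (src_port=0 lets the OS choose); None if nothing comes back.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.bind(("", src_port))
    local_port = s.getsockname()[1]
    try:
        s.sendto(PROBE, (target, port))
        data, addr = s.recvfrom(4096)
    except OSError:  # a timeout and an ICMP port-unreachable both land here
        return None
    finally:
        s.close()
    seen, _, echoed = data.partition(b"|")
    return {"local_port": local_port, "reply_from": addr[0],
            "reply_port": addr[1], "seen_as": seen.decode(), "echo": echoed}

def nat_findings(result, target, port):
    # Empty list means the return leg is symmetric: no rewritten address or port.
    if result is None:
        return ["no reply: request or reply dropped in transit"]
    out = []
    if result["reply_from"] != target:
        out.append(f"reply from {result['reply_from']}, sent to {target}")
    if result["reply_port"] != port:
        out.append(f"reply from port {result['reply_port']}, sent to {port}")
    return out
```

Binding a source port below 1024 (such as the 932-948 range in the configure line) requires root, which is why the default lets the OS pick a port.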