Well, in my situation I just compiled Amanda to use a restricted port range for both the TCP and UDP connections and set up the firewall with a special NAT rule to pass packets from the Amanda server to our clients unchanged. I can't help you with the Elron Commander because I'm not familiar with that; I'm using IP Filter. IP Filter typically does the same NAT portmap translation, but preceding the rules with this one prevents the Amanda packets from being changed.
Obviously your environment will probably dictate what you can and can't do in regards to your firewall rules. Good luck. ;|

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Doug Silver
Network Manager
Quantified Systems, Inc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On 20 Mar 2002, Pedro Caria wrote:

> Yes, I solved this by patching the file security.c.
>
> It's a dirty hack, but in my setup it doesn't worry me...
>
> [snip]
>
> On Wed, 2002-03-20 at 15:23, KEVIN ZEMBOWER wrote:
> > I haven't been paying attention to this whole thread, but thought I'd throw my two cents in.
> >
> > I was never able to get amanda to work through a firewall using NAT. The way NAT works in the Elron Commander firewall, and most other ones, I think, is by arbitrarily reassigning port numbers to keep track of which connection on the inside corresponds to which communication on the outside.
> >
> > Example:
> > Amanda on host tapehost talks to host X from port 932/UDP (I'm making this up from my setup). Host X responds correctly, because it was addressed from the proper privileged (<1024) port.
> > Now, amanda on host tapehost wants to talk to host X from port 932/UDP, but the request gets sent to the firewall. The firewall assigns a random port, in the unprivileged range (>1024), let's say 10080. It records in its lookup table that packets from tapehost are assigned to port 10080. In most applications, this would be fine, as the recipient would send the packets back to the firewall at port 10080, and the firewall would match port 10080 with tapehost and send the packet in to it. However, with amanda, when host X gets the packet from port 10080, it rejects it with an error message like "Unprivileged port".
> >
> > To diagnose this, I used a combination of netcat and tcpdump, on both the sender and recipient.
> >
> > I was never able to overcome this, because the Elron firewall software can't not translate the port, as far as I and our Information Services group could tell.
> >
> > Since the original poster didn't mention this error message at all, this explanation may not relate to his problem.
> >
> > Sorry if this doesn't apply. If it does, and you have further questions, please write.
> >
> > -Kevin Zembower
> >
> > -----
> > E. Kevin Zembower
> > Unix Administrator
> > Johns Hopkins University/Center for Communications Programs
> > 111 Market Place, Suite 310
> > Baltimore, MD 21202
> > 410-659-6139
> >
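An added illustration of the failure Kevin describes above; this is not code from the thread and not Amanda's own check (that lives in security.c, the file Pedro patched). It is a small Python model of the client's privileged-source-port test run over a constructed tcpdump-style capture, together with two NAT models: a port-rewriting portmap of the kind Kevin hit on the Elron box, and an address-only pass-through of the kind Doug placed ahead of his ipnat portmap. The hostnames, the 40000-60000 pool, and every capture line are made up for the example.

```python
"""Model of the failure mode in this thread: Amanda insists that a server's
UDP request arrive from a privileged source port (< 1024), and a NAT portmap
that rewrites source ports into the unprivileged range defeats that check.
Illustrative code written for this page, not Amanda's security.c; the
tcpdump-style capture below is constructed, not recorded."""
import re
from dataclasses import dataclass, field

PRIVILEGED_MAX = 1023    # binding a port <= 1023 needs root; Amanda relies on that
AMANDA_UDP_PORT = 10080  # amanda/udp, the port the client listens on

# Constructed tcpdump lines (hostnames and ports invented for the example).
CAPTURE = """\
14:02:11.000001 IP tapehost.932 > hostx.10080: UDP, length 120
14:02:11.000400 IP hostx.10080 > tapehost.932: UDP, length 88
14:03:05.000001 IP firewall.40017 > hostx.10080: UDP, length 120
14:03:05.000300 IP hostx.10080 > firewall.40017: UDP, length 40
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")


def parse_udp(line):
    """Return (src, sport, dst, dport) for a tcpdump UDP line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)


def client_accepts(sport):
    """The test Kevin's client tripped over: the request must come from a
    privileged source port, otherwise "Unprivileged port" and a reject."""
    return 0 < sport <= PRIVILEGED_MAX


def audit(capture, amanda_port=AMANDA_UDP_PORT):
    """Apply the privileged-port test to every request addressed to the amanda
    port in a capture and report what the client would do with each one."""
    verdicts = []
    for line in capture.splitlines():
        parsed = parse_udp(line)
        if parsed is None or parsed[3] != amanda_port:
            continue  # replies and unrelated traffic are not checked
        src, sport, _, _ = parsed
        verdict = "ok" if client_accepts(sport) else "REJECT: unprivileged port"
        verdicts.append((src, sport, verdict))
    return verdicts


@dataclass
class PortmapNat:
    """NAT that hands each new inside flow a fresh source port from an
    unprivileged pool (the behaviour Kevin describes for the Elron box and
    the default portmap behaviour Doug mentions for ipnat)."""
    low: int = 40000
    high: int = 60000
    table: dict = field(default_factory=dict)  # (host, sport) -> public port

    def translate(self, host, sport):
        key = (host, sport)
        if key not in self.table:
            nxt = self.low + len(self.table)
            if nxt > self.high:
                raise RuntimeError("portmap pool exhausted")
            self.table[key] = nxt
        return self.table[key]


class PassthroughNat:
    """NAT rule that rewrites only the address and leaves the source port
    alone, which is what Doug's extra rule achieves for Amanda traffic."""
    def translate(self, host, sport):
        return sport


def survives_nat(sport, nat, host="tapehost"):
    """Does a request sent from `sport` still pass the client's test after
    the NAT has had its way with the packet?"""
    return client_accepts(nat.translate(host, sport))


def range_survives_nat(low, high, nat, host="tapehost"):
    """Check a compiled-in UDP source-port range against a NAT: Amanda only
    works through it if every port in the range still passes the test."""
    return all(survives_nat(p, nat, host) for p in range(low, high + 1))


if __name__ == "__main__":
    for src, sport, verdict in audit(CAPTURE):
        print(f"{src}:{sport} -> {verdict}")
    print("portmap keeps 850-854 usable:", range_survives_nat(850, 854, PortmapNat()))
    print("pass-through keeps 850-854 usable:", range_survives_nat(850, 854, PassthroughNat()))
```

The audit shows the two halves of Kevin's diagnosis side by side: the request that left tapehost from port 932 is accepted, the same request seen after a portmap rewrite to 40017 is rejected. The range check is the test Doug's approach has to pass: the compile-time restriction (in the Amanda 2.4 series the configure options are --with-udpportrange=low,high and --with-tcpportrange=low,high) only helps if the firewall rule ahead of the portmap really does leave those ports untouched, which is exactly what `range_survives_nat` verifies for a given NAT behaviour.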
