Hi Doug,

If I open my firewall, are there any security concerns/vulnerabilities that I would need to know about? I understand (I think) that Amanda has security problems; is this true, or are there Amanda patches that I could get to fix them?

I'm running Amanda 2.4.2p2 on FreeBSD client and server.

Thanks!
Ward.

-----Original Message-----
From: Doug Silver [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 04, 2002 2:38 PM
To: Ward Violanti
Cc: [EMAIL PROTECTED]
Subject: Re: Amanda and Firewalls.

On Thu, 4 Apr 2002, Ward Violanti wrote:

> Hi Amanda Users,
>
> I have a question. I would like to use Amanda on servers that we have
> outside our firewall. Is there any way to get Amanda to work without
> opening ports on the firewall, such as using SSH or some other way, or will
> Amanda work only with ports opened through the firewall?
>
> I have read the FAQs on the Amanda site, and I don't understand why there
> has to be a range of UDP ports open. Would it work with just using one UDP
> port, instead of opening a range of UDP ports? Maybe someone could explain
> how and why, and which ports I should open on the firewall.
>
> Thanks!
> Ward.

While I'm sure JJ and others lurking can confirm the true details, I believe that the clients start sending back udp packets to the server like so (from one of my client sendbackup files):

sendbackup: stream_server: waiting for connection: 0.0.0.0.729
sendbackup: stream_server: waiting for connection: 0.0.0.0.730
sendbackup: stream_server: waiting for connection: 0.0.0.0.731
waiting for connect on 729, then 730, then 731
sendbackup: stream_accept: connection from <firewall>.719
sendbackup: stream_accept: connection from <firewall>.720
sendbackup: stream_accept: connection from <firewall>.721
got all connections

Since ssh is a tcp connection, I don't see any way to have Amanda use that as the transport device because of how it was designed to use udp for speed/etc. If you compile Amanda to restrict the tcp/udp port ranges, it won't open up anything on your firewall that the public can see; it's more that your firewall is configured to pass such connections on to the clients and vice versa.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Doug Silver
Network Manager
Quantified Systems, Inc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
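A small check worth running against the client-side sendbackup output Doug quoted, added here as example code that is neither from the thread nor from Amanda itself: it parses the `stream_server`/`stream_accept` lines and reports any client listening port, or server source port, that falls outside the port window the firewall is expected to pass. The sample log and the server address 192.0.2.10 (standing in for Doug's `<firewall>` placeholder) are constructed.

```python
import re

# Constructed sample, modelled on the sendbackup output quoted in the thread;
# 192.0.2.10 stands in for the "<firewall>" placeholder in the original.
SAMPLE_LOG = """\
sendbackup: stream_server: waiting for connection: 0.0.0.0.729
sendbackup: stream_server: waiting for connection: 0.0.0.0.730
sendbackup: stream_server: waiting for connection: 0.0.0.0.731
waiting for connect on 729, then 730, then 731
sendbackup: stream_accept: connection from 192.0.2.10.719
sendbackup: stream_accept: connection from 192.0.2.10.720
sendbackup: stream_accept: connection from 192.0.2.10.721
got all connections
"""

# sendbackup prints "addr.port"; the last dotted field is the port number.
LISTEN_RE = re.compile(r"stream_server: waiting for connection: (\S+)\.(\d+)$")
ACCEPT_RE = re.compile(r"stream_accept: connection from (\S+)\.(\d+)$")

def parse_sendbackup(log):
    """Return (ports the client listened on, [(peer, peer source port), ...])."""
    listening, accepted = [], []
    for line in log.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            listening.append(int(m.group(2)))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            accepted.append((m.group(1), int(m.group(2))))
    return listening, accepted

def check_port_window(listening, accepted, client_range, server_range, expected_peer):
    """Return observations outside the inclusive (low, high) windows the firewall passes."""
    problems = []
    lo, hi = client_range
    problems += [f"client listened on {p}, outside {lo}-{hi}" for p in listening if not lo <= p <= hi]
    lo, hi = server_range
    for peer, port in accepted:
        if peer != expected_peer:  # the server's address as seen by the client (assumed input)
            problems.append(f"connection from unexpected peer {peer}")
        if not lo <= port <= hi:
            problems.append(f"server connected from source port {port}, outside {lo}-{hi}")
    if len(accepted) != len(listening):
        problems.append(f"{len(listening)} streams offered but {len(accepted)} connected")
    return problems
```

An empty result means every port seen in the log is covered by the two windows; anything listed is a port the firewall rules, or the compiled-in port range, do not account for.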
