Hi Ward -

Well, I'll have to defer to the Amanda developers to address the security
problems, but my view on it is that by making sure the clients are secure
and the firewall is very restrictive about the Amanda connections
(both allowing in and out), it's a minimal security risk.  Or rather,
it's worth the risk ;)  Let me know if you would like further advice with
the firewall setup/etc.  My setup is the same as yours, though I'd guess
we probably have different firewall software.

-doug

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Doug Silver
Network Manager
Quantified Systems, Inc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Fri, 5 Apr 2002, Ward Violanti wrote:

> Hi Doug,
> 
>    If I open my firewall, are there any security concerns/vulnerabilities
> that I would need to know about?  I understand (I think) that Amanda has
> security problems; is this true, or are there Amanda patches that I could
> get to fix them?
> 
> I'm running Amanda 2.4.2p2 on FreeBSD client and server.
> 
> Thanks!
>    Ward.
> 
> -----Original Message-----
> From: Doug Silver [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 04, 2002 2:38 PM
> To: Ward Violanti
> Cc: [EMAIL PROTECTED]
> Subject: Re: Amanda and Firewalls.
> 
> 
> On Thu, 4 Apr 2002, Ward Violanti wrote:
> 
> >
> > Hi Amanda Users,
> >
> >
> >     I have a question, I would like to use Amanda on servers that we have
> > outside our firewall.  Is there any way to get Amanda to work without
> > opening ports on the firewall?  Such as using SSH or some other way, or
> > will Amanda work with only using ports open through the firewall?
> >
> > I have read the FAQs on the Amanda site, and I don't understand why there
> > has to be a range of UDP ports open.  Would it work with just using one
> > UDP port, instead of opening a range of UDP ports?  Maybe someone could
> > explain how and why, and which ports I should open on the firewall.
> >
> > Thanks!
> >     Ward.
> >
> 
> While I'm sure JJ and others lurking can confirm the true details, I
> believe that the clients start sending back udp packets to the server like
> so (from one of my client sendbackup files):
> 
> sendbackup: stream_server: waiting for connection: 0.0.0.0.729
> sendbackup: stream_server: waiting for connection: 0.0.0.0.730
> sendbackup: stream_server: waiting for connection: 0.0.0.0.731
>   waiting for connect on 729, then 730, then 731
> sendbackup: stream_accept: connection from <firewall>.719
> sendbackup: stream_accept: connection from <firewall>.720
> sendbackup: stream_accept: connection from <firewall>.721
>   got all connections
> 
> Since ssh is a tcp connection, I don't see any way to have Amanda use that
> as the transport device because of how it was designed to use udp for
> speed/etc.  If you compile Amanda to restrict the tcp/udp portranges, it
> won't open up anything on your firewall that the public can see; it's more
> that your firewall is configured to pass such connections on to the
> clients and vice-versa.
> 
>  --
