OK, questions about a port through a firewall should be easily answered by the logs. What does the firewall log say about the connection attempts by the host(s) in question? Even my $300 Sonicwall can answer this question.
Dana Bourgeois

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Lavigne
> Sent: Tuesday, November 04, 2003 3:11 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: What ports does Amanda use?
>
> All servers are in my /28 block (the one in question is .27),
>
> Well my ipfilter rules say:
>
> # amanda tape backup (tcp/udp:10080, 10082, 10083)(tcp:50000-50040,udp:890-899)
> pass out quick on dc1 proto tcp from any to 216.138.226.16/28 port = 10080 flags S keep state group 20
> pass out quick on dc1 proto tcp from any to 216.138.226.16/28 port = 10082 flags S keep state group 20
> pass out quick on dc1 proto tcp from any to 216.138.226.16/28 port = 10083 flags S keep state group 20
> pass out quick on dc1 proto udp from any to 216.138.226.16/28 port = 10080 keep state group 20
> pass out quick on dc1 proto udp from any to 216.138.226.16/28 port = 10082 keep state group 20
> pass out quick on dc1 proto udp from any to 216.138.226.16/28 port = 10083 keep state group 20
> pass out quick on dc1 proto tcp from any to 216.138.226.16/28 port 49999 >< 50041 flags S keep state group 20
> pass out quick on dc1 proto udp from any to 216.138.226.16/28 port 889 >< 900 keep state group 20
>
> # amanda tape backup (tcp/udp:10080, 10082, 10083)(tcp:50000-50040,udp:890-899)
> pass in quick on dc1 proto tcp from 216.138.226.16/28 to any port = 10080 flags S keep state group 30
> pass in quick on dc1 proto tcp from 216.138.226.16/28 to any port = 10082 flags S keep state group 30
> pass in quick on dc1 proto tcp from 216.138.226.16/28 to any port = 10083 flags S keep state group 30
> pass in quick on dc1 proto udp from 216.138.226.16/28 to any port = 10080 keep state group 30
> pass in quick on dc1 proto udp from 216.138.226.16/28 to any port = 10082 keep state group 30
> pass in quick on dc1 proto udp from 216.138.226.16/28 to any port = 10083 keep state group 30
> pass in quick on dc1 proto tcp from 216.138.226.16/28 to any port 49999 >< 50041 flags S keep state group 30
> pass in quick on dc1 proto udp from 216.138.226.16/28 to any port 889 >< 900 keep state group 30
>
> With the rules off, all 7 servers work, with the rules on all
> but one work. I have installed a new client with the port
> ranges set (as noted in the rules) and I am seeing the same
> thing, here is the amstats output:
>
> samba# su amanda -c 'amstatus Daily'
> Using /var/amanda/Daily/logs/amdump from Tue Nov 4 18:02:29 EST 2003
>
> cvs.bwlogic.com:/etc                 0    1150k estimate done
> cvs.bwlogic.com:/var/cvs             0  180020k estimate done
> cvs.bwlogic.com:/var/log             0    1430k estimate done
> dns1.bwlogic.com:/etc                           getting estimate
> dns1.bwlogic.com:/usr/local/vpopmail            getting estimate
> dns1.bwlogic.com:/usr/local/www                 getting estimate
> dns1.bwlogic.com:/var/log                       getting estimate
> dns2.bwlogic.com:/etc                0    1190k estimate done
> dns2.bwlogic.com:/var/log            0   10220k estimate done
> fw.bwlogic.com:/etc                  0    1510k estimate done
> fw.bwlogic.com:/var/log              0     230k estimate done
> mysql.bwlogic.com:/dbdata            0   25460k estimate done
> mysql.bwlogic.com:/etc               0    1380k estimate done
> mysql.bwlogic.com:/var/log           0    4750k estimate done
> samba.bwlogic.com:/backup/bwlogic    0 4661460k estimate done
> samba.bwlogic.com:/backup/storage    0      40k estimate done
> samba.bwlogic.com:/db                0      10k estimate done
> samba.bwlogic.com:/etc               0    1160k estimate done
> samba.bwlogic.com:/var/log           0     470k estimate done
> samba.bwlogic.com:/web               0  672810k estimate done
> www1.bwlogic.com:/etc                0    1380k estimate done
> www1.bwlogic.com:/usr/local/www      0  411780k estimate done
> www1.bwlogic.com:/var/log            0     430k estimate done
> www2.bwlogic.com:/etc                0    1380k estimate done
> www2.bwlogic.com:/usr/local/www      0  257680k estimate done
> www2.bwlogic.com:/var/log            0     930k estimate done
>
> SUMMARY          part      real  estimated
>                            size       size
> partition       :  26
> estimated       :  22               6236870k
> flush           :   0         0k
> failed          :   0                    0k           (  0.00%)
> wait for dumping:   0                    0k           (  0.00%)
> dumping to tape :   0                    0k           (  0.00%)
> dumping         :   0         0k         0k (  0.00%) (  0.00%)
> dumped          :   0         0k         0k (  0.00%) (  0.00%)
> wait for writing:   0         0k         0k (  0.00%) (  0.00%)
> wait to flush   :   0         0k         0k (100.00%) (  0.00%)
> writing to tape :   0         0k         0k (  0.00%) (  0.00%)
> failed to tape  :   0         0k         0k (  0.00%) (  0.00%)
> taped           :   0         0k         0k (  0.00%) (  0.00%)
> all dumpers active
> taper idle
>
> dns1 stays at "getting estimate" for like 2 hours, then it
> times out and the backup runs. This is so odd, the second odd
> thing to happen with this server so rebuilding from scratch
> might actually be an option.
>
> Thanks for your time and reading my lengthy email, any help
> you can provide would go to good use.
>
> TIA
>
> Jay
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, November 04, 2003 5:29 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: What ports does Amanda use?
>
> Make sure you rebuild both client and server, since the
> server is the one that initiates the connection to the
> client. Its choice of ports must match the ones that the
> client expects to see.
>
> In general, I have found that I must make sure that both ends
> of an Amanda connection are configured consistently to have
> successful connections.
>
> You might want to set up a separate test configuration that
> uses the version of Amanda with the port range options set.
> This will allow you to verify that the selected port ranges
> work for your firewall/server/client combination without
> affecting your other servers (which are still working
> correctly). Once your experimentation is complete, then you
> can merge the two configurations.
>
> Another avenue of exploration:
>
> Check to see that your firewall has all seven servers in the
> same rule set (it sounds to me like the last server is being
> treated differently, possibly because it is on a different
> subnet, belongs to a different department, is in a different
> risk class, etc.). If the rules are different for the
> seventh server, then a simple rule modification on the
> firewall to permit Amanda connections may resolve the entire
> issue without rebuilding Amanda.
>
> Hopefully one or more of these suggestions helps.
>
> Don
>
> Donald L. (Don) Ritchey
> E-mail: [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Jason Lavigne [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 04, 2003 3:34 PM
> To: 'Joshua Baker-LePain'
> Cc: [EMAIL PROTECTED]
> Subject: RE: What ports does Amanda use?
>
> Should I be using
>
> ./configure --with-tcpportrange=50000,50040 --with-udpportrange=890,899
>
> on the client, server or both?
>
> I am still confused why 6 out of 7 servers in my DMZ (behind
> a firewall) work as-is, it is just one server that is giving
> me a headache. I know it is a firewall related issue cause if
> I turn off the firewall the Amanda dump works fine on all 7
> servers, but with it on one server fails to connect. I am
> rebuilding the client first with the --with-tcp* and
> --with-udp* options to see if this works.
>
> My Amanda server is on my private LAN connecting in to the DMZ.
>
> Jay
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Baker-LePain
> Sent: Tuesday, November 04, 2003 3:56 PM
> To: Jason Lavigne
> Cc: [EMAIL PROTECTED]
> Subject: Re: What ports does Amanda use?
>
> On Tue, 4 Nov 2003 at 1:47pm, Jason Lavigne wrote
>
> > Is it just tcp 10080 - 10083?
>
> Read docs/PORT.USAGE. It's udp 10080 and any unprivileged tcp ports
> (well, 3 at a time).
>
> --
> Joshua Baker-LePain
> Department of Biomedical Engineering
> Duke University
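
The log check suggested at the top of this message, as an added example that is not part of the thread: a Python sketch that pulls the blocked packets for one host out of ipmon-style log lines and marks whether each destination port falls inside the ranges the quoted ipfilter rules pass. The ipmon line layout, the server address 192.168.1.10 and the log lines themselves are constructed assumptions; only the port ranges and the .27 host come from the thread.

```python
import re
from collections import Counter

# Destination ports the quoted ipfilter rules permit (inclusive ranges).
ALLOWED = {
    "tcp": [(10080, 10080), (10082, 10083), (50000, 50040)],
    "udp": [(10080, 10080), (10082, 10083), (890, 899)],
}

# Assumed ipmon syslog layout (not taken from the thread):
#   <iface> @<group>:<rule> <action> src,sport -> dst,dport PR <proto> ... IN|OUT
LINE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<act>\w) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) .*\b(?P<dir>IN|OUT)\s*$"
)

def port_allowed(proto, port):
    """True if a packet to this destination port matches one of the pass rules."""
    return any(lo <= port <= hi for lo, hi in ALLOWED.get(proto, []))

def blocked_for_host(lines, host):
    """Count blocked ('b') packets to or from host, keyed by
    (direction, proto, src, dst port, whether the rules cover that port)."""
    hits = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m or m["act"] != "b" or host not in (m["src"], m["dst"]):
            continue
        dport = int(m["dport"])
        hits[(m["dir"], m["proto"], m["src"], dport,
              port_allowed(m["proto"], dport))] += 1
    return hits

# Constructed sample log lines; hosts, ports and rule numbers are illustrative.
SAMPLE_LOG = [
    "Nov  4 18:02:31 fw ipmon[212]: 18:02:30.514003 dc1 @20:4 p 192.168.1.10,893 -> 216.138.226.27,10080 PR udp len 20 132 OUT",
    "Nov  4 18:02:31 fw ipmon[212]: 18:02:30.913377 dc1 @0:1 b 216.138.226.27,10080 -> 192.168.1.10,1021 PR udp len 20 78 IN",
    "Nov  4 18:02:41 fw ipmon[212]: 18:02:40.913377 dc1 @0:1 b 216.138.226.27,10080 -> 192.168.1.10,1021 PR udp len 20 78 IN",
    "Nov  4 18:02:42 fw ipmon[212]: 18:02:41.100200 dc1 @0:1 b 216.138.226.20,4431 -> 192.168.1.10,25 PR tcp len 20 60 -S IN",
]

if __name__ == "__main__":
    for key, count in blocked_for_host(SAMPLE_LOG, "216.138.226.27").items():
        print(count, key)
```

A key whose last field is False is a blocked packet on a port none of the quoted rules cover, which is the first thing to compare between the failing host and the six that work.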
