--On Monday, March 22, 2004 18:26:08 +0100 Hans van Zijst <[EMAIL PROTECTED]> wrote:

> I need some help configuring Amanda to backup a couple of hosts in our DMZ.
> Been trying to get it to work for quite some time, but it just won't work.
> Hosts in the trusted zone go like a charm, but no success on the DMZ hosts
> so far. For some reason our firewall doesn't seem to like Amanda, which
> could partially be attributed to the fact that it doesn't do stateful
> inspection. I realize this question is not a hardcore Amanda thing, but
> hopefully some of you can give me some hints anyway.
>
> We configured the firewall to allow UDP traffic from a secure port on our
> Amanda server in the trusted zone to port 10080 in the DMZ. This works. But
> unfortunately UDP isn't stateful, so we had to define a new set of rules to
> allow the replies. What we did (or think we did) is allow UDP traffic from
> port 10080 from hosts in the DMZ to secure ports on the Amanda server.
> Strangely enough this sometimes works, but usually doesn't. The
> reply-packets sometimes disappear, sometimes generating an ICMP
> "destination unreachable", but sometimes not even that. Sometimes even the
> connections initiated by the Amanda server disappear, usually never
> generating ICMP messages. Whatever we try, we never get to the point where
> a TCP connection is set up (I keep referring to "we" as it's not me who
> administers the firewall).
>
> I compiled Amanda myself, restricting the ports to use to 45000-45100. So I
> think it should be sufficient to punch a hole in the firewall that allows
> TCP traffic from server to client within that range.

Besides the --with-tcpportrange= option, you probably also need the
--with-udpportrange= option as well, and open those UDP ports on the
firewall. See PORTS.USAGE in the docs directory.

Frank

> I just hope some of you can tell me I'm wrong and I need to do something
> else/more... We use Linux machines here and a commercial firewall that
> doesn't do connection tracking, unfortunately.
>
> While I'm at it, what's the reason why the Amanda developers chose UDP for
> the first stage? Is it only the overhead TCP causes?
>
> Thanks in advance.
>
> Hans
>
> HTTP://WWW.Syncera.NL

--
Frank Smith                 [EMAIL PROTECTED]
Sr. Systems Administrator   Voice: 512-374-4673
Hoover's Online             Fax:   512-374-4501
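As an added example (not from the thread or from Amanda itself): a small checker for the stateless-firewall problem Hans describes, which flags each Amanda flow whose forward or reply rule is absent from a rule set. It assumes the flows as the thread states them (server UDP source range to client port 10080, server TCP 45000-45100 to client 45000-45100), a placeholder --with-udpportrange of 850-854, and constructed host names and rule tuples; consult PORTS.USAGE for the exact flows of your Amanda version.

```python
"""Audit a stateless firewall rule set for the flows Amanda needs.

Added example, not from the thread or the Amanda project. Rules use a
constructed vendor-neutral shape: (proto, src, (lo, hi), dst, (lo, hi)).
"""
from typing import List, Tuple

Ports = Tuple[int, int]
Rule = Tuple[str, str, Ports, str, Ports]

AMANDAD_UDP: Ports = (10080, 10080)   # amandad listener on the client (thread)
TCPPORTRANGE: Ports = (45000, 45100)  # --with-tcpportrange from the thread
UDPPORTRANGE: Ports = (850, 854)      # --with-udpportrange: assumed placeholder

def covers(outer: Ports, inner: Ports) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def mirror(rule: Rule) -> Rule:
    """The reply flow of a rule: same protocol, endpoints and ports swapped."""
    proto, src, sp, dst, dp = rule
    return proto, dst, dp, src, sp

def allowed(rules: List[Rule], flow: Rule) -> bool:
    proto, src, sp, dst, dp = flow
    return any(r[0] == proto and r[1] == src and r[3] == dst
               and covers(r[2], sp) and covers(r[4], dp) for r in rules)

def amanda_flows(server: str, client: str) -> List[Rule]:
    """Server-initiated flows as the thread describes them (assumed; check
    PORTS.USAGE for your Amanda version)."""
    return [
        ("udp", server, UDPPORTRANGE, client, AMANDAD_UDP),   # request to amandad
        ("tcp", server, TCPPORTRANGE, client, TCPPORTRANGE),  # dumper -> sendbackup
    ]

def missing_rules(rules: List[Rule], server: str, client: str) -> List[Rule]:
    """Each needed flow and, since the firewall is stateless, its mirror."""
    return [f for flow in amanda_flows(server, client)
            for f in (flow, mirror(flow)) if not allowed(rules, f)]

# Constructed rule set resembling the thread: UDP both ways, TCP forgotten.
SAMPLE_RULES: List[Rule] = [
    ("udp", "amanda-srv", UDPPORTRANGE, "dmz-host", AMANDAD_UDP),
    ("udp", "dmz-host", AMANDAD_UDP, "amanda-srv", UDPPORTRANGE),
]

if __name__ == "__main__":
    for proto, src, sp, dst, dp in missing_rules(SAMPLE_RULES, "amanda-srv", "dmz-host"):
        print(f"missing: {proto} {src}:{sp[0]}-{sp[1]} -> {dst}:{dp[0]}-{dp[1]}")
```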
