Kevin: Sorry about responding late to this post, I have been away from the mailing list for a while, so this may be a stale issue. Be sure and study the docs/PORT.USAGE file in the Amanda distribution for a detailed explanation of how to set up your ports.
There appears to be confusion about the use of port ranges through the firewall. Amanda needs three sets of ports opened in a firewall:

  UDP/10080, TCP/10082, TCP/10083 -> the well-known services that connect clients to Amanda services
  the UDP port range                -> a set of ports for Amanda to exchange information between the clients and the server
  the TCP port range                -> a set of ports to pass the backup data streams between the Amanda clients and servers

During a session, the Amanda server connects to the Amanda UDP port on the client to perform an operation; the request originates from one of the UDP ports in the UDPPORTRANGE. Amanda uses this connection to send commands to the remote client and receive reports of results on the client. To perform a backup, Amanda sends the client a set of three ports in the TCPPORTRANGE that will be used for standard input, output, and error streams. Amanda uses the three ports to send/receive information with the client. The range of addresses needs to be large enough to conduct as many remote sessions as needed by the configuration going through the firewall.

For my firewall, I have the following ports open:

To each client:
  UDP 10080       - Amanda control port
  TCP 10082       - Amanda index service
  TCP 10083       - Amanda tape service
  UDP 880-899     - for bi-directional status data flows
  TCP 50000-50040 - for bi-directional backup stream flows

From clients to the server:
  UDP 10080       - Amanda control port
  TCP 10082       - Amanda index service
  TCP 10083       - Amanda tape service
  UDP 880-899     - for bi-directional status data flows
  Return connections for each established outbound connection

Since I don't control the firewall, I have to depend on rule and port listings from the Firewall group. Good communication of the contents of the docs/PORT.USAGE file from the Amanda distribution file tree is essential for the Firewall Team to be able to set up the firewall to correctly pass the Amanda data streams.
Best of luck with Amanda and hopefully this will get you moving,

Donald L. (Don) Ritchey
Information Technology
Exelon Corporation

-----Original Message-----
From: KEVIN ZEMBOWER [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 18, 2004 3:40 PM
To: [EMAIL PROTECTED]
Subject: Another 'Amanda through firewall' problem

Two years ago, I wrote here about problems getting Amanda to work through a firewall using NAT which couldn't be turned off. I finally gave up in frustration, despite the helpful advice of the folks here, and set up two separate backup systems, one inside and one outside the firewall. Adding to my frustration is the fact that I don't administer the firewall, and can't verify directly that what I requested was implemented.

Now, I'm trying again to back up all my hosts with just one Amanda system. My tapehost 'centernet' is trying to back up hosts 'admin' and 'mailinglists' in addition to itself, inside the firewall, and hosts 'www' and 'real' outside the firewall.

I've read and tried to follow the advice given to others in this situation. I changed the file common-src/security.c to comment out the section where the port number is checked. I also used the script, first given here, pasted in at the end of this note, to configure Amanda on both the server and the clients.

I have the new Amanda system (tapehost inside the firewall) working on all the other hosts inside the firewall, but it times out with the hosts outside the firewall. When I amcheck it, I don't get anything written in either the working or non-working clients, in either /tmp/Amanda or /tmp/Amanda-dbg.

Can anyone suggest any diagnostic tools or methods that I can use to verify that the firewall is set up the way I requested? I've tried to use 'netcat' in the past to verify proper transmission through a firewall, but don't understand how I could use it in this case, as I don't know what port the firewall will NAT the request to.
I'm not getting any diagnostic messages in any of the logs I've looked at, on either the host or clients. Any suggestions?

Thanks for all your help and advice.

-Kevin Zembower

=============================================
[EMAIL PROTECTED]:~$ cat configure_amanda.sh
#!/bin/sh
# since I'm always forgetting to su amanda...
if [ `whoami` != 'amanda' ]; then
    echo
    echo "!!!!!!!!!!!! Warning !!!!!!!!!!!!"
    echo "Amanda needs to be configured and built by the user amanda,"
    echo "but must be installed by user root."
    echo
    exit 1
fi

echo "!!!!!!!!!!!! Warning !!!!!!!!!!!!"
echo "Did you remember to make the changes in common_src/security.c"
echo "to disable the port check, to allow amanda to work through a"
echo "NATted firewall like CCP's?"
echo

make clean
rm -f config.status config.cache
# The port-range options pin Amanda to fixed ports so the firewall rules can match them.
../configure --with-user=amanda \
    --with-group=disk \
    --with-owner=amanda \
    --with-tape-device=/dev/nst0 \
    --prefix=/usr/local \
    --with-portrange=10080,10083 \
    --with-tcpportrange=10080,10083 \
    --with-udpportrange=850,854 \
    --with-debugging=/tmp/amanda-dbg/ \
    --with-config=DBackup \
    --with-smbclient=/usr/bin/smbclient \
    --with-configdir=/etc/amanda
[EMAIL PROTECTED]:~$
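Kevin asks for a diagnostic that verifies, from the tape server, whether the firewall passes the Amanda ports Don lists. The script below is an added example, not code from the Amanda project or from either poster. It probes each client's three well-known service ports (UDP/10080 control, TCP/10082 index, TCP/10083 tape) and reports each as open, refused or silent, which separates "packet reached the host, nothing listening" from "packet dropped in the firewall". The probe payload is constructed and amandad will not answer it, so a "silent" UDP result means either a drop or a listener that ignored the datagram; a "refused" result proves the path itself is open. The client names in main() are the ones from the thread, used here as placeholders, and the dynamically chosen TCP and UDP port ranges are not probed unless passed in explicitly.

```python
"""Reachability probe for the Amanda service ports discussed in this thread.

Added example, not Amanda project code. Run on the tape server against each
client; port numbers are the well-known ones from docs/PORT.USAGE as quoted
in the thread. Host names in main() are placeholders taken from the thread.
"""
import socket
import sys

# Well-known Amanda ports from the thread.
AMANDA_TCP_PORTS = {10082: "index service", 10083: "tape service"}
AMANDA_UDP_PORT = 10080


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes before timeout.

    A refused connection means the packet reached the host but nothing
    listens; a timeout usually means a firewall dropped it. Both come back
    as False, so a False for 10082/10083 needs a look at the client's log.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_port_state(host, port, timeout=3.0, payload=b"amanda-firewall-probe"):
    """Classify a UDP port as 'answered', 'refused', 'silent' or 'error'.

    UDP has no handshake, so only a reply proves the path is open. The
    socket is connected so that an ICMP port-unreachable surfaces as
    ConnectionRefusedError; silence means filtered, or a listener that
    ignores unexpected datagrams (amandad will not answer this probe).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            sock.send(payload)  # constructed probe payload
            sock.recv(1024)
            return "answered"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "silent"
        except OSError:
            return "error"  # e.g. name resolution failure


def check_client(host, tcp_ports=None, udp_port=AMANDA_UDP_PORT, timeout=3.0):
    """Probe one client; returns {'tcp/10082': bool, ..., 'udp/10080': state}."""
    tcp_ports = AMANDA_TCP_PORTS if tcp_ports is None else tcp_ports
    results = {}
    for port in tcp_ports:
        results[f"tcp/{port}"] = tcp_port_open(host, port, timeout)
    results[f"udp/{udp_port}"] = udp_port_state(host, udp_port, timeout)
    return results


def main(argv):
    # Placeholder client names from the thread; pass real hosts on the command line.
    hosts = argv[1:] or ["www", "real"]
    for host in hosts:
        for name, state in check_client(host).items():
            print(f"{host:15} {name:10} {state}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as the backup user on the tape server with the client names as arguments. A TCP port that is open from inside the firewall but closed from the server, or a UDP port that is refused from inside but silent from the server, points at the firewall rule set rather than at the Amanda build; that is the kind of evidence the firewall team can act on.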