On Tue, Jun 26, 2007 at 10:38:33AM -0400, Zembower, Kevin enlightened us:
> Kevin, thanks so much. You were right on the money. Disabling the
> firewall completely allowed amcheck to work correctly.
>
> If you have some additional patience, I could use a hand trying to
> configure the firewall rules correctly on my amanda client. I tried to
> follow the directions at
> http://wiki.zmanda.com/index.php/How_To:Set_Up_iptables_for_Amanda to
> set up this rule on tobaccodev, my amanda client. This combines the
> amanda rule with the rules I set up using the firewall GUI in CentOS5
> (RHEL5):
>
> [EMAIL PROTECTED] ~]# iptables -t filter -I INPUT 1 -p udp -m udp -s centernet.jhuccp.org --dport 10080:10083 -j ACCEPT
> [EMAIL PROTECTED] ~]# service iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target               prot opt source           destination
> 1    ACCEPT               udp  --  10.253.192.205   0.0.0.0/0      udp dpts:10080:10083
> 2    RH-Firewall-1-INPUT  all  --  0.0.0.0/0        0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> num  target               prot opt source           destination
> 1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0        0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num  target               prot opt source           destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> num  target  prot opt source      destination
> 1    ACCEPT  all  --  0.0.0.0/0   0.0.0.0/0
> 2    ACCEPT  icmp --  0.0.0.0/0   0.0.0.0/0    icmp type 255
> 3    ACCEPT  esp  --  0.0.0.0/0   0.0.0.0/0
> 4    ACCEPT  ah   --  0.0.0.0/0   0.0.0.0/0
> 5    ACCEPT  udp  --  0.0.0.0/0   224.0.0.251  udp dpt:5353
> 6    ACCEPT  udp  --  0.0.0.0/0   0.0.0.0/0    udp dpt:631
> 7    ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:631
> 8    ACCEPT  all  --  0.0.0.0/0   0.0.0.0/0    state RELATED,ESTABLISHED
> 9    ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    state NEW tcp dpt:21
> 10   ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    state NEW tcp dpt:25
> 11   ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    state NEW tcp dpt:22
> 12   ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    state NEW tcp dpt:443
> 13   ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    state NEW tcp dpt:23
> 14   ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    state NEW tcp dpt:80
> 15   REJECT  all  --  0.0.0.0/0   0.0.0.0/0    reject-with icmp-host-prohibited
>
> Here's an example of a no-error 'amcheck -c DBackup tobaccodev' from the
> tapeserver:
>
> [EMAIL PROTECTED] ~]# tcpdump -nn src or dst centernet and port amanda
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:28:58.190591 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 123
> 10:28:58.210814 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 50
> 10:28:58.212936 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 87
> 10:28:58.214318 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 50
> 10:28:58.216532 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 299
> 10:28:58.223632 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 50
> 10:28:58.233581 IP 10.253.192.217.10080 > 10.253.192.205.854: UDP, length 527
> 10:28:58.235018 IP 10.253.192.205.854 > 10.253.192.217.10080: UDP, length 50
>
> 8 packets captured
> 20 packets received by filter
> 0 packets dropped by kernel
> [EMAIL PROTECTED] ~]#
>
> I had to insert the rule to allow amanda packets in _before_ the
> RH-Firewall-1-INPUT rule to make it work. This tests correctly with
> amcheck, but I haven't tried an actual dump yet.
>
> If someone with some amanda firewall rule writing experience could check
> and confirm my work, I'll write an addendum to the Zmanda article with my
> example, for other CentOS and RHEL users.
>
> Thanks, again, Kevin, for your advice and suggestions.
>
> -Kevin
On my CentOS client systems, I modify /etc/sysconfig/iptables-config to read:

IPTABLES_MODULES="ip_conntrack_ftp ip_conntrack_amanda"

And simply allow udp 10080 from the server (in /etc/sysconfig/iptables):

-A INPUT -s 192.168.1.1 -d 192.168.1.30 -p udp -m udp --dport 10080 -j ACCEPT

On the server I also allow tcp 10082 and 10083.

On my bridging firewall, I modify /etc/modprobe.conf to include a longer timeout:

options ip_conntrack_amanda master_timeout=2400

That works for me...

Matt

-- 
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263
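The ordering point Kevin ran into (the Amanda ACCEPT has to sit before the jump to RH-Firewall-1-INPUT, because that subchain ends in a REJECT and anything appended after the jump is never reached) can be checked mechanically from the `service iptables status` listing. The script below is an added example, not code from either poster; it parses the numbered INPUT chain with awk and reports whether the Amanda UDP rule precedes the jump. The two sample listings are constructed for the example, the first modelled on Kevin's output with the subchain shortened, the second showing what `-A` instead of `-I INPUT 1` would have produced.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that an Amanda ACCEPT rule
# in chain INPUT comes before the jump to RH-Firewall-1-INPUT. That subchain
# ends in a REJECT, so an Amanda rule appended after the jump never matches,
# which is why Kevin needed "-I INPUT 1".
# Input: the numbered listing printed by "service iptables status"
# (same layout as "iptables -L -n --line-numbers").

# Usage: amanda_rule_before_rhjump LISTING_FILE
# Prints "ok" (exit 0) when the first Amanda UDP rule (dpt:10080 or
# dpts:10080:10083) in INPUT precedes the RH-Firewall-1-INPUT jump,
# "misordered" (exit 1) when it follows it, and "missing" (exit 1) when
# either rule is absent. Only chain INPUT is inspected.
amanda_rule_before_rhjump() {
    awk '
        /^Chain /         { chain = $2; next }     # track the chain being listed
        chain != "INPUT"  { next }
        $1 !~ /^[0-9]+$/  { next }                 # skip "num target ..." header lines
        $2 == "ACCEPT" && $3 == "udp" && /dpts?:1008[0-3]/ && !amanda { amanda = $1 }
        $2 == "RH-Firewall-1-INPUT" && !rh { rh = $1 }
        END {
            if (!amanda || !rh)      { print "missing";    exit 1 }
            if (amanda + 0 < rh + 0) { print "ok";         exit 0 }
            print "misordered"; exit 1
        }' "$1"
}

# Constructed sample listings (addresses copied from the thread; the
# RH-Firewall-1-INPUT subchain is shortened to its essential rules).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.txt" <<'EOF'
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot opt source           destination
1    ACCEPT               udp  --  10.253.192.205   0.0.0.0/0    udp dpts:10080:10083
2    RH-Firewall-1-INPUT  all  --  0.0.0.0/0        0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
num  target  prot opt source      destination
1    ACCEPT  all  --  0.0.0.0/0   0.0.0.0/0    state RELATED,ESTABLISHED
2    REJECT  all  --  0.0.0.0/0   0.0.0.0/0    reject-with icmp-host-prohibited
EOF

# Same rules, but the Amanda rule was appended (-A) instead of inserted (-I).
cat > "$SAMPLE_DIR/bad.txt" <<'EOF'
Table: filter
Chain INPUT (policy ACCEPT)
num  target               prot opt source           destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0        0.0.0.0/0
2    ACCEPT               udp  --  10.253.192.205   0.0.0.0/0    udp dpts:10080:10083

Chain RH-Firewall-1-INPUT (2 references)
num  target  prot opt source      destination
1    ACCEPT  all  --  0.0.0.0/0   0.0.0.0/0    state RELATED,ESTABLISHED
2    REJECT  all  --  0.0.0.0/0   0.0.0.0/0    reject-with icmp-host-prohibited
EOF

amanda_rule_before_rhjump "$SAMPLE_DIR/good.txt"   # ok
amanda_rule_before_rhjump "$SAMPLE_DIR/bad.txt" || echo "(rule 2 is never reached: rule 1 jumps to a chain that rejects NEW packets)"
```

Run it against a saved `service iptables status` (or `iptables -L -n --line-numbers`) capture from the client; it only looks at the INPUT chain, so a listing that also carries FORWARD and OUTPUT, as Kevin's does, is handled the same way.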