Kaushal Shriyan (Guest)
Subject: Amanda Through firewall
Can I allow the amanda backup server to talk through a firewall for accessing
an amanda client host? Is there any way out?
Any help?
--
Regards,
Kaushal Shriyan
Technical Engineer
Red Hat India Pvt. Ltd.
Tel : +91-22-22881326/27
Fax : +91-22-22881318
Posted: Mon Jul 12, 2004 8:52 pm

Bert_De_Ridder (Guest)
Subject: Amanda Through firewall
There is an excellent how-to about this in the Amanda Faq-O-Matic:
http://amanda.sourceforge.net/cgi-bin/fom?_highlightWords=10080&file=139
HTH
Bert De Ridder
PeopleWare NV - Head Office
Cdt.Weynsstraat 85
B-2660 Hoboken
Tel: +32 3 448.33.38
Fax: +32 3 448.32.66
PeopleWare NV - Branch Office Geel
Kleinhoefstraat 5
B-2440 Geel
Tel: +32 14 57.00.90
Fax: +32 14 58.13.25
http://www.peopleware.be
http://www.mobileware.be
Kaushal Shriyan <kshriyan < at > redhat.com> wrote on 13/07/2004 06:48 to amanda-users < at > amanda.org (subject: Amanda Through firewall):
> Can I allow the amanda backup server to talk through a firewall for accessing
> an amanda client host? Is there any way out?
> Any help?
Posted: Mon Jul 12, 2004 9:57 pm

Paul Bijnens (Guest)
Subject: Amanda Through firewall
Kaushal Shriyan wrote:
> Can I allow the amanda backup server to talk through a firewall for accessing
> an amanda client host? Is there any way out?
The general answer is to recompile amanda with a dedicated port range
and open those ports in the firewall. See the explanation in
docs/PORT.USAGE.
If the firewall is running Linux, it could be as easy as loading the
amanda netfilter modules "ip_conntrack_amanda" and maybe "ip_nat_amanda".
Beware of the 2.6.6-rc2 kernel, which is reported to give some trouble:
http://www.mail-archive.com/amanda-users < at > amanda.org/msg26094.html
I've not yet verified this.
Personally I use a third option (until I get my firewall upgraded
to use the amanda netfilter modules). My firewall does simple
connection tracking and NAT.
I commented out this block in common-src/security.c:
    /* next, make sure the remote port is a "reserved" one */
    /* Avoid trouble with NAT changing reserved ports into random ports
    if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
        ap_snprintf(number, sizeof(number), "%d", ntohs(addr->sin_port));
        *errstr = vstralloc("[",
                            "host ", remotehost, ": ",
                            "port ", number, " not secure",
                            "]", NULL);
        amfree(remotehost);
        return 0;
    }
    */
It's because of NAT that ports below 1024 get translated to some
arbitrary high number. The security of this check is marginal in
these times when everyone can be root and use reserved ports on his
hackerbox.
With this setup, I only have to open ports from my amanda server to
the DMZ hosts. All the rest is taken care of by the normal connection
tracking. (Correct me if I missed something.)
--
Paul Bijnens, Xplanation Tel +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512
http://www.xplanation.com/ email: Paul.Bijnens < at > xplanation.com
***********************************************************************
* I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, *
* PF4, F20, ^X^X,  :  , KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, *
* kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ... "Are you sure?" ... YES ... Phew ... I'm out *
***********************************************************************
Posted: Tue Jul 13, 2004 12:35 am

Gene Heskett (Guest)
Subject: Amanda Through firewall
On Tuesday 13 July 2004 00:48, Kaushal Shriyan wrote:
> Can I allow the amanda backup server to talk through a firewall for
> accessing an amanda client host? Is there any way out?
> Any help?
You'll have to open up some high-numbered ports. I think it's in the
docs as to which ones, and which protocol.
I really should let those who are doing it answer these questions; my
whole system is behind a firewall, so the machines don't have to
worry about that, leaving me inexperienced at advising.
--
Cheers, Gene
There are 4 boxes to be used in defense of liberty.
Soap, ballot, jury, and ammo.
Please use in that order, starting now. -Ed Howdershelt, Author
Additions to this message made by Gene Heskett are Copyright 2004,
Maurice E. Heskett, all rights reserved.
Posted: Tue Jul 13, 2004 1:01 am

Andreas Sundstrom (Guest)
Subject: Amanda Through firewall
Paul Bijnens wrote:
> Kaushal Shriyan wrote:
> > Can I allow the amanda backup server to talk through a firewall for accessing
> > an amanda client host? Is there any way out?
> The general answer is to recompile amanda with a dedicated port range
> and open those ports in the firewall. See the explanation in
> docs/PORT.USAGE.
> If the firewall is running Linux, it could be as easy as loading the
> amanda netfilter modules "ip_conntrack_amanda" and maybe "ip_nat_amanda".
> Beware of the 2.6.6-rc2 kernel, which is reported to give some trouble:
> http://www.mail-archive.com/amanda-users < at > amanda.org/msg26094.html
> I've not yet verified this.
Just a quick note here: the actual change that broke it was between
2.6.6-rc1 and 2.6.6-rc2. 2.6.7 still messes things up for me if I load the
amanda nat modules.
/Andreas
Posted: Tue Jul 13, 2004 1:26 am

Paul Bijnens (Guest)
Subject: Amanda Through firewall
Following up on myself...
Paul Bijnens wrote:
> Personally I use a third option (until I get my firewall upgraded
> to use the amanda netfilter modules). My firewall does simple
> connection tracking and NAT.
> I commented out this block in common-src/security.c:
>     /* next, make sure the remote port is a "reserved" one */
>     /* Avoid trouble with NAT changing reserved ports into random ports
>     if(ntohs(addr->sin_port) >= IPPORT_RESERVED) {
>         ap_snprintf(number, sizeof(number), "%d", ntohs(addr->sin_port));
>         *errstr = vstralloc("[",
>                             "host ", remotehost, ": ",
>                             "port ", number, " not secure",
>                             "]", NULL);
>         amfree(remotehost);
>         return 0;
>     }
>     */
> It's because of NAT that ports below 1024 get translated to some
> arbitrary high number. The security of this check is marginal in
> these times when everyone can be root and use reserved ports on his
> hackerbox.
> With this setup, I only have to open ports from my amanda server to
> the DMZ hosts. All the rest is taken care of by the normal connection
> tracking. (Correct me if I missed something.)
Using the standard ip_conntrack module, you have to live with the
standard, rather short UDP connection tracking timeout (5 minutes, I believe).
For amanda this means that all the estimates must be finished within
that timeframe.
When using the netfilter module ("ip_conntrack_amanda master_timeout=3600")
you can increase this timeout as you please.
--
Paul Bijnens, Xplanation Tel +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512
http://www.xplanation.com/ email: Paul.Bijnens < at > xplanation.com
Posted: Tue Jul 13, 2004 4:54 am

Paul Bijnens (Guest)
Subject: Amanda Through firewall
Paul Bijnens wrote:
> Following up on myself...
Again :-)
Paul Bijnens wrote:
> Using the standard ip_conntrack module, you have to live with the
> standard, rather short UDP connection tracking timeout (5 minutes, I
> believe).
It is 3 minutes.
From /usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_udp.c:
    #define UDP_TIMEOUT (30*HZ)
    #define UDP_STREAM_TIMEOUT (180*HZ)
The first is for unreplied UDP packets, the second for UDP packets
that did get a reply (yes, amanda ACKs the request for an estimate
before starting the estimate itself).
--
Paul Bijnens, Xplanation Tel +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512
http://www.xplanation.com/ email: Paul.Bijnens < at > xplanation.com
Posted: Tue Jul 13, 2004 5:02 am
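As an added example (not code from this thread, from Amanda or from the netfilter project) of the setup Paul describes across his posts: load the Amanda conntrack helper with a long master_timeout instead of living with the 180 s UDP stream timeout, let connection tracking admit the replies and the client's expected data connections, and open only the server-to-DMZ request port by hand. It assumes a Linux firewall that forwards between the server and the DMZ, constructed placeholder addresses 192.0.2.10 and 198.51.100.0/24, and Amanda's udp/10080 request port; IPT and MODPROBE can be pointed at echo to preview the commands.

```shell
#!/bin/sh
# Added example, not from the thread: netfilter rules for an Amanda server
# reaching clients in a DMZ, in the style Paul describes. The addresses
# below are constructed placeholders; override them via the environment.
AMANDA_SERVER="${AMANDA_SERVER:-192.0.2.10}"
DMZ_NET="${DMZ_NET:-198.51.100.0/24}"
AMANDA_PORT=10080                          # Amanda's UDP request port
MASTER_TIMEOUT="${MASTER_TIMEOUT:-3600}"   # seconds; stock UDP stream timeout is 180
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# Print the commands one per line so the rule set can be reviewed before
# it is applied.
amanda_fw_rules() {
    # The helper tracks the Amanda request and expects the client's data
    # connections back; master_timeout keeps that expectation alive while
    # slow estimates run instead of the stock 180 s UDP stream timeout.
    echo "$MODPROBE ip_conntrack_amanda master_timeout=$MASTER_TIMEOUT"
    # Only needed when the firewall also NATs the Amanda traffic.
    echo "$MODPROBE ip_nat_amanda"
    # Replies and helper-expected (RELATED) connections pass, so nothing
    # from the DMZ toward the server has to be opened by hand.
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The one explicitly opened path: server -> DMZ clients, udp/10080.
    echo "$IPT -A FORWARD -p udp -s $AMANDA_SERVER -d $DMZ_NET --dport $AMANDA_PORT -m state --state NEW -j ACCEPT"
    # Any other new connection from the DMZ to the server is dropped.
    echo "$IPT -A FORWARD -s $DMZ_NET -d $AMANDA_SERVER -m state --state NEW -j DROP"
}

# Execute the printed commands (needs root on the firewall).
amanda_fw_apply() {
    amanda_fw_rules | while read -r cmd; do
        $cmd || exit 1
    done
}

# Sanity check for review: exactly one rule should open a NEW path.
amanda_fw_new_accepts() {
    amanda_fw_rules | grep -c -- '--state NEW -j ACCEPT'
}
```

Run with IPT="echo iptables" MODPROBE="echo modprobe" to see the commands without touching the firewall; the ACK the client sends to the request is what moves the entry to the stream timeout Paul quotes.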

Andreas Sundstrom (Guest)
Subject: Amanda Through firewall
Andreas Sundstrom wrote:
> Paul Bijnens wrote:
> > Kaushal Shriyan wrote:
> > > Can I allow the amanda backup server to talk through a firewall for accessing
> > > an amanda client host? Is there any way out?
> > The general answer is to recompile amanda with a dedicated port range
> > and open those ports in the firewall. See the explanation in
> > docs/PORT.USAGE.
> > If the firewall is running Linux, it could be as easy as loading the
> > amanda netfilter modules "ip_conntrack_amanda" and maybe "ip_nat_amanda".
> > Beware of the 2.6.6-rc2 kernel, which is reported to give some trouble:
> > http://www.mail-archive.com/amanda-users < at > amanda.org/msg26094.html
> > I've not yet verified this.
> Just a quick note here: the actual change that broke it was between
> 2.6.6-rc1 and 2.6.6-rc2. 2.6.7 still messes things up for me if I load the
> amanda nat modules.
It seems this might be fixed now; I noticed that some changes were committed
to 2.6.8-rc1 regarding the amanda conntrack stuff. So I searched the devel
archives for netfilter and came up with this:
http://lists.netfilter.org/pipermail/netfilter-devel/2004-June/015806.html
I haven't tried it, but I think it fixes the problem introduced between
2.6.6-rc1 and 2.6.6-rc2.
/Andreas
Posted: Wed Jul 14, 2004 6:16 am