Client in DMZ - Howto revisited
Post Client in DMZ - Howto revisited 
Gentlemen (and Ladies), I'm confused.

After perusing the list archives, Googling, etc., I'm still not clear on
what's necessary to establish a backup across a firewall and/or to
debug the process.

My firewall presently allows unfiltered egress from the Trusted segment
(where the server lives) to the DMZ (where the subject client lives).
The literature suggests (to me) that the only communication initiated by
the client is UDP and can be controlled with (from my .configure):

--with-udpportrange=850,859

I've modified the firewall ruleset to allow the client to send udp
packets through ports 850-859, but I'm still getting timeouts along the
lines of:

FAILURE AND STRANGE DUMP SUMMARY:
persephone /dev/md/rdsk/d3 lev 0 FAILED [Estimate timeout from persephone]
persephone /dev/md/rdsk/d2 lev 0 FAILED [Estimate timeout from persephone]
persephone /dev/md/rdsk/d0 lev 0 FAILED [Estimate timeout from persephone]

The amandad.debug files on the client (persephone) don't give me any
insights.

What am I missing? Thanks all,

-john

Post Client in DMZ - Howto revisited 
On Sat, Jun 05, 2004 at 11:21:43AM -0700, John Bossert wrote:

I've never done this and am unsure of my answer,
so I'm mailing off-list.

Amanda needs some ports available for the initial contact.
These need to be in the special range below 1024, and I think
they need to be UDP.

This part you have done.
(Note: it must be on client and server, I think.)

But after the initial contact and authentication,
Amanda also needs TCP ports in the non-special range.
That is where the backup travels.
So you will have to also open up those firewall ports
and configure with them.

--
Jon H. LaBadie jon < at > jgcomp.com
JG Computing
4455 Province Line Road (609) 252-0159
Princeton, NJ 08540-4322 (609) 683-7220 (fax)

Post Client in DMZ - Howto revisited 
On Sat, Jun 05, 2004 at 03:03:21PM -0400, Jon LaBadie wrote:

Whoops, hit the wrong key.

If any of the info is inaccurate,
please someone correct it for the list.


--
Jon H. LaBadie jon < at > jgcomp.com
JG Computing
4455 Province Line Road (609) 252-0159
Princeton, NJ 08540-4322 (609) 683-7220 (fax)

Post Client in DMZ - Howto revisited 
Thanks for the note, Jon.

I am looking for specifics from someone who's done this, with specifics
for --with-udpportrange and --with-portrange (and --with-tcpportrange
if necessary). Also, does this necessitate a corresponding change in
/etc/services?

If I add "--with-tcpportrange=850,859" or "--with-portrange=850-859",
configure complains with:

configure: WARNING: *** the TCP port range should be 1024 or greater in --with-tcpportrange

So, does this imply that one (or both) of these parameters needs to be
set to a non-privileged range and (at least) TWO separate ranges opened
on the firewall?

Thanks,

--
John BOSSERT
Affidian Corporation
jbossert < at > affidian.com
office: 206.388.0219

Theory is when you know everything and nothing works.
Practice is when everything works and nobody knows why.
Here, we have combined theory and practice: nothing works... and
nobody knows why!
[Einstein]

Post Client in DMZ - Howto revisited 
--On Saturday, June 05, 2004 17:13:34 -0700 John Bossert <jbossert < at > affidian.com> wrote:

I'm using Amanda to back up some servers through a firewall. I configured
Amanda with --with-tcpportrange=40000,40030 --with-udpportrange=920,940.
Nothing magic about those ports; they just didn't seem likely to be in
use here. The tcp ports need to be > 1024 and the udp ports < 1024.
Somewhere in docs/PORT.USAGE it has some guidelines on how big the range
needs to be based on the number of clients backed up in parallel.
My firewall rules allow those ports between the clients and server, and also
allow udp 10080.

/etc/services needs to remain as-is.

If your firewall is running netfilter (iptables) on a recent Linux kernel
you can just compile it with Amanda support and not have to worry about
compiling Amanda with special portranges.

Watching the firewall logs while attempting a backup should show you
if there's a firewall problem, although I realize that if it's not
under your control it can be difficult to get access to the logs.

Frank

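As an added example (not code from this thread or from Amanda itself), a small Python helper that parses the --with-udpportrange / --with-tcpportrange values discussed above, applies the constraints Jon and Frank describe (UDP range below 1024, TCP range at or above 1024, the same check configure's warning enforces), and emits the netfilter FORWARD rules a firewall between the Trusted segment and the DMZ would need for those ranges. The traffic direction in the rules (server sends the request from its UDP range to client port 10080, then connects to the client's TCP range for the data) is an assumption drawn from Amanda 2.4 behaviour, and the addresses are constructed.

```python
import re

PRIVILEGED_MAX = 1023    # ports below 1024 are root-only on Unix; Amanda's UDP range must live there
AMANDA_UDP_PORT = 10080  # amanda/udp, the port amandad listens on (Frank's rules allow it too)


def parse_range(option):
    """Parse '--with-udpportrange=850,859' or '--with-tcpportrange=40000,40030'
    into (proto, low, high). The comma form from the thread and a dash are accepted."""
    m = re.fullmatch(r"--with-(udp|tcp)portrange=(\d+)[,-](\d+)", option)
    if not m:
        raise ValueError(f"not a recognised port-range option: {option}")
    proto, low, high = m.group(1), int(m.group(2)), int(m.group(3))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port bounds in {option}")
    return proto, low, high


def check_ranges(udp, tcp):
    """Apply the constraints the thread settles on: UDP range entirely below
    1024, TCP range entirely at or above 1024 (the warning configure printed)."""
    problems = []
    if udp[2] > PRIVILEGED_MAX:
        problems.append("UDP port range must lie below 1024")
    if tcp[1] <= PRIVILEGED_MAX:
        problems.append("the TCP port range should be 1024 or greater")
    return problems


def iptables_rules(server, client, udp, tcp):
    """Emit stateful FORWARD rules for a firewall between the trusted segment
    (server) and the DMZ (client). Direction is an assumption from Amanda 2.4:
    the server sends from its UDP range to client port 10080, then connects to
    the client's TCP range for the backup data; replies ride on ESTABLISHED."""
    _, ulo, uhi = udp
    _, tlo, thi = tcp
    return [
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        (f"iptables -A FORWARD -p udp -s {server} --sport {ulo}:{uhi} "
         f"-d {client} --dport {AMANDA_UDP_PORT} -m state --state NEW -j ACCEPT"),
        (f"iptables -A FORWARD -p tcp -s {server} -d {client} "
         f"--dport {tlo}:{thi} -m state --state NEW -j ACCEPT"),
    ]


if __name__ == "__main__":
    # Frank's working combination from the thread; the addresses are constructed.
    udp = parse_range("--with-udpportrange=920,940")
    tcp = parse_range("--with-tcpportrange=40000,40030")
    print(check_ranges(udp, tcp) or "ranges OK")
    print("\n".join(iptables_rules("192.0.2.10", "198.51.100.20", udp, tcp)))
```

Feeding it John's attempted 850,859 TCP range reproduces the same complaint configure printed, which is the quickest way to see why two distinct ranges (and two firewall openings) are needed.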