Does anybody have an example of rules to allow an amanda backup server to access the firewall (amanda-client)?

I have the following in my rules:

# Amanda - backups
ACCEPT loc:146.232.128.185 fw tcp 10080
ACCEPT loc:146.232.128.185 fw tcp 10081
ACCEPT loc:146.232.128.185 fw tcp 10082
ACCEPT loc:146.232.128.185 fw udp 10080
ACCEPT loc:146.232.128.185 fw udp 10081
ACCEPT loc:146.232.128.185 fw udp 10082
ACCEPT fw loc:146.232.128.185 tcp 10080
ACCEPT fw loc:146.232.128.185 udp 10080
ACCEPT fw loc:146.232.128.185 tcp 10081
ACCEPT fw loc:146.232.128.185 udp 10081
ACCEPT fw loc:146.232.128.185 tcp 10082
ACCEPT fw loc:146.232.128.185 udp 10082
ACCEPT fw loc:146.232.128.185 udp 838
ACCEPT fw loc:146.232.128.185 udp 856

The last two lines were added after I saw in the logs that the amanda server was denied access on those ports. But today other ports were added in the logs (I have removed duplicate port-entries):

Jun 14 16:47:52 mail3 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=146.232.128.106 DST=146.232.128.185 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10080 DPT=577 LEN=58
Jun 15 07:11:00 mail3 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=146.232.128.106 DST=146.232.128.185 LEN=468 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10080 DPT=957 LEN=448
Jun 15 07:30:00 mail3 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=146.232.128.106 DST=146.232.128.185 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10080 DPT=605 LEN=58

Regards
Johann
-- 
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

     "Cease from anger, and forsake wrath; do not fret- it leads
      only to evil."        Psalms 37:8
Check this out.. http://berdmann.dyndns.org/doc/amanda/PORT.USAGE

Scroll down to "Firewalls and NAT" section.

HTH's,

Joshua Banks
----- Original Message -----
From: "Joshua Banks"

And of course having Amanda support selected in the Kernel will help. :D

> Check this out.. http://berdmann.dyndns.org/doc/amanda/PORT.USAGE
>
> Scroll down to "Firewalls and NAT" section.
>
> HTH's,
>
> Joshua Banks
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Joshua Banks wrote:
> ----- Original Message -----
> From: "Joshua Banks"
>
> And of course having Amanda support selected in the Kernel will help. :D

Most distributions' kernels include Amanda support built as a module. That support can be enabled by adding the following lines to /etc/shorewall/modules:

loadmodule ip_conntrack_amanda
loadmodule ip_nat_amanda

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Most distributions' kernels include Amanda support built as a module.
> That support can be enabled by adding the following lines to
> /etc/shorewall/modules:
>
> loadmodule ip_conntrack_amanda
> loadmodule ip_nat_amanda

That's one of the reasons I switched from ManDrake to Gentoo. It seemed as though everything was turned on by default if you wanted to run servers or a firewall/router in the initial setup. Just my 2 cents.

Joshua Banks
On Tue, Jun 15, 2004 at 06:51:40AM -0700, Tom Eastep wrote:
> Most distributions' kernels include Amanda support built as a module.
> That support can be enabled by adding the following lines to
> /etc/shorewall/modules:
>
> loadmodule ip_conntrack_amanda
> loadmodule ip_nat_amanda

Thanks. I did install those modules, but the same problem persists. Yesterday was a public holiday in South Africa so I did not experiment further.

I have now

Module                  Size  Used by    Not tainted
ip_nat_amanda           1184   0  (unused)
ip_conntrack_amanda     1504   1
ipt_TOS                 1120  12  (autoclean)
ipt_LOG                 3360   8  (autoclean)
ipt_state                608  62  (autoclean)
ip_nat_irc              2464   0  (unused)
ip_nat_ftp              3136   0  (unused)
ip_conntrack_irc        3200   1  [ip_nat_irc]
ip_conntrack_ftp        3936   1  [ip_nat_ftp]
ipt_conntrack           1120  31  (autoclean)
iptable_mangle          2272   1  (autoclean)
iptable_nat            17556   4  (autoclean) [ip_nat_amanda ip_nat_irc ip_nat_ftp]
ip_conntrack           21940   3  (autoclean) [ip_nat_amanda ip_conntrack_amanda ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]

I am not sure how this influences the rules for amanda...

I have read the document Joshua was referring to but that did not help me to get a solution - it just helped me to realise the solution is probably not very simple. To do what it suggests would probably require me to recompile the amanda server which is elsewhere on the network. I would like to prevent that.

Regards
Johann
-- 
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

     "Many are the afflictions of the righteous; but the LORD
      delivereth him out of them all."     Psalms 34:19
Johann Spies wrote:
> On Tue, Jun 15, 2004 at 06:51:40AM -0700, Tom Eastep wrote:
>
>> Most distributions' kernels include Amanda support built as a module.
>> That support can be enabled by adding the following lines to
>> /etc/shorewall/modules:
>>
>> loadmodule ip_conntrack_amanda
>> loadmodule ip_nat_amanda
>
> Thanks. I did install those modules, but the same problem persists.
> Yesterday was a public holiday in South Africa so I did not experiment
> further.

> I have read the document Joshua was referring to but that did not help
> me to get a solution - it just helped me to realise the solution is
> probably not very simple. To do what it suggests would probably
> require me to recompile the amanda server which is elsewhere on the
> network. I would like to prevent that.

I have no experience with the Amanda helper modules so I can't advise you from experience. If you just want to get it working though, you can always brute force a solution:

ACCEPT fw loc:<amanda server IP> all
ACCEPT loc:<amanda server IP> fw all

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> ...
>>
>>> Most distributions' kernels include Amanda support built as a module.
>>> That support can be enabled by adding the following lines to
>>> /etc/shorewall/modules:
>>>
>>> loadmodule ip_conntrack_amanda
>>> loadmodule ip_nat_amanda
>>
>> ...
>
> I have no experience with the Amanda helper modules so I can't advise
> you from experience. If you just want to get it working though, you can
> always brute force a solution:
>
> ACCEPT fw loc:<amanda server IP> all
> ACCEPT loc:<amanda server IP> fw all

I'm backing up using just this rule and the above kernel modules:

ACCEPT backup fw udp 10080

I haven't tested my restore yet. :-)
-- 
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.
On Mon, Jun 21, 2004 at 07:56:08AM +1000, Paul Gear wrote:
> Tom Eastep wrote:
>> ...
>>
>> ACCEPT fw loc:<amanda server IP> all
>> ACCEPT loc:<amanda server IP> fw all
>
> I'm backing up using just this rule and the above kernel modules:
>
> ACCEPT backup fw udp 10080
>
> I haven't tested my restore yet. :-)

Thanks for your help.

As my efforts accumulated, I have now:

# Amanda - backups
ACCEPT loc:<ip> fw tcp 10080
ACCEPT loc:<ip> fw tcp 10081
ACCEPT loc:<ip> fw tcp 10082
ACCEPT loc:<ip> fw udp 10080
ACCEPT loc:<ip> fw udp 10081
ACCEPT loc:<ip> fw udp 10082
ACCEPT fw loc:<ip> tcp 10080
ACCEPT fw loc:<ip> udp 10080
ACCEPT fw loc:<ip> tcp 10081
ACCEPT fw loc:<ip> udp 10081
ACCEPT fw loc:<ip> tcp 10082
ACCEPT fw loc:<ip> udp 10082
ACCEPT fw loc:<ip> udp 500:1024 10080

and it works.

I will probably later experiment by taking away some of the rules.

Regards
Johann
-- 
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

     "Honour thy father and mother; which is the first commandment
      with promise; That it may be well with thee, and thou mayest
      live long on the earth."     Ephesians 6:2,3
Johann Spies wrote:
> ...
> As my efforts accumulated, I have now:
>
> # Amanda - backups
> ACCEPT loc:<ip> fw tcp 10080
> ACCEPT loc:<ip> fw tcp 10081
> ACCEPT loc:<ip> fw tcp 10082
> ACCEPT loc:<ip> fw udp 10080
> ACCEPT loc:<ip> fw udp 10081
> ACCEPT loc:<ip> fw udp 10082
> ACCEPT fw loc:<ip> tcp 10080
> ACCEPT fw loc:<ip> udp 10080
> ACCEPT fw loc:<ip> tcp 10081
> ACCEPT fw loc:<ip> udp 10081
> ACCEPT fw loc:<ip> tcp 10082
> ACCEPT fw loc:<ip> udp 10082
> ACCEPT fw loc:<ip> udp 500:1024 10080
>
> and it works.
>
> I will probably later experiment by taking away some of the rules.

Start with the last one.
-- 
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
Paul Gear wrote:
> Johann Spies wrote:
>
>> ...
>> As my efforts accumulated, I have now:
>>
>> # Amanda - backups
>> ACCEPT loc:<ip> fw tcp 10080
>> ACCEPT loc:<ip> fw tcp 10081
>> ACCEPT loc:<ip> fw tcp 10082
>> ACCEPT loc:<ip> fw udp 10080
>> ACCEPT loc:<ip> fw udp 10081
>> ACCEPT loc:<ip> fw udp 10082
>> ACCEPT fw loc:<ip> tcp 10080
>> ACCEPT fw loc:<ip> udp 10080
>> ACCEPT fw loc:<ip> tcp 10081
>> ACCEPT fw loc:<ip> udp 10081
>> ACCEPT fw loc:<ip> tcp 10082
>> ACCEPT fw loc:<ip> udp 10082
>> ACCEPT fw loc:<ip> udp 500:1024 10080
>>
>> and it works.
>>
>> I will probably later experiment by taking away some of the rules.
>
> Start with the last one.

And the others can be compressed into four rules:

ACCEPT loc:<ip> fw udp 10080:10082
ACCEPT loc:<ip> fw tcp 10080:10082
ACCEPT fw loc:<ip> udp 10080:10082
ACCEPT fw loc:<ip> tcp 10080:10082

Probably still overkill but may not be worth fooling with...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
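The two things the thread juggles by hand are the REJECT lines in the first post and the rule sets that are supposed to cover them (the compressed four rules above, and the extra "udp 500:1024 10080" rule). The checker below is an added example, not code from the thread or from Shorewall: it parses rules in the column layout used here (ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S)), parses Shorewall kernel log lines into flows, and lists the rejected flows that no ACCEPT rule would have matched. It models static rules only, not what ip_conntrack_amanda lets through once loaded, so the fw to loc replies on ports 577, 957 and 605 show as uncovered until a rule like the 500:1024 one is present. The zone map (ZONE_OF_HOST) is an assumption, and the sample rules and log lines are constructed from the values quoted in the thread.

```python
"""Find Shorewall REJECT log entries that no static ACCEPT rule would have matched."""
import re
from collections import namedtuple

# Constructed sample rules in the rules-file column order used in the thread:
# ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S). Addresses are the first post's.
RULES_TEXT = """
# Amanda - backups
ACCEPT loc:146.232.128.185 fw udp 10080:10082
ACCEPT loc:146.232.128.185 fw tcp 10080:10082
ACCEPT fw loc:146.232.128.185 udp 10080:10082
ACCEPT fw loc:146.232.128.185 tcp 10080:10082
"""

# Constructed sample log lines shaped like the Shorewall:all2all:REJECT lines in the
# first post (IN= is empty because the firewall itself generated these packets).
LOG_LINES = [
    "Jun 14 16:47:52 mail3 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=146.232.128.106 DST=146.232.128.185 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10080 DPT=577 LEN=58",
    "Jun 15 07:11:00 mail3 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=146.232.128.106 DST=146.232.128.185 LEN=468 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10080 DPT=957 LEN=448",
    "Jun 15 07:30:00 mail3 kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=146.232.128.106 DST=146.232.128.185 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10080 DPT=605 LEN=58",
]

# Assumed zone membership (hypothetical mapping); an empty IN= or OUT= field means
# the packet was sent by, or addressed to, the firewall itself, i.e. the "fw" zone.
ZONE_OF_HOST = {"146.232.128.185": "loc"}

KV = re.compile(r"(\w+)=(\S*)")  # key=value pairs of a netfilter log line
Flow = namedtuple("Flow", "src_zone src_ip dst_zone dst_ip proto sport dport")
# src_hosts/dst_hosts: None means any host in the zone; an empty port list means any port
Rule = namedtuple("Rule", "src_zone src_hosts dst_zone dst_hosts proto dports sports")


def parse_log_line(line, zone_of_host):
    """Turn one Shorewall REJECT/DROP kernel log line into a Flow (None if not one)."""
    if ":REJECT:" not in line and ":DROP:" not in line:
        return None
    kv = dict(KV.findall(line))
    src, dst = kv["SRC"], kv["DST"]
    src_zone = "fw" if kv.get("IN", "") == "" else zone_of_host.get(src, "?")
    dst_zone = "fw" if kv.get("OUT", "") == "" else zone_of_host.get(dst, "?")
    return Flow(src_zone, src, dst_zone, dst, kv["PROTO"].lower(),
                int(kv.get("SPT", 0)), int(kv.get("DPT", 0)))


def parse_ports(spec):
    """'10080', '10080:10082' or '500:1024,10080' -> list of inclusive (lo, hi) ranges."""
    if spec in ("-", "all", ""):
        return []
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi) if hi else int(lo)))
    return ranges


def parse_endpoint(spec):
    """'loc:146.232.128.185' -> ('loc', {'146.232.128.185'}); 'fw' -> ('fw', None)."""
    zone, _, hosts = spec.partition(":")
    return zone, (set(hosts.split(",")) if hosts else None)


def parse_rules(text):
    """Parse ACCEPT rules only: other actions do not grant traffic."""
    rules = []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if not cols or cols[0].upper() != "ACCEPT":
            continue
        cols += ["-"] * (6 - len(cols))  # pad absent PROTO / port columns
        src_zone, src_hosts = parse_endpoint(cols[1])
        dst_zone, dst_hosts = parse_endpoint(cols[2])
        rules.append(Rule(src_zone, src_hosts, dst_zone, dst_hosts, cols[3].lower(),
                          parse_ports(cols[4]), parse_ports(cols[5])))
    return rules


def in_ranges(port, ranges):
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def rule_matches(rule, flow):
    return (rule.src_zone == flow.src_zone
            and (rule.src_hosts is None or flow.src_ip in rule.src_hosts)
            and rule.dst_zone == flow.dst_zone
            and (rule.dst_hosts is None or flow.dst_ip in rule.dst_hosts)
            and rule.proto in ("all", "-", flow.proto)
            and in_ranges(flow.dport, rule.dports)
            and in_ranges(flow.sport, rule.sports))


def uncovered_flows(rules_text, log_lines, zone_of_host):
    """Distinct rejected flows that no ACCEPT rule would have matched."""
    rules, seen, result = parse_rules(rules_text), set(), []
    for line in log_lines:
        flow = parse_log_line(line, zone_of_host)
        if flow is None or flow in seen:
            continue
        seen.add(flow)
        if not any(rule_matches(r, flow) for r in rules):
            result.append(flow)
    return result


if __name__ == "__main__":
    for f in uncovered_flows(RULES_TEXT, LOG_LINES, ZONE_OF_HOST):
        print(f"no ACCEPT rule for {f.src_zone}->{f.dst_zone} {f.proto} sport={f.sport} dport={f.dport}")
```

Run against the four compressed rules it reports the three fw to loc UDP replies (source port 10080, destination ports 577, 957, 605); appending "ACCEPT fw loc:146.232.128.185 udp 500:1024 10080" to RULES_TEXT makes the list empty, which is exactly why that last rule was the one Johann needed before the conntrack helper was in place. Duplicate log entries collapse to one flow, the same de-duplication the first post did by hand.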
On Tue, Jun 29, 2004 at 06:47:25AM -0700, Tom Eastep wrote:
> Paul Gear wrote:
>>> I will probably later experiment by taking away some of the rules.
>>
>> Start with the last one.
>
> And the others can be compressed into four rules:
>
> ACCEPT loc:<ip> fw udp 10080:10082
> ACCEPT loc:<ip> fw tcp 10080:10082
> ACCEPT fw loc:<ip> udp 10080:10082
> ACCEPT fw loc:<ip> tcp 10080:10082
>
> Probably still overkill but may not be worth fooling with...

Thanks for your help, Tom and Paul.

Paul, in the end I am using just the one rule that you suggested (also without a restore done so far):

ACCEPT loc:<ip> fw udp 10080

And it is working well for the backups.

Regards
Johann
-- 
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

     "Delight thyself also in the LORD; and he shall give thee the
      desires of thine heart."     Psalms 37:4
Johann Spies wrote:
> ...
>> And the others can be compressed into four rules:
>>
>> ACCEPT loc:<ip> fw udp 10080:10082
>> ACCEPT loc:<ip> fw tcp 10080:10082
>> ACCEPT fw loc:<ip> udp 10080:10082
>> ACCEPT fw loc:<ip> tcp 10080:10082
>>
>> Probably still overkill but may not be worth fooling with...
>
> Thanks for your help, Tom and Paul.
>
> Paul, in the end I am using just the one rule
> that you suggested (also without a restore done so far):
>
> ACCEPT loc:<ip> fw udp 10080
>
> And it is working well for the backups.

Good to hear. Did you find the /etc/shorewall/modules file where you can specify the following?

loadmodule ip_conntrack_amanda
loadmodule ip_nat_amanda
-- 
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
On Wed, Jul 14, 2004 at 12:15:44PM +1000, Paul Gear wrote:
> Good to hear. Did you find the /etc/shorewall/modules file where you
> can specify the following?
>
> loadmodule ip_conntrack_amanda
> loadmodule ip_nat_amanda

No, I have not noticed that before. Thanks for the tip.

Regards
Johann
-- 
Johann Spies          Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

     "God is faithful, by whom ye were called unto the fellowship
      of his Son Jesus Christ our Lord."     I Corinthians 1:9