Re: Amanda clients, behind a pf firewall?

[Andrew Rucker Jones <arjones_(_at_)_simultan_(_dot_)_dyndns_(_dot_)_org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

You can build Amanda Yourself and specify certain port ranges, which is
a big win when configuring a firewall. Here are the rules i have in a
neutral format (i actually use Netfilter on that firewall):

server/src ports 702:712/udp -> clients/dst port 10080/udp

(The next rule is actually for replies from the previous rule. The
previous rule is for requests to the clients to estimate how much space
they need. Estimating that can take a while, so the entry in the
firewall's state table tends to timeout before a reply is received.)
clients/src port 10080/udp -> server/dst ports 702:712/udp

server/src ports 1024:/tcp -> clients/dst ports 1702:1712/tcp
clients/src ports any/tcp -> server/dst ports 10082:10083/tcp

The last two rules are for
1) the actual backup or restore data
2) indexing and tape services for restores

The ranges 702:712/udp and 1702:1712/tcp are the ones i chose when
compiling Amanda. If explicit ranges are not chosen at compile time, the
ranges are rather unbounded. UDP is probably restricted to being less
than 1024 (because explicitly specifying something outside of that
ranges gives an error), and TCP is restricted to being 1024 or greater
(same reason).

		-&

stan wrote:
> Can anyone tell me how what pf rules I need to allow an Amanda
> machine outised of the firewall to backup clients that are inside
> the firewall?
> 
> Curently amcheck runs fine, but I think the actuall run will
> fail. At least it did last night.
> 

- --
GPG key / Schl|ssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschl|sseln.
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFDBVrgoI7tqy5bNGMRAxOMAJ4vhwF1csIHXGDBNtREda07stPj1wCg3Pnr
3iulo2tM9s6lu4tAo9eJm3w=
=SkTH
-----END PGP SIGNATURE-----