
Re: amanda backup



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 17 December 2002 10:49, Torbjorn Pettersson wrote:

>  I haven't looked into how well it is implemented, so I can't
> really say anything about it, but it is possible to compile it
> to use kerberos authentication.

I don't think authentication is THE problem. 

Here is a quote:
"
Running an Amanda server from behind a firewall, to clients outside it, can 
be a bit tricky.

Amanda uses quite a few ports for communications. The general sequence is:

1) The server makes a start backup request on port 10080 to the client.
2) The client forks an amandad process, which then attempts to contact the 
server on a random udp port.
3) The server opens 2 or 3 random TCP sockets back to the client per dumper 
process. (one for data, one for messages and one for index, if indexing is 
enabled.)
4) data starts shuffling.

The problem with a firewall is step 2. Since most firewalls are set up to 
allow any outgoing traffic, the other steps usually have no problems. But 
that random UDP port back in to the server is usually blocked. This causes a 
symptom of "timeout waiting ack" in /tmp/amanda/amandad.debug on the client.

The solution is to use two of the configure directives.
configure --with-portrange=xxx,yyy will restrict your tcp ports to the given 
range. This is standard functionality as of 2.4.1.

However this will NOT restrict that UDP port at all. You need to d/l the 
2.4.2beta from the snapshots site (as of this writing 2.4.2 is still beta 
test) and configure 2.4.2 with the new --with-udpportrange=xxx,yyy directive.

You must pick ports under 1024 or amanda will complain of "insecure ports 
used". Those ports should of course not conflict with other services listed in 
/etc/services. (I suggest 850-854 or 859)

You must also open your firewall up to both UDP and TCP ports, in the range 
you specified, from your clients to your server.

Hope this helps!
mark@globalcenter.net.au


- -- 
"We should not be trying to use technical solutions
to solve a social problem."  
[Thomas R. Stephenson ("about SPAM" - Pegasus list 16.12.1999)]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9/vZJEyTmlrVpUvwRAqTEAJ0W/3XfvJ0uBYh2xrvhclGpywt3NwCfQvSV
+WvUto503JtKFhyCdHJxWKg=
=Vy/J
-----END PGP SIGNATURE-----
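
An added example, not part of the original message or of Amanda itself: a shell helper that checks a candidate range against the two constraints in the quoted text (ports below 1024, no clash with entries in /etc/services) and prints the two configure directives for it. The function names and the sample services entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): vet a candidate Amanda port range.

# conflicts LO HI [FILE]: list services-file entries whose port is in LO..HI.
conflicts() {
    awk -v lo="$1" -v hi="$2" '
        /^[[:space:]]*(#|$)/ { next }       # skip comment and blank lines
        {
            split($2, pp, "/")              # field 2 looks like "852/tcp"
            if (pp[1] + 0 >= lo && pp[1] + 0 <= hi)
                print pp[1] "/" pp[2], $1
        }' "${3:-/etc/services}"
}

# check_range LO HI [FILE]
# 0 = usable, 1 = not a valid range below 1024, 2 = collides with a listed service.
check_range() {
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ] && [ "$2" -lt 1024 ] || return 1
    [ -z "$(conflicts "$1" "$2" "${3:-/etc/services}")" ] || return 2
    return 0
}

# configure_flags LO HI: the two directives named in the post, same range for both.
configure_flags() {
    echo "--with-portrange=$1,$2 --with-udpportrange=$1,$2"
}

# sample_services: constructed data in /etc/services format, for offline testing.
sample_services() {
    cat <<'EOF'
# constructed sample
ssh         22/tcp
examplesvc  852/tcp     # hypothetical entry
amanda      10080/udp
EOF
}

# Usage: sh thisfile LO HI   (checks against the local /etc/services)
if [ "$#" -eq 2 ]; then
    rc=0; check_range "$1" "$2" || rc=$?
    case $rc in
        0) configure_flags "$1" "$2" ;;
        1) echo "range must lie below 1024" >&2 ;;
        2) echo "in use:" >&2; conflicts "$1" "$2" >&2 ;;
    esac
    exit "$rc"
fi
```

The same range then has to be opened on the firewall for both UDP and TCP, as the quoted text says.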
