Date: 03 Apr 2007 13:57:05 -0500
From: rand@meridian-enviro.com (Douglas K. Rand)
To: "Vadym Chepkov" <vchepkov@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: packet filter and amanda
Message-ID: <87648dgubi.fsf@delta.meridian-enviro.com>
In-Reply-To: <00d901c773e7$b20218f0$0610a8c0@chepkov.lan>
References: <00d901c773e7$b20218f0$0610a8c0@chepkov.lan>
Vadym> Hello everybody,

Hello

Vadym> I have a router with FreeBSD 6.2-RELEASE-p1 with custom build kernel:
Vadym> device pf        # PF OpenBSD packet-filter firewall
Vadym> device pflog     # logging support interface for PF
Vadym> I am using amanda to backup a client which is behind router
Vadym> with pf running
Vadym> amanda server - FreeBSD pf - amanda client
Vadym> I compiled amanda with tcp/udp port ranges but I can get that far.

We use the knobs in /etc/make.conf to control which ports Amanda uses:

    AMANDA_PORTRANGE = 50001,50099
    AMANDA_UDPPORTRANGE = 801,899

Please note that recent versions of Amanda were not correctly respecting
the AMANDA_PORTRANGE knob. You need a ports tree that is post PR 110687.

It was unclear to me if you are trying to back up your firewall or
systems on the other side of your firewall.

For backups of the actual firewall you need to allow traffic from your
Amanda server from any arbitrary UDP port to port 10080 on your
firewall. You also need to allow TCP connections from any port on your
Amanda server to your firewall in the range defined by AMANDA_PORTRANGE.
And lastly, your firewall needs to allow UDP traffic originating from
port 10080 on itself heading back to the Amanda server, destined for
ports in AMANDA_UDPPORTRANGE.

The reference in the Amanda FAQ is at
http://amanda.sourceforge.net/cgi-bin/fom?_highlightWords=10080&file=139

Snippets of our ruleset:

    int_amanda="{ 10.10.10.26/32, 67.134.74.26/32 }"
    amanda_tcp="50000:50100"
    amanda_udp="800:900"
    [...]
    pass in log quick inet proto tcp from $int_amanda to <dmz> port $amanda_tcp flags S/SARF keep state (no-sync)
    pass in log quick inet proto udp from $int_amanda to $int port amanda keep state (no-sync)
    [...]
    pass out log quick on $int inet proto udp from $int to $int_amanda port $amanda_udp keep state (no-sync)
    [...]
    pass log quick inet proto udp from <dmz> port = amanda to $int_amanda port $amanda_udp

And on a DMZ host we have:

    amanda="67.134.74.26"
    amandatcpports="50000:50100"
    amandaudpports="800:900"
    [...]
    pass in log quick inet proto tcp from $amanda to $lan port $amandatcpports flags S/SARF keep state
    pass in log quick inet proto udp from $amanda to $lan port amanda keep state
    [...]
    pass out log quick inet proto udp from $lan port amanda to $amanda port $amandaudpports keep state

Hope this helps.
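The reply above pairs Amanda's compiled port ranges (make.conf knobs) with pf macros that must cover them, and the quoted macros are slightly wider than the knobs. The following is an added audit script, not part of the thread; it assumes the exact `KNOB = lo,hi` and `macro="lo:hi"` forms quoted in the message and uses those values as constructed sample input, reporting both gaps (Amanda ports pf would block) and excess ports pf passes that Amanda never uses.

```python
import re

# Constructed samples, copied from the values quoted in the thread.
MAKE_CONF = """\
AMANDA_PORTRANGE = 50001,50099
AMANDA_UDPPORTRANGE = 801,899
"""
PF_CONF = """\
int_amanda="{ 10.10.10.26/32, 67.134.74.26/32 }"
amanda_tcp="50000:50100"
amanda_udp="800:900"
"""

# Which make.conf knob each pf macro is supposed to cover (assumed pairing).
PAIRS = (("AMANDA_PORTRANGE", "amanda_tcp"), ("AMANDA_UDPPORTRANGE", "amanda_udp"))


def parse_make_conf(text):
    """Return {knob: (lo, hi)} for AMANDA_*PORTRANGE knobs written as 'lo,hi'."""
    pat = re.compile(r'^(AMANDA_\w*PORTRANGE)\s*=\s*(\d+)\s*,\s*(\d+)\s*$', re.M)
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in pat.finditer(text)}


def parse_pf_macros(text):
    """Return {macro: (lo, hi)} for pf macros whose value is a port range 'lo:hi'.
    Address-list macros such as int_amanda do not match and are ignored."""
    pat = re.compile(r'^(\w+)="(\d+):(\d+)"\s*$', re.M)
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in pat.finditer(text)}


def check_range(amanda, pf):
    """Compare Amanda's compiled range with the pf pass range.
    Returns (covered, extra): covered is True when every port Amanda may use is
    passed; extra counts ports pf passes that Amanda will never use (least
    privilege says this should be 0)."""
    used = set(range(amanda[0], amanda[1] + 1))
    allowed = set(range(pf[0], pf[1] + 1))
    return used <= allowed, len(allowed - used)


def audit(make_conf, pf_conf, pairs=PAIRS):
    """Run check_range for each knob/macro pair; KeyError means a side is missing."""
    knobs, macros = parse_make_conf(make_conf), parse_pf_macros(pf_conf)
    return {macro: check_range(knobs[knob], macros[macro]) for knob, macro in pairs}


if __name__ == "__main__":
    for macro, (covered, extra) in audit(MAKE_CONF, PF_CONF).items():
        print(f"{macro}: covered={covered}, unused ports passed={extra}")
```

With the quoted values both macros cover their knobs but each passes two ports Amanda never binds (50000/50100 and 800/900), which can be tightened to match the knobs exactly.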