Documentation about amanda confusing
Hi.
I'd like to suggest improvement of the documentation
concerning the amanda rule.
In the case where firehol will be installed on the
amanda client, it is not clear from the docs what needs
to be setup exactly.
The addresses given as an example cannot be
distinguished between amanda client or amanda server.
From my experience, in this case, two things were
necessary:
1) to declare a rule like:
client amanda accept src 5.6.7.8
where 5.6.7.8 is the amanda server
2) to load the ip_conntrack_amanda linux kernel module.
Didn't try the firehol setup on an amanda server or the
situation where amanda server and clients are on both
sides of a firewall.
I hope this helps.
Best regards,
Logged In: YES
user_id=582393
Hi,
the current implementation of the amanda service in FireHOL
does not depend on the ip_conntrack_amanda kernel
module, since:
a) the FireHOL service 'amanda' was created before the
kernel module, and
b) older kernels do not have this module available.
I don't see where the confusion is. Possibly I should add that
the firehol 'amanda' service does not depend on the kernel
module. Will this make things more clear?
Logged In: YES
user_id=1341532
Well... I'm afraid I don't understand.
From what I've seen on my system, which is an amanda client
and on which firehol is running, if there's only the
definition of using the amanda service, with
"client amanda accept src x.y.z.n", this won't be enough.
To let amanda work, ip_conntrack_amanda module is to be
loaded also.
In any case, I think it is not clearly explained in the docs
when a rule like "client amanda" or "server amanda" should
be used, and in the case of the client rule (for firehol
running on the amanda client) if the src or dst of the
packets should refer to the amanda server...
Hope it's clearer now.
Thanks anyway for the great tool ;)
So I think
Logged In: YES
user_id=1341532
Oops... consider the last line of latest comment a mistake
("so I think").
Logged In: YES
user_id=582393
Olivier,
1) The right statement is:
client amanda accept dst x.y.z.w
It is a 'dst' not an 'src'. Maybe that is why it didn't
work for you.
2) As I have stated in many places in the documentation, the
optional rule parameters (like 'dst', 'src', etc) match the
request, and as far as FireHOL is concerned, a client always
is sending requests (matched with 'dst') which are received
by a server (matched with 'src').
In other words, the 'src' of a client statement is the
client host and the 'dst' for a server statement is the
server host. Similarly, to match the remote host you need
'dst' for a client and 'src' for a server.
I hope it is more clear now...
Costa
Logged In: YES
user_id=1341532
> Comment By: Costa Tsaousis (ktsaou)
>
> Olivier,
>
> 1) The right statement is:
>
> client amanda accept dst x.y.z.w
>
> It is a 'dst' not an 'src'. Maybe that is why it didn't
> work for you.
>
> 2) As I have stated in many places in the documentation, the
> optional rule parameters (like 'dst', 'src', etc) match the
> request, and as far as FireHOL is concerned, a client always
> is sending requests (matched with 'dst') which are received
> by a server (matched with 'src').
>
> In other words, the 'src' of a client statement is the
> client host and the 'dst' for a server statement is the
> server host. Similarly, to match the remote host you need
> 'dst' for a client and 'src' for a server.
>
> I hope it is more clear now...
>
> Costa
>
>
In principle, I think it makes sense... but as far as I've
tried, it didn't work to use "client amanda accept dst
x.y.z.w" on my system.
If I get it right, the amanda system requires something like
a server working on the amanda client actually: the amanda
server will ask the amanda client to prepare for a dump,
then the client will open ports (which aren't known in a
static way), then the amanda server will connect to these
and grab the dump.
(More details on this in
http://www.int-evry.fr/mci/user/procacci/Doc/amanda.html#htoc15
written by one of our admins... in French, sorry... and also:
http://amanda.sourceforge.net/cgi-bin/fom?_highlightWords=10080&file=139)
So maybe the thing is that an amanda client is actually
rather a server in terms of firewalling than a client...
Maybe it works by specifying a server rule on the amanda
client then.
In any case, it may be complicated enough (compared to HTTP
or other protocols) to require detailed documentation...
Well, I'd like to test with a server setting on my amanda
client, just to be sure, but I need to wait 'til next day to
see results... and this is a production server where I
prefer not to block the backups :(...
Sorry for your time... I'd like to help document it in the
best way so that others don't block their backups when
installing firehol (pretty risky) by not configuring properly ;)
Logged In: NO
I found the problem with the access to the amanda client in the
/etc/init.d/firehol script.
rule ${in} action "$@" chain "${in}_${mychain}" proto "tcp udp" \
    sport "${FIREHOL_AMANDA_PORTS}" state NEW,ESTABLISHED || return 1
rule ${out} reverse action "$@" chain "${out}_${mychain}" proto "tcp udp" \
    sport "${FIREHOL_AMANDA_PORTS}" state ESTABLISHED || return 1
These lines must contain sport and not dport as it was.
And the correct syntax for the rule in the
/etc/firehol/firehol.conf is:
AMANDA_SERVER=w.x.y.z
server amanda accept src "${AMANDA_SERVER}"
I hope this solves your problem.
[]'s
Davi Santos Oliveira
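As an added illustration (not code from this thread, nor from FireHOL itself), the following POSIX shell script models the matching Costa describes above: a 'client' statement describes requests the firewall host sends, a 'server' statement describes requests it receives, and 'src'/'dst' are matched against the request packet, so the remote host is 'dst' in a client statement and 'src' in a server statement. It then applies that model to the amanda case, where the amanda server initiates the request to the amanda client, which is why Davi's final configuration uses 'server amanda accept src SERVER' on the amanda client. The function names and the addresses 10.0.0.5 / 10.0.0.20 are constructed for the example; the model deliberately ignores ports, connection state and the ip_conntrack_amanda module, which the thread discusses separately.

```shell
#!/bin/sh
# Added example, not FireHOL code: a small model of how the optional 'src'
# and 'dst' parameters of a FireHOL 'client' or 'server' statement are
# matched against the request. Names and addresses are constructed.

# rule_matches ROLE RULE_SRC RULE_DST DIRECTION PKT_SRC PKT_DST
#   ROLE            : "client" or "server" (the FireHOL statement keyword)
#   RULE_SRC        : address given with 'src', or "any" if omitted
#   RULE_DST        : address given with 'dst', or "any" if omitted
#   DIRECTION       : "in"  = the request arrives at the firewall host
#                     "out" = the request leaves the firewall host
#   PKT_SRC/PKT_DST : source and destination address of the request
# Prints "accept" when the statement matches the request, "no-match" otherwise.
rule_matches() {
    role=$1; rule_src=$2; rule_dst=$3; dir=$4; pkt_src=$5; pkt_dst=$6
    # 'client' statements describe requests this host sends (outgoing);
    # 'server' statements describe requests this host receives (incoming).
    case "$role:$dir" in
        client:out|server:in) ;;
        *) echo no-match; return 0 ;;
    esac
    # 'src' and 'dst' are matched against the request packet itself, so the
    # remote host is 'dst' for a client statement and 'src' for a server one.
    if [ "$rule_src" != any ] && [ "$rule_src" != "$pkt_src" ]; then
        echo no-match; return 0
    fi
    if [ "$rule_dst" != any ] && [ "$rule_dst" != "$pkt_dst" ]; then
        echo no-match; return 0
    fi
    echo accept
}

# Constructed scenario: FireHOL runs on the amanda client (10.0.0.20); the
# amanda server (10.0.0.5) starts the backup by sending a request to it, so
# the request is incoming at the firewall host.
AMANDA_CLIENT=10.0.0.20
AMANDA_SERVER=10.0.0.5

# Statement tried first in the thread: client amanda accept dst SERVER
on_client_with_client_rule() {
    rule_matches client any "$AMANDA_SERVER" in "$AMANDA_SERVER" "$AMANDA_CLIENT"
}
# Statement Davi ends with: server amanda accept src SERVER
on_client_with_server_rule() {
    rule_matches server "$AMANDA_SERVER" any in "$AMANDA_SERVER" "$AMANDA_CLIENT"
}
# The other side: FireHOL on the amanda server, which sends the request.
on_server_with_client_rule() {
    rule_matches client any "$AMANDA_CLIENT" out "$AMANDA_SERVER" "$AMANDA_CLIENT"
}

echo "amanda client, 'client amanda accept dst SERVER': $(on_client_with_client_rule)"
echo "amanda client, 'server amanda accept src SERVER': $(on_client_with_server_rule)"
echo "amanda server, 'client amanda accept dst CLIENT': $(on_server_with_client_rule)"
```

Run with `sh` on any host; it makes no firewall changes. The first line prints no-match, the other two print accept, which is the behaviour Olivier observed and Davi's configuration reflects: in firewalling terms the amanda client is the server of the request.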