packet filter and amanda
Douglas K. Rand
rand at meridian-enviro.com
Tue Apr 3 19:19:03 UTC 2007
Vadym> Hello everybody,
Hello
Vadym> I have a router with FreeBSD 6.2-RELEASE-p1 with custom built kernel:
Vadym> device pf # PF OpenBSD packet-filter firewall
Vadym> device pflog # logging support interface for PF
Vadym> I am using amanda to backup a client which is behind router
Vadym> with pf running amanda server - FreeBSD pf - amanda client
Vadym> I compiled amanda with tcp/udp port ranges but I can get that far.
We use the knobs in /etc/make.conf to control which ports Amanda uses:
AMANDA_PORTRANGE = 50001,50099
AMANDA_UDPPORTRANGE = 801,899
Please note that recent versions of Amanda were not correctly
respecting the AMANDA_PORTRANGE knob. You need a ports tree that is
post PR 110687.
It was unclear to me if you are trying to backup your firewall or
systems on the other side of your firewall. For backups of the actual
firewall you need to allow traffic from your Amanda server from any
arbitrary UDP port to port 10080 on your firewall. You also need to
allow TCP connections from any port on your Amanda server to your
firewall in the range defined by AMANDA_PORTRANGE. And lastly, your
firewall needs to allow UDP traffic originating from port 10080 from
itself heading back to the Amanda server destined for ports in
AMANDA_UDPPORTRANGE.
The reference in the Amanda FAQ is at
http://amanda.sourceforge.net/cgi-bin/fom?_highlightWords=10080&file=139
Snippets of our ruleset:
int_amanda="{ 10.10.10.26/32, 67.134.74.26/32 }"
amanda_tcp="50000:50100"
amanda_udp="800:900"
[...]
pass in log quick inet proto tcp from $int_amanda to <dmz> port $amanda_tcp flags S/SARF keep state (no-sync)
pass in log quick inet proto udp from $int_amanda to $int port amanda keep state (no-sync)
[...]
pass out log quick on $int inet proto udp from $int to $int_amanda port $amanda_udp keep state (no-sync)
[...]
pass log quick inet proto udp from <dmz> port = amanda to $int_amanda port $amanda_udp
And on a DMZ host we have:
amanda="67.134.74.26"
amandatcpports="50000:50100"
amandaudpports="800:900"
[...]
pass in log quick inet proto tcp from $amanda to $lan port $amandatcpports flags S/SARF keep state
pass in log quick inet proto udp from $amanda to $lan port amanda keep state
[...]
pass out log quick inet proto udp from $lan port amanda to $amanda port $amandaudpports keep state
Hope this helps.
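As an added illustration (not part of Doug's message or of the Amanda project), here is a minimal pf.conf fragment for the first case he describes, where the FreeBSD firewall itself is the Amanda client. It puts the three flows from his explanation into rule form using the exact port ranges from the make.conf knobs above; the interface name em0 and the server address 192.0.2.10 are assumed placeholders, and "port amanda" resolves through /etc/services to udp/10080 as in the original ruleset.

```pf
# Added example, not from the original post: pf.conf for a FreeBSD firewall
# that is backed up by an Amanda server on the far side of $ext_if.
# Interface and address below are constructed placeholders.
ext_if        = "em0"
amanda_server = "192.0.2.10"
amanda_tcp    = "50001:50099"   # same range as AMANDA_PORTRANGE in make.conf
amanda_udp    = "801:899"       # same range as AMANDA_UDPPORTRANGE in make.conf

# Flow 1: the server's amcheck/amdump contact amandad on the firewall from
# any UDP source port, destined for udp/10080 ("amanda" in /etc/services).
pass in log quick on $ext_if inet proto udp \
    from $amanda_server to ($ext_if) port amanda keep state

# Flow 2: data connections from any TCP port on the server into the
# client's AMANDA_PORTRANGE on the firewall.
pass in log quick on $ext_if inet proto tcp \
    from $amanda_server to ($ext_if) port $amanda_tcp flags S/SARF keep state

# Flow 3: replies from amandad leave the firewall from udp/10080 and go back
# to the server's reserved AMANDA_UDPPORTRANGE.
pass out log quick on $ext_if inet proto udp \
    from ($ext_if) port amanda to $amanda_server port $amanda_udp keep state
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`; the `log` keyword on each rule means matches show up on pflog0, which is the quickest way to confirm which of the three flows is being blocked when a backup hangs.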