From owner-freebsd-pf@FreeBSD.ORG Tue Apr 3 19:19:03 2007
From: rand@meridian-enviro.com (Douglas K. Rand)
To: "Vadym Chepkov"
Cc: freebsd-pf@freebsd.org
Date: 03 Apr 2007 13:57:05 -0500
Subject: Re: packet filter and amanda
In-Reply-To: <00d901c773e7$b20218f0$0610a8c0@chepkov.lan>
Message-ID: <87648dgubi.fsf@delta.meridian-enviro.com>
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
List-Id: "Technical discussion and general questions about packet filter (pf)"

Vadym> Hello everybody,

Hello

Vadym> I have a router with FreeBSD 6.2-RELEASE-p1 with custom build kernel:
Vadym> device pf       # PF OpenBSD packet-filter firewall
Vadym> device pflog    # logging support interface for PF

Vadym> I am using amanda to backup a client which is behind router
Vadym> with pf running
Vadym>
Vadym>   amanda server - FreeBSD pf - amanda client

Vadym> I compiled amanda with tcp/udp port ranges but I can get that far.

We use the knobs in /etc/make.conf to control which ports Amanda uses:

    AMANDA_PORTRANGE = 50001,50099
    AMANDA_UDPPORTRANGE = 801,899

Please note that recent versions of Amanda were not correctly respecting
the AMANDA_PORTRANGE knob. You need a ports tree that is post PR 110687.

It was unclear to me if you are trying to back up your firewall or
systems on the other side of your firewall.

For backups of the actual firewall you need to allow traffic from your
Amanda server from any arbitrary UDP port to port 10080 on your
firewall. You also need to allow TCP connections from any port on your
Amanda server to your firewall in the range defined by
AMANDA_PORTRANGE. And lastly, your firewall needs to allow UDP traffic
originating from port 10080 from itself heading back to the Amanda
server destined for ports in AMANDA_UDPPORTRANGE.

The reference on the Amanda FAQ is at
http://amanda.sourceforge.net/cgi-bin/fom?_highlightWords=10080&file=139

Snippets of our ruleset:

    int_amanda="{ 10.10.10.26/32, 67.134.74.26/32 }"
    amanda_tcp="50000:50100"
    amanda_udp="800:900"
    [...]
    pass in log quick inet proto tcp from $int_amanda to port $amanda_tcp flags S/SARF keep state (no-sync)
    pass in log quick inet proto udp from $int_amanda to $int port amanda keep state (no-sync)
    [...]
    pass out log quick on $int inet proto udp from $int to $int_amanda port $amanda_udp keep state (no-sync)
    [...]
    pass log quick inet proto udp from port = amanda to $int_amanda port $amanda_udp

And on a DMZ host we have:

    amanda="67.134.74.26"
    amandatcpports="50000:50100"
    amandaudpports="800:900"
    [...]
    pass in log quick inet proto tcp from $amanda to $lan port $amandatcpports flags S/SARF keep state
    pass in log quick inet proto udp from $amanda to $lan port amanda keep state
    [...]
    pass out log quick inet proto udp from $lan port amanda to $amanda port $amandaudpports keep state

Hope this helps.
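The post's pf macros (50000:50100, 800:900) are deliberately a little wider than the make.conf knobs (50001,50099 and 801,899). The following added check, not from the thread or from Amanda, parses both files and reports for each knob whether the pf range leaves a gap (a port Amanda may pick but the firewall blocks), is exactly the Amanda range, or is wider than needed; the sample make.conf and pf.conf text is constructed from the values in the post, and the knob-to-macro mapping is an assumption about how the two configs correspond.

```python
import re

# Constructed sample input: the make.conf knobs and pf.conf macros from the post.
MAKE_CONF = """
AMANDA_PORTRANGE = 50001,50099
AMANDA_UDPPORTRANGE = 801,899
"""

PF_CONF = """
int_amanda="{ 10.10.10.26/32, 67.134.74.26/32 }"
amanda_tcp="50000:50100"
amanda_udp="800:900"
pass in log quick inet proto tcp from $int_amanda to port $amanda_tcp flags S/SARF keep state (no-sync)
pass out log quick on $int inet proto udp from $int to $int_amanda port $amanda_udp keep state (no-sync)
"""

def parse_make_conf(text):
    """Return {knob: (lo, hi)} for the AMANDA_PORTRANGE / AMANDA_UDPPORTRANGE knobs."""
    ranges = {}
    for m in re.finditer(r'^\s*(AMANDA_(?:UDP)?PORTRANGE)\s*=\s*(\d+)\s*,\s*(\d+)', text, re.M):
        ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def parse_pf_macros(text):
    """Return {macro: (lo, hi)} for pf macros holding a port range such as "50000:50100"."""
    macros = {}
    for m in re.finditer(r'^\s*(\w+)\s*=\s*"(\d+):(\d+)"', text, re.M):
        macros[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return macros

def check_coverage(amanda_range, pf_range):
    """Classify how the pf pass rule's port range relates to the range Amanda will use."""
    a_lo, a_hi = amanda_range
    p_lo, p_hi = pf_range
    if p_lo > a_lo or p_hi < a_hi:
        return "gap"    # Amanda may choose a port the firewall does not pass
    if p_lo < a_lo or p_hi > a_hi:
        return "wider"  # the pass rule opens ports Amanda will never use
    return "exact"

def audit(make_conf, pf_conf, mapping):
    """mapping is {make.conf knob: pf macro} (assumed); returns {knob: verdict}."""
    knobs = parse_make_conf(make_conf)
    macros = parse_pf_macros(pf_conf)
    return {knob: check_coverage(knobs[knob], macros[macro])
            for knob, macro in mapping.items()}

if __name__ == "__main__":
    print(audit(MAKE_CONF, PF_CONF,
                {"AMANDA_PORTRANGE": "amanda_tcp", "AMANDA_UDPPORTRANGE": "amanda_udp"}))
```

A "wider" verdict is harmless for the backup itself but is the signal to tighten the pass rule to the knob values; "gap" is the case that produces the intermittent failures the thread is about.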