
Re: Rsync/IPTables Help


Outbound service requests generally use a high port (above 1024); the
important piece is that the destination port is the port of the service
requested. There are basically four pieces to a TCP connection:

Source IP, Source Port
Destination IP, Destination Port

In order to get this to work through a firewall, you can set the rules
accordingly.  I am not sure how you do that on your firewall, but if the
machine is on your home network a solution would be to allow inbound traffic
for outbound service requests.  IPFilter does this by using the KEEP STATE
directive.  I'm sure IP Tables has something similar.


-----Original Message-----
From: silug-discuss-owner@silug.org
[mailto:silug-discuss-owner@silug.org]On Behalf Of John Bell
Sent: Wednesday, October 02, 2002 8:06 PM
To: silug-discuss@silug.org
Subject: Re: Rsync/IPTables Help

On Wed, 2002-10-02 at 10:13, Steven Pritchard wrote:
> On Tue, Oct 01, 2002 at 09:29:16PM -0500, John Bell wrote:
> > I'm having trouble with RSync.  I am 99.99% sure my problem is the
> > firewall.  What ports do I need to open up to allow rsync to operate?  I
> > know I need to open up 873, but are there any others?
> You'd only need to open that up if you wanted to run rsync as a
> daemon (like for running an anonymous rsync service).
> What exactly are you trying to do?

Well, to start with I was trying to grab RH80 off of the silug ftp site
using the rsync command you suggested in one of your emails.  However,
several attempts ended in errors almost immediately with the
following message:

	rsync: failed to connect to ftp.silug.org: Connection refused
	rsync error: error in socket IO (code 10) at clientserver.c(89)

I decided to look into the firewall logs. And this is what I found:

Oct  2 19:53:08 linda kernel: TCP reject IN= OUT=eth1 SRC=
DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20066 DF
PROTO=TCP SPT=33278 DPT=873 WINDOW=5840 RES=0x00 SYN URGP=0 

Clearly my firewall is rejecting the rsync packets.  I am using an
iptables based firewall script that is very easy for a novice to
configure.  The configuration is done by setting a bunch of variables in
a config file to either 1 or 0.  Example:

etc, etc, etc

You get the idea.  Well, the script does not support turning rsync on
and off, so I want to extend it to do so.  I want to add two switches
that control RSYNC_CLIENT and RSYNC_SERVER rules appropriately.  So,
from a firewall perspective what ports does rsync need as a server and
what ports does it need as a client?  Is port 873 used in all cases,
only in different directions?  One question, however: the rejected packet
has a source port of 33278; could you explain why to a firewall novice?


> > Is it like ftp and does it use one for data and one for control?
> No, it's straight TCP on a single channel.
> Steve
> -- 
> steve@silug.org           | Southern Illinois Linux Users Group
> (618)398-7360             | See web site for meeting details.
> Steven Pritchard          | http://www.silug.org/
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
