emerge --rsync port used?

Post by lostinlinux » Tue Feb 05, 2008 12:28 am

What port is used for this? I want to enable port forwarding on my router so I can use this... right now I have to use emerge-webrsync. Right now I am getting this error when I try to emerge --sync:

Code:

>>> Starting rsync with rsync://64.127.121.98/gentoo-portage...
>>> Checking server timestamp ...
timed out
rsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(276) [receiver=2.6.9]
>>> Retrying...
So many questions so little time....
Post by alex.blackbit » Tue Feb 05, 2008 12:51 am

Code:

$ grep ^rsync /etc/services
Post by lostinlinux » Tue Feb 05, 2008 9:06 am

Hmmm... I have both of those forwarding to my current IP and still no dice. Is there a chance that error means something else?
Post by alex.blackbit » Wed Feb 06, 2008 1:04 am

I don't think that it is even necessary that you forward this port. You make a connection from your workstation to the outside world, not the other way around.
Maybe you don't allow outgoing connections with that destination port?
Post by lostinlinux » Wed Feb 06, 2008 2:45 am

It was actually a combo of both: my router was dropping incoming and outgoing requests. Thanks for the tip!
Post by jcat » Wed Feb 06, 2008 11:42 am

lostinlinux wrote: it was actually a combo of both, my router was dropping incoming and outgoing requests, thanks for the tip!
It certainly should not be a combination of both, if your router is configured in NAT mode (as most are these days).

If it's a NATed config, you need to remove your incoming port forwards for rsync and just allow rsync outgoing. Most firewalls' default config is to allow packets with state ESTABLISHED and RELATED back in to the network.
So you initiate the rsync connection from within your private network and the reply packets from the rsync server are allowed back in because they are using an ESTABLISHED or RELATED connection.

Allowing unnecessary ports to be forwarded to internal hosts is a security risk; if you don't need them (as I believe could well be the case here) then disable them.

Did you have to set up incoming port forwarding for http access? I'm guessing not... :wink: (although I may be wrong!)

Cheers,
jcat
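The stateful-filter behaviour jcat describes, as an added example (this is not code from the thread, the Gentoo project, or the Westell firmware; it is a toy model written for this page). It runs the three packets that matter for an emerge --sync through a NAT router: the client's outbound connection to port 873, the mirror's reply, and an unsolicited probe from the internet. The LAN prefix, the router's WAN address and the probing host are assumed values; the mirror IP is the one in the first post's log. The same model also explains why the later ">> state" rules pass only connections the LAN initiated.

```python
"""Toy model of a NAT router's stateful filter: why an outbound rsync
needs no inbound port forward, and what a forward actually opens.
Added example for this page, not the router's real rule engine."""
from dataclasses import dataclass, field

LAN_NET = "192.168.1."      # assumed private LAN prefix (not in the thread)
WAN_IP = "203.0.113.10"     # assumed router public address (documentation range)
MIRROR = "64.127.121.98"    # the rsync mirror from the first post's log
RSYNC = 873


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router:
    egress_ports: set                                # dports LAN hosts may open outbound
    forwards: dict = field(default_factory=dict)     # WAN dport -> "lanhost:port" (DNAT)
    conntrack: set = field(default_factory=set)      # (lan_src, sport, dst, dport) flows

    def filter(self, pkt: Packet) -> str:
        if pkt.src.startswith(LAN_NET):              # LAN -> WAN direction
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.conntrack:
                return "ACCEPT (ESTABLISHED)"
            if pkt.dport in self.egress_ports:
                self.conntrack.add(key)              # remember the flow we SNATed out
                return "ACCEPT (NEW outbound)"
            return "DROP (egress policy)"            # SYN never leaves: client sees a timeout
        # WAN -> router direction: only replies to tracked flows, or explicit forwards
        for (_lan_src, lan_sport, dst, dport) in self.conntrack:
            if (pkt.src, pkt.sport, pkt.dport) == (dst, dport, lan_sport):
                return "ACCEPT (ESTABLISHED reply)"
        if pkt.dport in self.forwards:
            return f"ACCEPT (DNAT to {self.forwards[pkt.dport]}, unsolicited)"
        return "DROP (unsolicited inbound)"


def sync_scenario(egress_ports, forwards=None):
    """Run the three packets that matter for an emerge --sync through one router config."""
    router = Router(egress_ports=set(egress_ports), forwards=dict(forwards or {}))
    client = LAN_NET + "20"
    packets = [
        Packet(client, 40123, MIRROR, RSYNC),          # rsync client opens the connection
        Packet(MIRROR, RSYNC, WAN_IP, 40123),          # mirror answers back to our WAN IP
        Packet("198.51.100.7", 55555, WAN_IP, RSYNC),  # stranger probes our port 873
    ]
    return [router.filter(p) for p in packets]


if __name__ == "__main__":
    print("egress blocks 873:      ", sync_scenario({80, 443}))
    print("egress allows 873:      ", sync_scenario({80, 443, RSYNC}))
    print("plus an inbound forward:", sync_scenario({80, 443, RSYNC}, {RSYNC: LAN_NET + "20:873"}))
```

The first scenario is the OP's original state: the SYN to port 873 is dropped on the way out, so rsync reports "timed out". The second is the fix, with nothing forwarded: the mirror's reply is accepted purely because it matches a tracked flow. The third shows that a port forward changes only the third verdict, turning a stranger's probe into a connection delivered to a LAN host.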
Post by lostinlinux » Thu Feb 07, 2008 3:15 am

I did not. I will give just setting the other up a try when I sit down in front of the box again and let you know how it turns out.
Post by lostinlinux » Thu Feb 07, 2008 7:56 am

So actually my router is not set up as you say. I don't have a section that says anything about NATing. Here are my current configs (which do specify something for http):

Code:

title       [ Custom to Allow RSYNC High IN rules ]

begin
RulesDropFrom192
drop from addr %LANADDR%:%LANMASK% >> done, alert 0 [WAN Traffic from LAN IP]
RulesDropTTL
drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]

RulesDropAddress
drop from addr 0.0.0.0 >> done, alert 4 [ 0.0.0.0 Source IP Address]
RulesDrop
drop all

RulesPass
pass from port 51413
pass to port 51413
pass from port 5190
pass from port 5190
pass from port 873
pass to port 873
pass from port 80
pass to port 80
pass from port 20
pass to port 20
pass from port 21
pass from port 110
pass from port 119
pass from port 143
pass from port 220
pass from port 25
pass from port 443
pass from port 500
pass protocol 50
RulesDropWANUDP
drop protocol udp, to addr %WANADDR%:32 >> done, alert 4 [UDP WAN Traffic to WAN IP]
RulesDropWANTCP
drop protocol tcp, to addr %WANADDR%:32 >> done, alert 4 [TCP WAN Traffic to WAN IP]
RulesDropWANIP
drop to addr %WANADDR%:32 >> done, alert 4 [IP WAN Traffic to WAN IP]

end

Code:

title       [ Custom to Allow RSYNC High OUT rules ]

begin
# Protocol Match conditions
RulesPass
pass to port 51413 >> done
pass from port 51413 >> done
pass to port 5190 >> done
pass from port 5190 >> done
pass to port 80 >> done
pass from port 80 >> done
pass to port 873 >> done
pass from port 873 >> done
pass protocol udp, to port 53 >> state, done
pass to port 20 >> done
pass from port 20 >> done
pass to port 21 >> done
pass to port 110 >> done
pass to port 119 >> done
pass to port 143 >> done
pass to port 220 >> done
pass to port 25 >> done
pass to port 443 >> done
pass to port 500 >> done
pass protocol 50 >> done
pass protocol tcp, from addr %LANADDR% >> state, done

# Failed to match
RulesDrop
drop all >> done, alert 4 [Unsupported High Application]

end
I am not too familiar with the syntax above, but if anyone can shed some light on how to do this NATing I'd be up for trying it. FYI this is a Westell D90-327W15-06.

EDIT***

A little googling provided me with what you were referring to; I now use the following rules, which work well.

Code:

title       [ Security Level Custom (Medium) IN rules ]

begin

RulesDropTTL
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]

RulesDropAddress
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]

# Pass and Log Specific Unsolicited ICMP
RulesPassICMP
#pass icmp-type reply >> done, alert 0 [ICMP Message To WAN IP - Echo Reply - Passed] # Type: 0 (allow ping reply)
pass icmp-type exceeded >> done, alert 1 [ICMP Message To WAN IP - TTL Exceeded - Passed] # Type: 11 (allow tracert reply)
#pass icmp-type unreachable >> done, alert 2 [ICMP Message To WAN IP - Dst Unreachable - Passed] # Type: 3 (allow unreachable reply)

# Drop and Log all Unsolicited ICMP
RulesDropICMP
#drop protocol icmp >> alert 4 [ICMP Message To WAN IP]
drop icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block ping reply)
drop icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block tracert reply)
drop icmp-type unreachable >> done, alert 2 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop icmp-type request >> done, alert 2 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block ping requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)

# Drop All Unsolicited Inbound
RulesDrop
drop all >> alert 3 [Drop All Unsolicited Inbound]

end

Code:

title       [ Custom to Allow RSYNC High OUT rules ]

begin
# Protocol Match conditions
RulesPass
pass to port 51413 >> state, done
pass from port 51413 >> state, done
pass to port 5190 >> state, done
pass from port 5190 >> state, done
pass to port 80 >> state, done
pass from port 80 >> state, done
pass to port 873 >> state, done
pass from port 873 >> state, done
pass protocol udp, to port 53 >> state, done
#pass to port 20 >> state, done
#pass from port 20 >> state, done
pass to port 123 >> state, done
pass from port 123 >> state, done
#pass to port 21 >> state, done
pass to port 110 >> state, done
pass to port 119 >> state, done
pass to port 143 >> state, done
pass to port 220 >> state, done
pass to port 25 >> state, done
pass to port 443 >> state, done
pass to port 500 >> state, done
pass protocol 50 >> state, done
pass protocol tcp, from addr %LANADDR% >> state, done

pass protocol tcp, to port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, from port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, to port 21 >> state, done # Active & Passive Mode FTP Control Channel Port
pass to port >= 1024, to port <= 5000 >> state, done # WE/IE Passive FTP Ports
#Uncheck "Use Passive FTP" in IE Advanced Options and enable the FTP firewall service or enable above statement

# Failed to match
RulesDrop
drop all >> done, alert 4 [Unsupported High Application]


end
Now, if I understand this correctly, it passes only connections I have initiated. Anyone with a Westell 327W or similar, or who knows this syntax, I'd love to have comments (this post was helpful: http://www.dslreports.com/forum/remark,16694222). The only sticking point is that PASV FTP doesn't seem to work. Anyone have any clue about that one?
Post by jcat » Thu Feb 07, 2008 11:55 am

I'm not familiar with your particular device, just the general networking principles involved. As long as you don't allow anyone to initiate sessions from the outside (unless it's really needed, like you're running a publicly available server), then you're fairly safe.

You can always try and port scan the public IP of your router to see if anything is open or not (this usually has to be done from an external host somewhere).

FYI FTP can be a real pain in the arse on some devices!

Cheers,
jcat
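The check jcat suggests, as an added example (not code from the thread or from any tool it mentions): a small TCP connect scanner that tells "open" (handshake completed), "closed" (RST came back) and "filtered" (no answer, which is what a "drop all" rule produces) apart. Run it from a host outside your LAN against your router's public address; the default port list and the use of 127.0.0.1 as a fallback target are assumptions for illustration, and a scan from inside the LAN says nothing about the WAN side.

```python
"""TCP connect scan: confirm from outside that a NAT router exposes nothing
unintended.  Added example for this page; it is not the thread's code and
needs only the standard library."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed default list: the ports the Westell rules above pass, plus a few common ones.
DEFAULT_PORTS = [21, 22, 25, 80, 443, 873, 5190, 51413]


def probe(host: str, port: int, timeout: float = 2.0) -> tuple:
    """Return (port, state): 'open' if the 3-way handshake completes,
    'closed' if the target answers with RST, 'filtered' if nothing comes
    back before the timeout (a silently dropping firewall looks like this)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return port, "open"
    except ConnectionRefusedError:
        return port, "closed"
    except (TimeoutError, OSError):
        return port, "filtered"


def scan(host: str, ports, timeout: float = 2.0, workers: int = 64) -> dict:
    """Probe every port concurrently and map port -> state."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: probe(host, p, timeout), ports))


def open_ports(results: dict) -> list:
    """The ports an attacker could actually initiate a session to."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed fallback target
    results = scan(target, DEFAULT_PORTS)
    for port in sorted(results):
        print(f"{port:5d}/tcp  {results[port]}")
    print("open:", open_ports(results) or "none (good, unless you run a public server)")
```

Against a router whose inbound policy is "drop all", every port should come back "filtered"; a "closed" result means the router answered, and an "open" one means something is listening or forwarded and deserves a second look.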
© 2001–2026 Gentoo Foundation, Inc.
