RE: CVS behind a firewall.

2001-10-13 Thread Gianni Mariani


Which incoming ports do you restrict ?

You should probably restrict 0-1023,5990-6009,2401(:)),5432 (and a few
others).
If you restrict them all then no packets can come through unless you set up
a specific 2401 tcp proxy server.

My strong suggestion is to ask a different mailing list, you'll probably get
a better answer.

If you're desperate, I can give you an ipchains (need a Linux 2.2 kernel
afaik) script that I use and works fine for me.  There are a whole bunch of
ip firewall scripts on freshmeat.  Try one of those.

G

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
William Burrow
Sent: Saturday, October 13, 2001 3:06 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: CVS behind a firewall.


What understanding did you gain?  I have the same problem, but do not
restrict ANY outgoing ports.


In gnu.cvs.help, you wrote:
>Thanks Larry.
>You've solved my problem and improved my basic understanding ( and that of
>my network administrator too !!).
>
>
>
>- Original Message -
>From: "Larry Jones" <[EMAIL PROTECTED]>
>To: "Tarun Garg" <[EMAIL PROTECTED]>
>Cc: <[EMAIL PROTECTED]>
>Sent: Saturday, October 13, 2001 10:36 PM
>Subject: Re: CVS behind a firewall.
>
>
>> Tarun Garg writes:
>> >
>> > Does the cvs client randomly pick up ports at the client end ( in case of
>> > pserver)?
>>
>> Yes.  That's the way essentially *all* TCP/IP clients work -- only the
>> server uses a well-known port.
>>
>> > Can I specify the port to be used at the client side ?
>>
>> No.
>>
>> > Or is there something wrong with our firewalling ( or proxy) software?
>>
>> No.
>>
>> > Is there something wrong with my understanding/expectation ?
>>
>> Yours or your firewall administrator's.  You need to configure the
>> firewall to allow outgoing connections from any (non-reserved) port to
>> port 2401.  The rule should look almost exactly like the rule for telnet
>> except for the different well-known port number.
>>
>> -Larry Jones
>>
>> The surgeon general should issue a warning about playing with girls. -- Calvin
>>
>
>


--
--
William Burrow  --  New Brunswick, Canada o
Copyright 2001 William Burrow ~  /\
~  ()>()

___
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs





Re: CVS behind a firewall.

2001-10-13 Thread William Burrow

What understanding did you gain?  I have the same problem, but do not
restrict ANY outgoing ports.  


In gnu.cvs.help, you wrote:
>Thanks Larry.
>You've solved my problem and improved my basic understanding ( and that of
>my network administrator too !!).
>
>
>
>- Original Message -
>From: "Larry Jones" <[EMAIL PROTECTED]>
>To: "Tarun Garg" <[EMAIL PROTECTED]>
>Cc: <[EMAIL PROTECTED]>
>Sent: Saturday, October 13, 2001 10:36 PM
>Subject: Re: CVS behind a firewall.
>
>
>> Tarun Garg writes:
>> >
>> > Does the cvs client randomly pick up ports at the client end ( in case of
>> > pserver)?
>>
>> Yes.  That's the way essentially *all* TCP/IP clients work -- only the
>> server uses a well-known port.
>>
>> > Can I specify the port to be used at the client side ?
>>
>> No.
>>
>> > Or is there something wrong with our firewalling ( or proxy) software?
>>
>> No.
>>
>> > Is there something wrong with my understanding/expectation ?
>>
>> Yours or your firewall administrator's.  You need to configure the
>> firewall to allow outgoing connections from any (non-reserved) port to
>> port 2401.  The rule should look almost exactly like the rule for telnet
>> except for the different well-known port number.
>>
>> -Larry Jones
>>
>> The surgeon general should issue a warning about playing with girls. -- Calvin
>>
>
>


-- 
--
William Burrow  --  New Brunswick, Canada o
Copyright 2001 William Burrow ~  /\
~  ()>()




Re: CVS behind a firewall.

2001-10-13 Thread Tarun Garg

Thanks Larry.
You've solved my problem and improved my basic understanding ( and that of
my network administrator too !!).



- Original Message -
From: "Larry Jones" <[EMAIL PROTECTED]>
To: "Tarun Garg" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, October 13, 2001 10:36 PM
Subject: Re: CVS behind a firewall.


> Tarun Garg writes:
> >
> > Does the cvs client randomly pick up ports at the client end ( in case of
> > pserver)?
>
> Yes.  That's the way essentially *all* TCP/IP clients work -- only the
> server uses a well-known port.
>
> > Can I specify the port to be used at the client side ?
>
> No.
>
> > Or is there something wrong with our firewalling ( or proxy) software?
>
> No.
>
> > Is there something wrong with my understanding/expectation ?
>
> Yours or your firewall administrator's.  You need to configure the
> firewall to allow outgoing connections from any (non-reserved) port to
> port 2401.  The rule should look almost exactly like the rule for telnet
> except for the different well-known port number.
>
> -Larry Jones
>
> The surgeon general should issue a warning about playing with girls. -- Calvin
>





Re: CVS behind a firewall.

2001-10-13 Thread Larry Jones

Tarun Garg writes:
> 
> Does the cvs client randomly pick up ports at the client end ( in case of
> pserver)?

Yes.  That's the way essentially *all* TCP/IP clients work -- only the
server uses a well-known port.

> Can I specify the port to be used at the client side ?

No.

> Or is there something wrong with our firewalling ( or proxy) software?

No.

> Is there something wrong with my understanding/expectation ?

Yours or your firewall administrator's.  You need to configure the
firewall to allow outgoing connections from any (non-reserved) port to
port 2401.  The rule should look almost exactly like the rule for telnet
except for the different well-known port number.

-Larry Jones

The surgeon general should issue a warning about playing with girls. -- Calvin
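
Added example, not part of the original thread: a small Python model of a stateless, default-deny packet filter, showing why pinning one observed client port fails on the next connection while a rule keyed on the server port 2401, paired with a rule for the returning packets, works for any client port. The `Rule` class, the function names and the three rule sets are constructed for illustration and are not ipchains syntax; reading "2401 open at our end" as a local-port rule is an assumption.

```python
from dataclasses import dataclass

ANY = range(0, 65536)
EPHEMERAL = range(1024, 65536)      # non-reserved ports a client may pick
PSERVER = range(2401, 2402)         # CVS pserver well-known port

@dataclass(frozen=True)
class Rule:                         # hypothetical model, not ipchains syntax
    direction: str                  # "out" = LAN to Internet, "in" = reverse
    local: range                    # port on the machine behind the firewall
    remote: range                   # port on the Internet host
    allow_new: bool = True          # False: refuse connection-opening SYNs

def permits(rules, direction, local, remote, new):
    """Stateless default-deny filter: a packet passes if any rule matches."""
    return any(r.direction == direction and local in r.local
               and remote in r.remote and (r.allow_new or not new)
               for r in rules)

def can_connect(rules, client_port, server_port=2401):
    """A TCP session needs the outgoing SYN and the returning packets."""
    return (permits(rules, "out", client_port, server_port, new=True)
            and permits(rules, "in", client_port, server_port, new=False))

# Constructed rule sets.
# Assumption: "2401 open at our end" plus pinning the one observed port 1759.
PINNED = [Rule(d, range(p, p + 1), ANY) for d in ("out", "in")
          for p in (2401, 1759)]
# Outgoing rule only: the replies from port 2401 are dropped on the way back.
OUT_ONLY = [Rule("out", EPHEMERAL, PSERVER)]
# Any non-reserved local port to remote 2401, plus replies that are not
# connection-opening packets (the same shape as a telnet rule on port 23).
BY_SERVER_PORT = OUT_ONLY + [Rule("in", EPHEMERAL, PSERVER, allow_new=False)]

if __name__ == "__main__":
    for name, rules in [("pinned", PINNED), ("out only", OUT_ONLY),
                        ("by server port", BY_SERVER_PORT)]:
        results = {p: can_connect(rules, p) for p in (1759, 1760, 40000)}
        print(f"{name:15} {results}")
```

The pinned rule set also accepts new inbound connections to local port 1759 from anywhere, so it is both less functional and more exposed than the rule keyed on the server port.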




RE: CVS behind a firewall.

2001-10-13 Thread Gianni Mariani


This is not a CVS question.  This is a firewall administration question.

You'll have better luck asking a networking group.

Having said that, as a guess you have a far too restrictive firewall.

If you do not have any services running on a particular port, firewalling
does not increase your security.  So what seems to be happening is that you
have firewalled all the ports so that NAT (Masquerading) does not work
anymore because the return packets have nowhere to go.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Tarun Garg
Sent: Saturday, October 13, 2001 6:55 AM
To: [EMAIL PROTECTED]
Subject: CVS behind a firewall.


I am trying to access a cvs repository on the net ( let's say
CVSROOT=:pserver:[EMAIL PROTECTED]:/home/cvspublic)
from a linux machine.
The cvs client is version 1.10.8 ( bash is 2.04).

We use a proxy server ( SQUID) and a firewall ( ipchains).

Now whenever I try to access a repository using pserver, I get a timeout.
The port number 2401 is open at our end.
We opened up all the ports once and tried to connect. I could connect at
that time. The client was using port number 1759 at our end. We opened up
that too.
Still it doesn't work.

I've tried repository access via SSH. It works.

Does the cvs client randomly pick up ports at the client end ( in case of
pserver)?
Can I specify the port to be used at the client side ?
Or is there something wrong with our firewalling ( or proxy) software?
Is there something wrong with my understanding/expectation ?

Any help/pointers would be appreciated.

Thanks.


