Re: possible firewall filtering issues (port 9279 not blocked though)

2013-01-28 Thread Colin Percival
On 01/28/13 14:56, N.J. Thomas wrote:
> I'm attempting to run tarsnap on a machine behind a perimeter firewall,
> but there's none on the box itself.
> 
> AFAIK, the firewall is not filtering port 9279.
> 
> However, any tarsnap operation I run hangs indefinitely, and eventually
> dies.
> 
> Running tcpdump/wireshark and sniffing the connection shows that there
> is definitely communication going on between my box and the tarsnap
> server (on Amazon), however at some point, the tarsnap server refuses to
> continue speaking to my box, and then hangs.
> 
> Anyone seen anything similar before?
> 
> I suspect my firewall may be to blame, but I'm not sure exactly what is
> going on.
> 
> fwiw: I'm running tarsnap-1.0.33 built from ports on a FreeBSD
> 9.1-RELEASE box (amd64). My account is used successfully on a separate
> machine (with another key), so I know that works, I generated a new key
> for this particular box.

Where did you generate the new key?  Behind this firewall, or elsewhere?

> cperciva: I can send you the tcpdump capture file output if you like.

That would be good, but even better would be if you can tell me what IP
address you're connecting from so that I can look in my logs.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid



Re: possible firewall filtering issues (port 9279 not blocked though)

2013-01-29 Thread N.J. Thomas
* Colin Percival  [2013-01-28 15:15:28-0800]:
> > fwiw: I'm running tarsnap-1.0.33 built from ports on a FreeBSD
> > 9.1-RELEASE box (amd64). My account is used successfully on a separate
> > machine (with another key), so I know that works, I generated a new key
> > for this particular box.
> 
> Where did you generate the new key?  Behind this firewall, or elsewhere?

The new key generation also hung on the new box, so I generated it on
the old (working) box and copied it over.

> That would be good, but even better would be if you can tell me what IP
> address you're connecting from so that I can look in my logs.

Okay, will send this to you under cover of separate email.

Thomas


Re: possible firewall filtering issues (port 9279 not blocked though)

2013-01-29 Thread N.J. Thomas
* N.J. Thomas  [2013-01-29 11:09:16-0500]:
> > That would be good, but even better would be if you can tell me what IP
> > address you're connecting from so that I can look in my logs.
> 
> Okay, will send this to you under cover of separate email.

List update:

After some research, it was noted that each side can initially talk to
the other, but about half a second into the conversation, everything
gets blocked.

This is almost certainly due to the perimeter firewall on my end, which
does deep packet inspection. I will follow up with the folks that admin
the device to verify.

Thomas


Re: possible firewall filtering issues (port 9279 not blocked though)

2013-01-31 Thread N.J. Thomas
* N.J. Thomas  [2013-01-29 23:40:04-0500]:
> This is almost certainly due to the perimeter firewall on my end, which
> does deep packet inspection. I will follow up with the folks that admin
> the device to verify.

Confirmed that this was indeed the case. The firewall appliance in
question did not recognize 9279 as an authorized port. But instead of
blocking it like a normal firewall, it goes one step further and
inspects the connection (that's why both sides could talk to each other
initially for about half a second). It didn't recognize that as an
authorized protocol, and so blocked off the connection.

I now have to ask if they will open it up for me, but that's another
matter entirely.

Thanks, Colin, for helping debug this.

Thomas
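The symptom described in this thread (handshake completes, a brief exchange in both directions, then the connection is cut about half a second in) can be picked out of a packet capture mechanically. The script below is an added example, not code from the thread or from tarsnap; it assumes the capture was written as `tcpdump -tt -n` text in the form of the constructed sample, and flags flows that were established, carried payload both ways, and then stopped without a FIN within a one-second window.

```python
import re

# "tcpdump -tt -n" style line (assumed format): <epoch-ts> IP <src>.<port> > <dst>.<port>: Flags [..] ... length <n>
LINE_RE = re.compile(r"^(\d+\.\d+) IP (\S+) > (\S+): Flags \[([^\]]*)\].*length (\d+)")

def analyze_flows(lines):
    """Track TCP flows keyed by (client, server); the client is whoever sent the bare SYN."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m: continue
        ts, src, dst, flags, length = float(m[1]), m[2], m[3], m[4], int(m[5])
        if flags == "S":  # bare SYN opens a new flow
            flows[(src, dst)] = {"established": None, "last": ts, "fin": False, "bytes": {src: 0, dst: 0}}
            continue
        key = (src, dst) if (src, dst) in flows else (dst, src)
        f = flows.get(key)
        if f is None: continue
        f["last"] = ts
        if f["established"] is None and src == key[0] and flags == ".":
            f["established"] = ts  # client's ACK completes the three-way handshake
        f["bytes"][src] += length
        f["fin"] |= "F" in flags
    return flows

def suspect_dpi_flows(lines, window=1.0):
    """Flows that finished the handshake, exchanged payload both ways, then stopped
    without a FIN (reset or silence) within `window` seconds of being established."""
    hits = []
    for (client, server), f in analyze_flows(lines).items():
        if f["established"] is None or f["fin"]:
            continue
        if all(f["bytes"].values()) and f["last"] - f["established"] < window:
            hits.append((client, server))
    return hits

# Constructed sample (documentation addresses): the 9279 flow exchanges one request and
# one reply, then is reset 0.5 s after the handshake; the 443 flow closes normally.
SAMPLE_CAPTURE = """\
1.000000 IP 192.0.2.10.51234 > 198.51.100.5.9279: Flags [S], seq 1, length 0
1.050000 IP 198.51.100.5.9279 > 192.0.2.10.51234: Flags [S.], seq 2, ack 2, length 0
1.050500 IP 192.0.2.10.51234 > 198.51.100.5.9279: Flags [.], ack 3, length 0
1.060000 IP 192.0.2.10.51234 > 198.51.100.5.9279: Flags [P.], seq 2:100, ack 3, length 98
1.110000 IP 198.51.100.5.9279 > 192.0.2.10.51234: Flags [P.], seq 3:200, ack 100, length 197
1.550000 IP 198.51.100.5.9279 > 192.0.2.10.51234: Flags [R], seq 200, length 0
2.000000 IP 192.0.2.10.51235 > 198.51.100.5.443: Flags [S], seq 1, length 0
2.050000 IP 198.51.100.5.443 > 192.0.2.10.51235: Flags [S.], seq 2, ack 2, length 0
2.050500 IP 192.0.2.10.51235 > 198.51.100.5.443: Flags [.], ack 3, length 0
2.110000 IP 198.51.100.5.443 > 192.0.2.10.51235: Flags [P.], seq 3:200, ack 2, length 197
2.200000 IP 192.0.2.10.51235 > 198.51.100.5.443: Flags [F.], seq 2, ack 200, length 0
""".splitlines()
```

On a real capture, a hit on every connection to one port regardless of server, while flows to other ports close normally, points at an inspecting middlebox rather than the remote service; the next step is the conversation with whoever administers the appliance, as in the thread.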