The reason I am doing it with a pserver instead of ssh is because I didn't know any better. So thank you. That sounds like a good solution. I'll wait to hear how the subversion vs. cvs debate pans out and see if that interests me as well. Thanks to those of you that helped me.
Dustin

On 12/1/06, Michael L Torrie <[EMAIL PROTECTED]> wrote:
On Fri, 2006-12-01 at 10:20 -0700, Dustin McQuay wrote:
> Hey UUG!,
>
> I am having trouble getting a box (I'll refer to it as the server) at my
> house set up as a cvs server. I am pretty sure the problem is the
> firewall running directly on the box (iptables). It is behind a router
> so I have traffic on TCP port 2401 being forwarded to it. I am pretty
> sure we don't need to worry about the router being the problem because I
> am also forwarding traffic on TCP port 80 to the same box and it is
> dishing out web pages just fine.

Is there a reason you are using the CVS server (which is insecure)
instead of cvs without a server over ssh? CVS over ssh is by far the
most appropriate and preferred way for accessing CVS (except for
anonymous CVS).

Just do

  export CVS_RSH=ssh
  export [EMAIL PROTECTED]:/var/cvs

then do a standard cvs co. Ssh will prompt you for your password and it
will then do all the magic stuff. You don't need any server stuff set
up at all on cvs, except for sshd itself.

Michael

> Some background to the server I am having problems with: It has cvs
> installed. It is running Fedora Core 5 with a minimal number of
> installed packages. There exists a group called cvs and a user called
> dmcquay who is a member of the group. The cvs group owns the cvs
> repository.
> =================================================================
> $ uname -a
> Linux gateway-tablet.app.byu.edu 2.6.17-1.2187_FC5 #1 Mon Sep 11 01:17:06 EDT 2006 i686 athlon i386 GNU/Linux
> $ cvs --version
> Concurrent Versions System (CVS) 1.11.22 (client/server)
> =================================================================
>
> I set up a cvs repository on the server just fine. Then on my laptop I
> did the following-
> =================================================================
> $ export CVSROOT=:pserver:[EMAIL PROTECTED]:/var/cvs
> $ cvs login
> Logging in to :pserver:[EMAIL PROTECTED]:2401/var/cvs
> CVS password:
> cvs [login aborted]: connect to myserver.mydomain.org(64.20.33.115):2401 failed: Connection refused
> =================================================================
>
> Here is some info about the CVS repository I set up-
> =================================================================
> $ cd /var
> $ ll | grep cvs
> drwxr-xr-x 3 root cvs 4096 Nov 18 17:00 cvs
> $ ll cvs
> total 8
> drwxrwxr-x 3 root cvs 4096 Nov 18 17:00 CVSROOT
> =================================================================
>
> I didn't know why this was failing, so I ran nmap from my laptop and got
> the following-
> =================================================================
> $ nmap synchros.dynsns.org -p 2401
>
> Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-12-01 09:44 MST
> Interesting ports on 64.20.33.4:
> PORT     STATE  SERVICE
> 2401/tcp closed cvspserver
> =================================================================
>
> So I tried to open up port 2401 using the system-config-securitylevel
> command. Pay special attention to the Other ports section of the
> firewall configuration-
> =================================================================
> $ system-config-securitylevel
>
> ┌─────────────────┤ Firewall Configuration - Customize ├─────────────────┐
> │                                                                        │
> │  You can customize your firewall in two ways. First, you can select    │
> │  to allow all traffic from certain network interfaces. Second, you     │
> │  can allow certain protocols explicitly through the firewall. Specify  │
> │  additional ports in the form 'service:protocol', such as 'imap:tcp'.  │
> │                                                                        │
> │  Trusted Devices:     [ ] eth0                                         │
> │                                                                        │
> │  MASQUERADE Devices:  [ ] eth0                                         │
> │                                                                        │
> │                   [*] SSH                 [*] Telnet   [*] FTP         │
> │  Allow incoming:  [*] WWW (HTTP)          [*] Samba    [*] Mail (SMTP) │
> │                   [*] Secure WWW (HTTPS)                               │
> │  Other ports      cvspserver:tcp___________                            │
> │                                                                        │
> │                                 ┌────┐                                 │
> │                                 │ OK │                                 │
> │                                 └────┘                                 │
> │                                                                        │
> │                                                                        │
> └────────────────────────────────────────────────────────────────────────┘
>
> $ /sbin/service iptables restart
> Flushing firewall rules: [ OK ]
> Setting chains to policy ACCEPT: filter [ OK ]
> Unloading iptables modules: [ OK ]
> Applying iptables firewall rules: [ OK ]
> Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]ntrack_ftp
> =================================================================
>
> Then I checked nmap again to see if that opened up the port. Nope. One
> time I was able to get it to say filtered, but not open and the CVS
> login still wouldn't work when the state was filtered. I am guessing it
> needs to be open-
> =================================================================
> $ nmap mybox.mydomain.org -p 2401
>
> Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-12-01 09:31 MST
> Interesting ports on noptr.cpxserver.com (64.20.49.210):
> PORT     STATE  SERVICE
> 2401/tcp closed cvspserver
> =================================================================
>
> Then I tried doing the cvs login again. This time the response was the
> same-
> =================================================================
> $ export CVSROOT=:pserver:[EMAIL PROTECTED]:/var/cvs
> $ cvs login
> Logging in to :pserver:[EMAIL PROTECTED]:2401/var/cvs
> CVS password:
> cvs [login aborted]: connect to myserver.mydomain.org(64.20.33.115):2401 failed: Connection refused
> =================================================================
>
> I also got some information from IP tables which seems to show that
> cvspserver should be open just like the others.
> =================================================================
> $ /sbin/iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     ipv6-crypt--  anywhere             anywhere
> ACCEPT     ipv6-auth--  anywhere             anywhere
> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:cvspserver
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
> ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> =================================================================
>
> It seemed odd to me that nmap sees the port as closed, yet iptables
> reports it as opened. So, just to rule the router out of the equation,
> I installed and ran nmap on localhost port 2401 from the server-
> =================================================================
> $ nmap localhost -p 2401
>
> Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-12-01 10:18 MST
> Interesting ports on synchros.dyndns.org (127.0.0.1):
> PORT     STATE  SERVICE
> 2401/tcp closed cvspserver
> =================================================================
>
> I just don't know what is going on. I tried messing with iptables on the
> command line instead of using the system-config-securitylevel command.
> That didn't fix the problem. Plus, it looks like iptables is reporting
> that port as open anyway. The problem must be somewhere else. Why can't
> I get an "open" status for port 2401 in nmap and why can't I do a cvs
> login? I'm so confused. Any help would be greatly appreciated.
>
> Thanks in advance,
> Dustin McQuay
>
> --------------------
> BYU Unix Users Group
> http://uug.byu.edu/
>
> The opinions expressed in this message are the responsibility of their
> author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
> ___________________________________________________________________
> List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
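Added example, not part of the original messages: the three nmap states in the thread correspond to what a plain TCP connect() returns, and each one points at a different layer. "closed" and "Connection refused" mean the packet reached the host and was answered with a reset, which is what happens when no process is listening on the port; an ACCEPT rule only lets packets through and does not create a listener. The names port_state, NEXT_STEP and demo are made up for this sketch, and the loopback listener is constructed for the demonstration.

```python
import errno
import socket

# ICMP "unreachable" answers surface as these errnos on Linux, e.g. from a
# final rule like "REJECT ... reject-with icmp-host-prohibited".
FILTERED_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH}

def port_state(host, port, timeout=3.0):
    """Classify host:port as 'open', 'closed' or 'filtered' (nmap's terms)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: a process is listening
    except ConnectionRefusedError:
        return "closed"          # RST came back: packet arrived, no listener
    except socket.timeout:
        return "filtered"        # no answer at all, e.g. a DROP rule
    except OSError as exc:
        if exc.errno in FILTERED_ERRNOS:
            return "filtered"    # rejected by a firewall before any socket
        raise

# Which layer to look at for each result.
NEXT_STEP = {
    "open": "listener reachable; remaining problems are in the service itself",
    "closed": "firewall passed the packet; check that a daemon is bound to the port",
    "filtered": "packet never reached a socket; check firewall and forwarding rules",
}

def demo():
    """Constructed loopback demo: the same port with and without a listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    with_listener = port_state("127.0.0.1", port)
    srv.close()                  # nothing is bound to the port any more
    without_listener = port_state("127.0.0.1", port)
    return with_listener, without_listener

if __name__ == "__main__":
    for state in demo():
        print(f"{state:8} -> {NEXT_STEP[state]}")
```

Run on the server against localhost and the service port, a "closed" result rules out both the router and the packet filter in one step.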
