Re: uucp via tcp through firewall fails

From: Steve M. Fabac, Jr. (smfabac_at_att.net)
Date: 02/15/04


Date: Sun, 15 Feb 2004 07:54:46 GMT


Jeff Liebermann wrote:
>
> On Thu, 12 Feb 2004 18:10:56 GMT, "Steve M. Fabac, Jr."
> <smfabac@att.net> wrote:
>
> >I reconfigured a new client's system to move the SCO 5.0.6 system behind the firewall
> >(cayman 3546) and now uucp via tcp fails.
> >
> >Previously, the client's configuration put the UNIX box on the Internet naked, full access,
> >very bad.
>
> Bad idea. Firewalls are a good thing.

We agree on that.

>
> >I deleted the firewall setting that mapped the external WAN IP directly to the LAN IP of
> >the UNIX system.
>
> Also bad idea. That opens all ports to the Unix box which is almost
> as bad as having it directly exposed to the internet.
>
That's what I told the client as to why I am changing his system. Since I was called to
set up his new WinXP desktop system and troubleshoot why his Windows PCs are not able to
print to the UNIX printer (see my post on AFPS printing problems), he was questioning why
I had become excited when I began examining his LAN configuration and the router settings.

> >I have created pin-holes (Cayman's name for port mapping) allowing 22, 25, 113, 117, and
> >540 to reach the UNIX system.
>
> Overkill. For UUCP over TCP, you only need a hole at port 540/TCP for
> TCP. I'm currently getting my email via this method. However, I do
> recall that I had to enable ident and open a port for it, 113/TCP.

That's good to know. The remote system administrator (software developer that is
aggregating inventory updates from multiple locations and updating the locations
with the combined inventory figures) "thought" that 117 and 540 were needed. I
thought to open 113 in the event that uucp needs IDENT. How do I tell if IDENT is
enabled? It's listed in /etc/services, but what else is necessary?

>
> >Executing uutry -x9 hostname results in:
> >> Device Type TCP wanted
> >> ProtoStr = ee
> >> Internal caller type TCP
> >> tcpdial host host2, port 540
> >> family: 2
> >> port: 7170
> >> addr: 4203fcd0
> >> timed out
> >> timeout tcpopen
> >> ProtoStr = eee
> >> Internal caller type TCP
> >> tcpdial host host2, port 540
> >> family: 2
> >> port: 7170
> >> addr: 4203fcd0
> >> timed out
> >> timeout tcpopen
> >> getto ret -1
> >> Call Failed: NO DEVICES AVAILABLE
> >> lockname(/usr/spool/uucp/LCK..host2)
> >> exit code 101
> >> Conversation Complete: Status FAILED
> >>
> >> TM_cnt: 0
>
> OK. An open to port 540 on the remote machine failed. Can you telnet
> to port 540 on the remote machine (host2)? You should get a login:
> prompt. Type some garbage <enter> and it should disconnect. If there
> are other machines available behind your firewall, also try it from
> there.

The same suggestion from John Dubois. I tried it and the test failed:
# telnet host2 540
Trying 208.XXX.XXX.XX... (address obfuscated)
telnet: Unable to connect to remote host: Connection timed out
#
>
> >After seeing the above, I created another pinhole for port 7170, rebooted the Cayman
> >router and still get the same result.
>
> No, no, no. The port 7190 is the *OUTGOING* port number on the LAN
> side of your router, which is transparent. It will be a different
> port number every time you poll for mail. No need for any port
> redirection.
>
> >The pinholes I created are all TCP. Is uucp over tcp trying to make a udp connection?
>
> Nope. TCP only.
>
> >Any suggestions/comments welcome
>
> Is there more than one router involved in this system? Duz the other
> router work or is it also a new router?

I don't know what's at the remote end. The local router was only changed to delete the
external address -> internal UNIX system IP mapping, and to move the internal LAN network
from 12.100.161. to 192.168.10.

>
> The Cayman 3546 ADSL "gateway" has many features that drove me insane.
> One was the ability to route multiple IP addresses through a single
> connecting address to the ISP. This was quite useful and was one
> reason why SBC supplied these routers with their 5 IP address service.
> The other is that it makes sharing a 5 IP routed connection more
> difficult than with a 5 IP bridged connection. I scribbled a short
> description of how it works at:
> http://www.LearnByDestroying.com/crud/5IP.txt
> The problem is that it really makes a mess of doing IP port
> redirection. More simply, you cannot do IP port redirection if you're
> using the 5IP *routed* IP topology, but can with the 5IP *bridged*
> topology. I ended up using additional cheap routers to solve the
> problem as scribbled in the above document.

I will check the link above and review your information. Presently, I have
had to re-map the external IP to the UNIX IP (putting the box back outside
the firewall) to re-establish uucp for the inventory updates. As I indicated
to John, I have no way of knowing if the local machine was successful in
originating connections to the remote machine before I became involved with
the client on 2/11. Since the telnet test to remote host port 540 shown
above times out, there exists the possibility that the remote system IP has
been changed some time in the past and does not match the IP in the local
system's /etc/hosts file. On Monday, I'll call the remote administrator and
verify the public IP of his system matches the entry in /etc/hosts and then
correct /etc/hosts if it does not. Once uutry host2 succeeds in originating
a connection with the IP map, I will delete the map and recreate the
pinholes for ports 540, 117, 22, and 113 and test again.
>
> --
> Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
> (831)421-6491 pgr (831)336-2558 home
> http://www.LearnByDestroying.com AE6KS
> jeffl@comix.santa-cruz.ca.us jeffl@cruzio.com

--
                                      Steve Fabac
                                       S.M. Fabac & Associates
                                        816/765-1670
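The diagnosis Jeff and Steve work through above (only 540/tcp at the remote matters, the
7170 is an ephemeral source port, a timeout may mean a firewall or a stale /etc/hosts
entry, and "is ident enabled?") can be scripted. The following Python is an added example
for this thread, not code from the original post and not part of SCO's uutry/uucico: it
parses the shape of the -x9 trace quoted above, decodes the "addr:" word, checks it against
a copy of /etc/hosts and the address the remote administrator reports, and greps an
inetd.conf for an active auth/ident line. Assumptions: "family: 2" is AF_INET, "addr:" is
the 32-bit IPv4 address printed as one hex word whose byte order is not documented here
(so both orders are returned), and inetd.conf carries the service name in its first field.
The trace, hosts file and inetd.conf fragment are constructed with RFC 5737 documentation
addresses. On the trace actually quoted in the thread, reading the addr word
least-significant byte first yields an address beginning with 208, which agrees with the
"Trying 208..." line of the telnet test, so the trace does tell you which address uucico
dialled.

```python
"""Offline triage of a failed 'uutry -x9 host' run (added example)."""
import re
import ipaddress

# Constructed sample trace in the shape uutry -x9 printed in the thread,
# with the address replaced by an RFC 5737 documentation address.
SAMPLE_TRACE = """\
Device Type TCP wanted
ProtoStr = ee
Internal caller type TCP
tcpdial host host2, port 540
family: 2
port: 7170
addr: 0a0200c0
timed out
timeout tcpopen
getto ret -1
Call Failed: NO DEVICES AVAILABLE
lockname(/usr/spool/uucp/LCK..host2)
exit code 101
Conversation Complete: Status FAILED
"""

# Constructed /etc/hosts as uucico would read it on the local box.
SAMPLE_HOSTS = """\
127.0.0.1     localhost
192.168.10.5  unixbox
192.0.2.10    host2
"""

# Constructed inetd.conf fragment: the ident/auth service is commented out.
SAMPLE_INETD = """\
#auth  stream  tcp  nowait  root  /usr/sbin/identd  identd -l
ftp    stream  tcp  nowait  root  /etc/ftpd         ftpd
"""


def parse_trace(text):
    """Pull host, ports, address word, outcome and exit code out of the trace."""
    m = re.search(r"tcpdial host (\S+), port (\d+)", text)
    if not m:
        raise ValueError("no tcpdial line: not a TCP caller trace")
    info = {"host": m.group(1), "port": int(m.group(2))}
    fam = re.search(r"family: (\d+)", text)            # 2 == AF_INET (assumed)
    lport = re.search(r"port: (\d+)", text)            # local ephemeral source port
    addr = re.search(r"addr: ([0-9a-fA-F]{8})", text)  # IPv4 as one hex word
    code = re.search(r"exit code (\d+)", text)
    info["family"] = int(fam.group(1)) if fam else None
    info["local_port"] = int(lport.group(1)) if lport else None
    info["addr_hex"] = addr.group(1) if addr else None
    info["exit_code"] = int(code.group(1)) if code else None
    if "timed out" in text:
        info["outcome"] = "timeout"
    elif "refused" in text:
        info["outcome"] = "refused"
    else:
        info["outcome"] = "unknown"
    return info


def decode_addr(addr_hex):
    """Return the IPv4 address under both possible byte orders of the hex word."""
    raw = bytes.fromhex(addr_hex)
    if len(raw) != 4:
        raise ValueError("addr field is not 32 bits")
    return {"msb_first": ipaddress.IPv4Address(raw),
            "lsb_first": ipaddress.IPv4Address(raw[::-1])}


def hosts_lookup(hosts_text, name):
    """Resolve a name from /etc/hosts only (no DNS), as a stale-entry check."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return ipaddress.IPv4Address(fields[0])
    return None


def ident_enabled(inetd_conf):
    """True if an uncommented inetd.conf line serves auth/ident (113/tcp)."""
    for line in inetd_conf.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and fields[0] in ("auth", "ident"):
            return True
    return False


def diagnose(trace_text, hosts_text, remote_admin_ip=None):
    """Return a list of findings for a failed UUCP-over-TCP call."""
    t = parse_trace(trace_text)
    findings = []
    if t["family"] != 2:
        findings.append("caller family %r is not AF_INET" % t["family"])
    if t["port"] != 540:
        findings.append("dialled port %d, not 540/tcp (uucp)" % t["port"])
    dialled = decode_addr(t["addr_hex"])
    hosts_ip = hosts_lookup(hosts_text, t["host"])
    order = next((k for k, v in dialled.items() if v == hosts_ip), None)
    if order:
        findings.append("uucico dialled the /etc/hosts entry for %s (%s; addr word is %s)"
                        % (t["host"], hosts_ip, order))
    else:
        findings.append("dialled address (%s or %s) is not the /etc/hosts entry %s"
                        % (dialled["msb_first"], dialled["lsb_first"], hosts_ip))
    if remote_admin_ip is not None and hosts_ip != ipaddress.IPv4Address(remote_admin_ip):
        findings.append("STALE: /etc/hosts says %s but the remote admin reports %s"
                        % (hosts_ip, remote_admin_ip))
    if t["outcome"] == "timeout":
        findings.append("timeout: no SYN/ACK came back, so a firewall/NAT on one side "
                        "drops 540/tcp or the address is wrong; a refused connection "
                        "would instead mean the host answers but nothing listens")
    elif t["outcome"] == "refused":
        findings.append("refused: remote host reachable but no listener on 540/tcp")
    findings.append("local source port %d is ephemeral and needs no inbound pinhole"
                    % t["local_port"])
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_TRACE, SAMPLE_HOSTS, "198.51.100.7"):
        print("-", line)
    print("ident enabled in inetd.conf:", ident_enabled(SAMPLE_INETD))
```

The byte-order check is the useful part: whichever order makes the decoded word equal the
/etc/hosts entry is the order the trace uses, and from then on the addr line tells you
directly which address uucico tried, independent of what the hosts file currently says.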

