An easy way to check if the master-replica UDP port check actually works is
to simply configure a few iptables rules to drop packets for the tested UDP or
TCP ports:
-A INPUT -m udp -p udp --dport 88 -j DROP
-A INPUT -m tcp -p tcp --dport 88 -j DROP
UDP port checks in ipa-replica-conncheck always return OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports, as there is no session management as
in the TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to the checked port.
This patch removes UDP port checks in the replica-master direction,
as we would have to implement a (Kerberos) protocol-wise check
to make the other side actually respond. A list of skipped
ports is printed for the user.
The master-replica direction was fixed and is now able to report an
error when the port is blocked.
https://fedorahosted.org/freeipa/ticket/2062
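The UDP problem described above, as an added example that is not FreeIPA code: `check_port` with `probe=False` reproduces a connect-only UDP check and reports OK against a closed port, while the probed variant only reports OK when a cooperating `UdpResponder` on the far side echoes the payload back. All names are hypothetical, the loopback ports are chosen by the OS, and the `b"FreeIPA"` payload mirrors the `responder_data` used in the patch.

```python
import socket
import threading

TCP, UDP = socket.SOCK_STREAM, socket.SOCK_DGRAM
PROBE = b"FreeIPA"  # constructed payload the responder echoes back


def check_port(host, port, port_type, probe=True, timeout=1.0):
    """probe=False reproduces the flawed check: connect() alone, which on a
    UDP socket sends no packet and so succeeds even when a firewall drops.
    With probe=True a UDP port is open only if the far side echoes PROBE."""
    with socket.socket(socket.AF_INET, port_type) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))  # for TCP the handshake is the proof
            if port_type == UDP and probe:
                s.send(PROBE)
                return s.recv(len(PROBE)) == PROBE
            return True
        except OSError:  # timeout, refused or ICMP port unreachable
            return False


class UdpResponder(threading.Thread):
    """Stand-in for the far side: bind the checked UDP port and echo data."""
    def __init__(self, port=0):  # 0 lets the OS pick a free port (demo only)
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, UDP)
        self.sock.bind(("127.0.0.1", port))
        self.sock.settimeout(0.2)  # poll so stop_request is honoured
        self.port = self.sock.getsockname()[1]
        self.stop_request = False
        self.start()

    def run(self):
        while not self.stop_request:
            try:
                data, peer = self.sock.recvfrom(64)
                self.sock.sendto(data, peer)
            except socket.timeout:
                continue
        self.sock.close()


def demo():
    """Verdicts (naive, probed) with a responder bound, then with it gone."""
    r = UdpResponder()
    verdicts = lambda: (check_port("127.0.0.1", r.port, UDP, probe=False),
                        check_port("127.0.0.1", r.port, UDP))
    with_responder = verdicts()
    r.stop_request = True
    r.join()  # port now closed; to the checker it looks like a DROP rule
    return with_responder, verdicts()
```

Running `demo()` shows the naive check answering True in both cases, while the probed check answers True only while the responder is bound.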
From 415cae5d3b63e10471e515666224863036be0ece Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 1 Feb 2012 17:12:17 +0100
Subject: [PATCH] Sanitize UDP checks in conncheck
UDP port checks in ipa-replica-conncheck always return OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports, as there is no session management as
in the TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to the checked port.
This patch removes UDP port checks in the replica-master direction,
as we would have to implement a (Kerberos) protocol-wise check
to make the other side actually respond. A list of skipped
ports is printed for the user.
The master-replica direction was fixed and is now able to report an
error when the port is blocked.
https://fedorahosted.org/freeipa/ticket/2062
---
install/tools/ipa-replica-conncheck | 58 +++
ipapython/ipautil.py| 27 ++-
2 files changed, 49 insertions(+), 36 deletions(-)
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 2622130e7c6f6ceabe6ff8a17e89412089897c5f..44b3caa45a20d3a72985c051a7982da1f9716147 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -34,6 +34,7 @@ import socket
import time
import threading
import errno
+from socket import SOCK_STREAM, SOCK_DGRAM
CONNECT_TIMEOUT = 5
RESPONDERS = [ ]
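Review bot: style point on the new `from socket import SOCK_STREAM, SOCK_DGRAM` line: the hunk header shows `import socket` is already in place, so this is a second import of the same module; writing `socket.SOCK_STREAM` / `socket.SOCK_DGRAM` at the use sites would avoid it, although the short names do keep the port tables below easier to read. Either is acceptable, just keep one style across the file.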
@@ -42,24 +43,24 @@ CCACHE_FILE = /etc/ipa/.conncheck_ccache
KRB5_CONFIG = None
class CheckedPort(object):
-def __init__(self, port, stream, description):
+def __init__(self, port, port_type, description):
self.port = port
-self.stream = stream
+self.port_type = port_type
self.description = description
BASE_PORTS = [
-CheckedPort(389, True, Directory Service: Unsecure port),
-CheckedPort(636, True, Directory Service: Secure port),
-CheckedPort(88, True, Kerberos KDC: TCP),
-CheckedPort(88, False, Kerberos KDC: UDP),
-CheckedPort(464, True, Kerberos Kpasswd: TCP),
-CheckedPort(464, False, Kerberos Kpasswd: UDP),
-CheckedPort(80, True, HTTP Server: Unsecure port),
-CheckedPort(443, True, HTTP Server: Secure port),
+CheckedPort(389, SOCK_STREAM, Directory Service: Unsecure port),
+CheckedPort(636, SOCK_STREAM, Directory Service: Secure port),
+CheckedPort(88, SOCK_STREAM, Kerberos KDC: TCP),
+CheckedPort(88, SOCK_DGRAM, Kerberos KDC: UDP),
+CheckedPort(464, SOCK_STREAM, Kerberos Kpasswd: TCP),
+CheckedPort(464, SOCK_DGRAM, Kerberos Kpasswd: UDP),
+CheckedPort(80, SOCK_STREAM, HTTP Server: Unsecure port),
+CheckedPort(443, SOCK_STREAM, HTTP Server: Secure port),
]
CA_PORTS = [
-CheckedPort(7389, True, PKI-CA: Directory Service port),
+CheckedPort(7389, SOCK_STREAM, PKI-CA: Directory Service port),
]
def print_info(msg):
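Review bot: the commit message says UDP checks in the replica-master direction are dropped and the skipped ports are printed, yet BASE_PORTS still carries both SOCK_DGRAM entries (88 and 464), so the skipping has to happen wherever these lists are consumed; that code is not in the visible hunks, so please confirm the UDP entries are filtered and reported there rather than still being connect()-tested and shown as OK. Also, renaming the attribute from `stream` to `port_type` turns any leftover `.stream` reference in this file into an AttributeError at runtime; worth a grep before merging.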
@@ -211,18 +212,20 @@ def configure_krb5_conf(realm, kdc, filename):
class PortResponder(threading.Thread):
-def __init__(self, port, socket_stream = True, socket_timeout=1):
+def __init__(self, port, port_type, socket_timeout=1):
super(PortResponder, self).__init__()
self.port = port
-self.socket_stream = socket_stream
+self.port_type = port_type
self.socket_timeout = socket_timeout
self._stop_request = False
def run(self):
while not self._stop_request:
try:
-ipautil.bind_port_responder(self.port, self.socket_stream,
-self.socket_timeout, responder_data=FreeIPA)
+ipautil.bind_port_responder(self.port,
+self.port_type,
+socket_timeout=self.socket_timeout,
+
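Review bot: `PortResponder.__init__` drops the `socket_stream = True` default and now takes `port_type` as a required positional argument, so any caller still constructing `PortResponder(port)` will fail with a TypeError; the call sites are not in the visible part of the patch (the hunk is cut off after the `socket_timeout=` keyword), so please check them. Passing `socket_timeout` by keyword in the `bind_port_responder` call is a welcome change, since the old positional boolean was easy to misread.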