Re: netsync with port forwarding -- SOLVED
>> I believe you could also enable the incoming connections on the port in
>> the firewall settings…
>
> That's what I did originally on port 4691, and it did not work.
> I suspect that netsync sets up another port that the modem firewall
> does not know about. Is the port usage of netsync documented somewhere?
>
>> on the other hand, if you want incoming
>> connections, it's on the server, so I guess you can call it a win…

Netsync is described in netsync.txt, but there it just talks about one
connection (that can also be standard I/O, as in case of ssh:)
Re: netsync with port forwarding -- SOLVED
On Tue, Jun 08, 2021 at 10:16:18PM +0200, Michael Raskin wrote:
> > I believe I got it to work? I found one more trick in the configuration
> > menu. There's a firewall, which knows about proper redirection for a
> > large number of protocols, but not netsync.
> > It turns out to have a garbage destination -- where to send all packets
> > that it doesn't know what to do with. This is presumably intended to be
> > a machine that can collect statistics and check for possible attacks.
> >
> > So I just designate my server as my garbage machine.
>
> I believe you could also enable the incoming connections on the port in
> the firewall settings…

That's what I did originally on port 4691, and it did not work.
I suspect that netsync sets up another port that the modem firewall
does not know about. Is the port usage of netsync documented somewhere?

> on the other hand, if you want incoming
> connections, it's on the server, so I guess you can call it a win…
>
> > It will ignore any port that's not open, and I control that by what
> > services I choose to provide.
> >
> > And if netsync uses the familiar trick of initiating a connexion on port
> > 4691 and then replying to say what port the rest of the communication
> > should take place on,
> > * it would formerly get lost because redirection treats it as an attack,
> > * But now it's sent to the garbage machine, which does know what to do
> > with it.
>
> Pretty sure it does not…

Because the garbage machine *is* the server, it does know what to do.
For anything but the ports it opens (which might be dynamically assigned
for some protocols) it just drops incoming junk. And for netsync, the
process on the server opening the right ports is usher, which knows what
to do with netsync.

> > And I went to a coffee shop to check it's working.
>
> Oh well, that's what matters

Yes.

-- hendrik
Re: netsync with port forwarding -- SOLVED
On Sun, Jun 06, 2021 at 08:21:44PM +0200, Michael Raskin wrote:
> >> > Netsync relies on some underlying conventions on the use of TCP for a
> >> > two-way connexion. Is there some other protocol that shares these
> >> > conventions? If so I could tell the modem that this other protocol is
> >> > now being used on port 4691.
> >>
> >> I would frankly start with tcpdump on both sides while trying to connect
> >> from outside. Routers can break so many things it is not even funny…
> >
> > I know. A port forwarding NAT is an intense kludge.
>
> Static port forwarding doesn't need to be, however routers sometimes
> have a ton of interesting modes that make things complicated, usually
> not well named.
>
> Also, it could be that the router port forwards only connections from
> outside, while the ISP by default blocks incoming traffic on unknown
> ports. In the latter case there are two options: actually believing it
> is good for safety, and letting through the ports explicitly requested
> (if a person can explain what port is needed, this person can probably
> be made to clean up their PC if malware gets too annoying for the
> network); or trying to make residential connections less attractive
> compared to business connections (doesn't work well in the world of
> cheap VPS, but…)
>
> > There was once a publicly accessible site of monotone repositories
> > called something like mtn-prjk.net -- a kind of github for monotone.
> > That would have accomplished my desire. Alas! it exists no more.
>
> mtn-host.prjek.net, yes…
>
> > Does netsync support IPv6?
> >
> > If so there will still be the question of whether the public and the
> > coffee shops do.)
>
> In principle Monotone even has some code conditional on IPv6 being used.
> Among ISPs, both coverage and brokenness vary for IPv6…

I believe I got it to work? I found one more trick in the configuration
menu. There's a firewall, which knows about proper redirection for a
large number of protocols, but not netsync.

It turns out to have a garbage destination -- where to send all packets
that it doesn't know what to do with. This is presumably intended to be
a machine that can collect statistics and check for possible attacks.

So I just designate my server as my garbage machine.

It will ignore any port that's not open, and I control that by what
services I choose to provide.

And if netsync uses the familiar trick of initiating a connexion on port
4691 and then replying to say what port the rest of the communication
should take place on,
* it would formerly get lost because redirection treats it as an attack,
* But now it's sent to the garbage machine, which does know what to do
with it.

And I went to a coffee shop to check it's working.

-- hendrik
Re: netsync with port forwarding
>> > Netsync relies on some underlying conventions on the use of TCP for a
>> > two-way connexion. Is there some other protocol that shares these
>> > conventions? If so I could tell the modem that this other protocol is
>> > now being used on port 4691.
>>
>> I would frankly start with tcpdump on both sides while trying to connect
>> from outside. Routers can break so many things it is not even funny…
>
> I know. A port forwarding NAT is an intense kludge.

Static port forwarding doesn't need to be, however routers sometimes
have a ton of interesting modes that make things complicated, usually
not well named.

Also, it could be that the router port forwards only connections from
outside, while the ISP by default blocks incoming traffic on unknown
ports. In the latter case there are two options: actually believing it
is good for safety, and letting through the ports explicitly requested
(if a person can explain what port is needed, this person can probably
be made to clean up their PC if malware gets too annoying for the
network); or trying to make residential connections less attractive
compared to business connections (doesn't work well in the world of
cheap VPS, but…)

> There was once a publicly accessible site of monotone repositories
> called something like mtn-prjk.net -- a kind of github for monotone.
> That would have accomplished my desire. Alas! it exists no more.

mtn-host.prjek.net, yes…

> Does netsync support IPv6?
>
> If so there will still be the question of whether the public and the
> coffee shops do.)

In principle Monotone even has some code conditional on IPv6 being used.
Among ISPs, both coverage and brokenness vary for IPv6…
Re: netsync with port forwarding
On Sun, Jun 06, 2021 at 05:03:21PM +0200, Michael Raskin wrote:
> > On Sun, Jun 06, 2021 at 10:51:21AM +0200, Michael Raskin wrote:
> >> > Or is there some other way of achieving the same result -- letting
> >> > netsync work when I'm not at home?
> >>
> >> As an «adapt to the modem» approach, I would consider forwarding SSH and
> >> either port forwarding netsync in SSH connection or directly using SSH
> >> repository address (which means netsync through standard input/output
> >> through SSH).
> >
> > Two approaches here.
> >
> > (1) persuade modem to do the right thing with port 4691.
> > I've already done that, but it didn't help. Presumably because port
> > forwarding is more complicated than just rewriting packets. It is also
> > necessary to do some kind of connexion tracking so that replies to
> > incoming connexions are properly treated.
> >
> > It's entirely possible that the incoming netsync connection is properly
> > routed to usher, but that usher's reply is not getting out through the
> > modem.
> >
> > Netsync relies on some underlying conventions on the use of TCP for a
> > two-way connexion. Is there some other protocol that shares these
> > conventions? If so I could tell the modem that this other protocol is
> > now being used on port 4691.
>
> I would frankly start with tcpdump on both sides while trying to connect
> from outside. Routers can break so many things it is not even funny…

I know. A port forwarding NAT is an intense kludge.

There was once a publicly accessible site of monotone repositories
called something like mtn-prjk.net -- a kind of github for monotone.
That would have accomplished my desire. Alas! it exists no more.

Does netsync support IPv6?

If so there will still be the question of whether the public and the
coffee shops do.)

-- hendrik

> > (2) use ssh.
> >
> > I guess that would involve the ssh: URI's instead of mtn: URI's
> >
> > But this is a solution that works for me only.
> >
> > I'd like some of these repositories to be readable
> > by the public. Monotone itself has enough safeguards on a netsync
> > connexion for this. But even if I use a separate account for monotone
> > repositories, someone that can use ssh to access monotone can also
> > use ssh directly and attack the repositories (by tricks like rm).
> >
> > Or is some kind of limiter possible with ssh usage?
>
> On the one hand it is, on the other one needs to be quite careful
> setting it up to not leave a hole.

Maybe an account whose shell is usher? Or something that knows how to usher?

-- hendrik
Re: netsync with port forwarding
> On Sun, Jun 06, 2021 at 10:51:21AM +0200, Michael Raskin wrote:
>> > Or is there some other way of achieving the same result -- letting
>> > netsync work when I'm not at home?
>>
>> As an «adapt to the modem» approach, I would consider forwarding SSH and
>> either port forwarding netsync in SSH connection or directly using SSH
>> repository address (which means netsync through standard input/output
>> through SSH).
>
> Two approaches here.
>
> (1) persuade modem to do the right thing with port 4691.
> I've already done that, but it didn't help. Presumably because port
> forwarding is more complicated than just rewriting packets. It is also
> necessary to do some kind of connexion tracking so that replies to
> incoming connexions are properly treated.
>
> It's entirely possible that the incoming netsync connection is properly
> routed to usher, but that usher's reply is not getting out through the
> modem.
>
> Netsync relies on some underlying conventions on the use of TCP for a
> two-way connexion. Is there some other protocol that shares these
> conventions? If so I could tell the modem that this other protocol is
> now being used on port 4691.

I would frankly start with tcpdump on both sides while trying to connect
from outside. Routers can break so many things it is not even funny…

> (2) use ssh.
>
> I guess that would involve the ssh: URI's instead of mtn: URI's
>
> But this is a solution that works for me only.
>
> I'd like some of these repositories to be readable
> by the public. Monotone itself has enough safeguards on a netsync
> connexion for this. But even if I use a separate account for monotone
> repositories, someone that can use ssh to access monotone can also
> use ssh directly and attack the repositories (by tricks like rm).
>
> Or is some kind of limiter possible with ssh usage?

On the one hand it is, on the other one needs to be quite careful
setting it up to not leave a hole.
Re: netsync with port forwarding
On Sun, Jun 06, 2021 at 10:51:21AM +0200, Michael Raskin wrote:
> > Or is there some other way of achieving the same result -- letting
> > netsync work when I'm not at home?
>
> As an «adapt to the modem» approach, I would consider forwarding SSH and
> either port forwarding netsync in SSH connection or directly using SSH
> repository address (which means netsync through standard input/output
> through SSH).

Two approaches here.

(1) persuade modem to do the right thing with port 4691.
I've already done that, but it didn't help. Presumably because port
forwarding is more complicated than just rewriting packets. It is also
necessary to do some kind of connexion tracking so that replies to
incoming connexions are properly treated.

It's entirely possible that the incoming netsync connection is properly
routed to usher, but that usher's reply is not getting out through the
modem.

Netsync relies on some underlying conventions on the use of TCP for a
two-way connexion. Is there some other protocol that shares these
conventions? If so I could tell the modem that this other protocol is
now being used on port 4691.

(2) use ssh.

I guess that would involve the ssh: URI's instead of mtn: URI's

But this is a solution that works for me only.

I'd like some of these repositories to be readable
by the public. Monotone itself has enough safeguards on a netsync
connexion for this. But even if I use a separate account for monotone
repositories, someone that can use ssh to access monotone can also
use ssh directly and attack the repositories (by tricks like rm).

Or is some kind of limiter possible with ssh usage?

-- hendrik
netsync with port forwarding
> Or is there some other way of achieving the same result -- letting
> netsync work when I'm not at home?

As an «adapt to the modem» approach, I would consider forwarding SSH and
either port forwarding netsync in SSH connection or directly using SSH
repository address (which means netsync through standard input/output
through SSH).
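The "netsync through standard input/output through SSH" approach proposed in this message, and the limiter Hendrik asks about further up the thread (an account that can run monotone's netsync over ssh but nothing else, so that the public cannot use the same access to reach the repositories with "tricks like rm"), can be combined with an OpenSSH forced command. The wrapper below is an added example for this thread; it is not code from the thread, from Monotone or from usher. It assumes OpenSSH 7.2 or later (for the `restrict` key option), that the client side of `mtn sync ssh://...` asks the server to run a command of the form `mtn --db=<path> serve --stdio <patterns>`, that the served databases live under /srv/mtn/ and that the wrapper is installed as /usr/local/bin/mtn-only; the command shape, directory and path are assumptions of the example.

```shell
#!/bin/sh
# mtn-only: OpenSSH forced-command wrapper that lets a client key run nothing
# but Monotone netsync over standard input/output (the ssh: transport).
#
# Install one line per client key in the monotone account's
# ~/.ssh/authorized_keys (assumed layout for this example):
#   restrict,command="/usr/local/bin/mtn-only" ssh-ed25519 AAAA... laptop
# 'restrict' (OpenSSH >= 7.2) also disables port forwarding, agent
# forwarding, X11 and PTY allocation for that key, so the key cannot be
# used to reach anything else on the server, and sshd runs this wrapper
# instead of whatever command the client asked for.
#
# Assumption: the client side of 'mtn sync ssh://...' asks the server to run
#   mtn --db=<path> serve --stdio [<branch patterns>...]
# and the served databases live under MTN_DB_DIR.

MTN_DB_DIR="/srv/mtn/"

# Return 0 if $1 is an acceptable netsync-over-stdio invocation, 1 otherwise.
mtn_command_allowed() {
    cmd="$1"
    # Nothing to run, or shell metacharacters that could smuggle in a second
    # command, a redirection or a substitution: refuse.
    case "$cmd" in
        "") return 1 ;;
        *\;*|*\&*|*\|*|*\`*|*\$*|*\(*|*\)*|*\<*|*\>*|*\"*|*\'*|*\\*) return 1 ;;
    esac
    # Only the mtn binary, and only in stdio-serving mode.
    case "$cmd" in
        "mtn "*"serve --stdio"*) ;;
        *) return 1 ;;
    esac
    # The database must be named explicitly and sit inside MTN_DB_DIR ...
    case "$cmd" in
        *"--db=$MTN_DB_DIR"*|*"--db $MTN_DB_DIR"*) ;;
        *) return 1 ;;
    esac
    # ... and the path may not climb back out of it.
    case "$cmd" in
        *..*) return 1 ;;
    esac
    return 0
}

# When sshd invokes the wrapper, $SSH_ORIGINAL_COMMAND holds what the client
# asked for (unset if it asked for an interactive shell, which is refused too).
if [ "${0##*/}" = "mtn-only" ]; then
    if mtn_command_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f   # no glob expansion of branch patterns such as 'com.pooq.*'
        # shellcheck disable=SC2086  # word splitting is intended; metacharacters were rejected above
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "mtn-only: refused: ${SSH_ORIGINAL_COMMAND:-<shell>}" >&2
    exit 1
fi
```

With this in place the server's sshd, not usher, hands the connection to `mtn serve --stdio`, so no port on the modem other than ssh needs forwarding, and a refused command line lands in the sshd log on stderr where it can be spotted. The other variant Michael mentions, tunnelling port 4691 through ssh with `-L`, needs a key that is allowed to forward ports; keep such keys on a separate account from the `restrict`ed ones so that the public-read keys never gain that capability.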
netsync with port forwarding
I've been using monotone for years, and circumstances have forced me to
move my server behind a Network Address Translation VDSL modem, setting
up port forwarding to make it accessible to the world. I use usher.

It's not working.

I have a VDSL modem that is supposed to do network address translation
and port forwarding. The VDSL modem is configured to map port 4691 of
public IP number 69.165.134.134 to port 4691 of local IP number
192.168.1.19

Mind you, the configuration menu on that modem has a huge list of
programs it might be called on to do NAT translation for (including
things like HTML, SMTP, and a lot of games), but monotone's netsync is
not on the list, so I had to specify the IP number explicitly.

The port forwarding for http, smtp, and ssh work properly.

(1) laptop at home, connected within LAN, so no port forwarding is needed.

mtn sync mtn://192.168.1.19:4691/rackettown

Works flawlessly. Also works without the ':4691' (of course)

(2) laptop at home, connection to the public IP address of my LAN

mtn sync mtn://69.165.131.134:4691/rackettown

fails:

mtn: warning: no branch pattern found in URI, will try to use suitable database defaults if available
mtn: connecting to 'mtn://69.165.131.134:4691/rackettown'
mtn: include pattern 'com.pooq.hendrik.free.fun.rackettown*'
mtn: exclude pattern ''
mtn: network error: failed to connect: Connection refused

It doesn't help to use 'topoi.pooq.com' instead of 69.165.131.134 (not
that I expected it to).

(3) laptop elsewhere (using a coffee shop's wifi, to be specific)

Completely unable to make a connection.

hendrik@midwinter:~/dv/fun/rackettown$ mtn sync
enter passphrase for key ID [hend...@midwinter.topoi.pooq.com] (a2c97968...):
mtn: connecting to 'mtn://topoi.pooq.com/rackettown'
mtn: include pattern 'com.pooq.hendrik.free.fun.rackettown*'
mtn: exclude pattern ''
mtn: network error: failed to connect: Connection timed out
hendrik@midwinter:~/dv/fun/rackettown$

Now ... is there something I should know about using port forwarding
with the netsync protocol? Is there something the modem/router needs to
know about it?

Or is there some other way of achieving the same result -- letting
netsync work when I'm not at home?

-- hendrik