# emerge --rsync port used?

## lostinlinux

What port is used for this? I want to enable port forwarding on my router so I can use this... right now I have to use emerge-webrsync. Right now I am getting this error when I try to emerge --sync:

```
>>> Starting rsync with rsync://64.127.121.98/gentoo-portage...
>>> Checking server timestamp ...
timed out
rsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(276) [receiver=2.6.9]
>>> Retrying...
```

----------

## alex.blackbit

```
$ grep ^rsync /etc/services
```

----------

## lostinlinux

Hmmm... I have both of those forwarding to my current IP and still no dice. Is there a chance that error means something else?

----------

## alex.blackbit

I don't think that it is even necessary for you to forward this port. You make a connection from your workstation to the outside world, not the other way around.

Maybe you don't allow outgoing connections with that destination port?

----------

## lostinlinux

It was actually a combo of both: my router was dropping incoming and outgoing requests. Thanks for the tip!

----------

## jcat

*lostinlinux wrote:*

> it was actually a combo of both, my router was dropping incoming and outgoing requests, thanks for the tip!

It certainly should not be a combination of both, if your router is configured in NAT mode (as most are these days).

If it's a NATed config, you need to remove your incoming port forwards for rsync and just allow rsync outgoing. Most firewalls' default config is to allow packets with state ESTABLISHED and RELATED back in to the network.

So you initiate the rsync connection from within your private network, and the reply packets from the rsync server are allowed back in because they belong to an ESTABLISHED or RELATED connection.

Allowing unnecessary ports to be forwarded to internal hosts is a security risk; if you don't need them (as I believe could well be the case here) then disable them.

Did you have to set up incoming port forwarding for http access? I'm guessing not... (although I may be wrong!)

Cheers,

jcat

----------

## lostinlinux

I did not. I will try just setting the other up when I sit down in front of the box again, and let you know how it turns out.

----------

## lostinlinux

So actually my router is not set up as you say... I don't have a section that says anything about NATing. Here is my current config (which does specify something for http):

```
title       [ Custom to Allow RSYNC High IN rules ]
begin
RulesDropFrom192
drop from addr %LANADDR%:%LANMASK% >> done, alert 0 [WAN Traffic from LAN IP]
RulesDropTTL
drop match 3 8 { 01:FE } >> done, alert 4 [TTL of 0 or 1]
RulesDropAddress
drop from addr 0.0.0.0 >> done, alert 4 [ 0.0.0.0 Source IP Address]
RulesDrop
drop all
RulesPass
pass from port 51413
pass to port 51413
pass from port 5190
pass from port 5190
pass from port 873
pass to port 873
pass from port 80
pass to port 80
pass from port 20
pass to port 20
pass from port 21
pass from port 110
pass from port 119
pass from port 143
pass from port 220
pass from port 25
pass from port 443
pass from port 500
pass protocol 50
RulesDropWANUDP
drop protocol udp, to addr %WANADDR%:32 >> done, alert 4 [UDP WAN Traffic to WAN IP]
RulesDropWANTCP
drop protocol tcp, to addr %WANADDR%:32 >> done, alert 4 [TCP WAN Traffic to WAN IP]
RulesDropWANIP
drop to addr %WANADDR%:32 >> done, alert 4 [IP WAN Traffic to WAN IP]
end
```

```
title       [ Custom to Allow RSYNC High OUT rules ]
begin
# Protocol Match conditions
RulesPass
pass to port 51413 >> done
pass from port 51413 >> done
pass to port 5190 >> done
pass from port 5190 >> done
pass to port 80 >> done
pass from port 80 >> done
pass to port 873 >> done
pass from port 873 >> done
pass protocol udp, to port 53 >> state, done
pass to port 20 >> done
pass from port 20 >> done
pass to port 21 >> done
pass to port 110 >> done
pass to port 119 >> done
pass to port 143 >> done
pass to port 220 >> done
pass to port 25 >> done
pass to port 443 >> done
pass to port 500 >> done
pass protocol 50 >> done
pass protocol tcp, from addr %LANADDR% >> state, done
# Failed to match
RulesDrop
drop all >> done, alert 4 [Unsupported High Application]
end
```

I am not too familiar with the syntax above, but if anyone can shed some light on how to do this NATing I'd be up for trying it. FYI this is a Westell D90-327W15-06.

EDIT:

A little googling showed me what you were referring to. I now use the following rules, which work well.

```
title       [ Security Level Custom (Medium) IN rules ]
begin
RulesDropTTL
drop match 3 8 { 00:FF } >> done, alert 4 [TTL of 0]
drop match 3 8 { 01:FF } >> done, alert 4 [TTL of 1]
RulesDropAddress
drop from addr 0.0.0.0 >> done, alert 4 [0.0.0.0 Source IP Address]
# Pass and Log Specific Unsolicited ICMP
RulesPassICMP
#pass icmp-type reply >> done, alert 0 [ICMP Message To WAN IP - Echo Reply - Passed] # Type: 0 (allow ping reply)
pass icmp-type exceeded >> done, alert 1 [ICMP Message To WAN IP - TTL Exceeded - Passed] # Type: 11 (allow tracert reply)
#pass icmp-type unreachable >> done, alert 2 [ICMP Message To WAN IP - Dst Unreachable - Passed] # Type: 3 (allow unreachable reply)
# Drop and Log all Unsolicited ICMP
RulesDropICMP
#drop protocol icmp >> alert 4 [ICMP Message To WAN IP]
drop icmp-type reply >> done, alert 3 [ICMP Message To WAN IP - Echo Reply - Dropped] # Type: 0 (block ping reply)
drop icmp-type exceeded >> done, alert 3 [ICMP Message To WAN IP - TTL Exceeded - Dropped] # Type: 11 (block tracert reply)
drop icmp-type unreachable >> done, alert 2 [ICMP Message To WAN IP - Dst Unreachable - Dropped] # Type: 3 (block unreachable reply)
drop icmp-type request >> done, alert 2 [ICMP Message To WAN IP - Echo Request - Dropped] # Type: 8 (block ping requests)
drop protocol icmp >> done, alert 3 [ICMP Message To WAN IP - Dropped] # Type: (block all others)
# Drop All Unsolicited Inbound
RulesDrop
drop all >> alert 3 [Drop All Unsolicited Inbound]
end
```

```
title       [ Custom to Allow RSYNC High OUT rules ]
begin
# Protocol Match conditions
RulesPass
pass to port 51413 >> state, done
pass from port 51413 >> state, done
pass to port 5190 >> state, done
pass from port 5190 >> state, done
pass to port 80 >> state, done
pass from port 80 >> state, done
pass to port 873 >> state, done
pass from port 873 >> state, done
pass protocol udp, to port 53 >> state, done
#pass to port 20 >> state, done
#pass from port 20 >> state, done
pass to port 123 >> state, done
pass from port 123 >> state, done
#pass to port 21 >> state, done
pass to port 110 >> state, done
pass to port 119 >> state, done
pass to port 143 >> state, done
pass to port 220 >> state, done
pass to port 25 >> state, done
pass to port 443 >> state, done
pass to port 500 >> state, done
pass protocol 50 >> state, done
pass protocol tcp, from addr %LANADDR% >> state, done
pass protocol tcp, to port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, from port 20 >> state, done # Active Mode FTP Data Channel Port
pass protocol tcp, to port 21 >> state, done # Active & Passive Mode FTP Control Channel Port
pass to port >= 1024, to port <= 5000 >> state, done # WE/IE Passive FTP Ports
#Uncheck "Use Passive FTP" in IE Advanced Options and enable the FTP firewall service or enable above statement
# Failed to match
RulesDrop
drop all >> done, alert 4 [Unsupported High Application]
end
```

Now, if I understand this correctly, it passes only connections I have initiated. Anyone with a Westell 327w or similar, or who knows this syntax, I'd love to have comments (this post was helpful: http://www.dslreports.com/forum/remark,16694222). The only sticking point is that PASV FTP doesn't seem to work. Anyone have any clue about that one?
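To make the difference between the two rule sets concrete (jcat's point about ESTABLISHED replies versus open port forwards, and the "passes only connections I have initiated" reading of the corrected rules), here is a small simulator, added for this thread and not part of any poster's configuration or of the Westell firmware. It parses a subset of the rule syntax shown above (`pass`/`drop`, `all`, `protocol X`, `to port N`, `from port N`, and the `state`/`done` flags after `>>`) and runs three constructed packets through it: the outgoing rsync request on port 873, the mirror's reply, and an unsolicited connection from a stranger to port 873 on the LAN host. The rule semantics (top-to-bottom evaluation, `done` stops the walk, `state` records the connection so its replies are admitted) are an assumption made for the model, not taken from Westell documentation; the addresses and port numbers are constructed sample values.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def parse_rule(line):
    """Turn one 'pass to port 873 >> state, done' style line into
    (action, conditions, flags). Only the subset of the syntax used in the
    thread is handled; its semantics are assumed, not taken from Westell docs."""
    line = line.split("#", 1)[0].strip()          # drop trailing # comments
    if not line:
        return None
    action, _, rest = line.partition(" ")
    cond_text, _, flag_text = rest.partition(">>")
    conds = [c.strip() for c in cond_text.split(",") if c.strip()]
    flags = {f.strip() for f in flag_text.split(",") if f.strip()}
    return action, conds, flags


def matches(conds, pkt):
    """True when every condition of a rule holds for pkt."""
    for cond in conds:
        if cond == "all":
            continue
        m = re.fullmatch(r"(to|from) port (\d+)", cond)
        if m:
            port = pkt.dport if m.group(1) == "to" else pkt.sport
            if port != int(m.group(2)):
                return False
            continue
        m = re.fullmatch(r"protocol (\w+)", cond)
        if m:
            if pkt.proto != m.group(1):
                return False
            continue
        return False          # addr / TTL matches are not modelled: never match
    return True


class Router:
    """Assumed semantics: rules run top to bottom, a matching rule sets the
    current verdict, 'done' stops evaluation, and 'state' records a
    LAN-initiated connection so that its replies are let back in."""

    def __init__(self, out_rules, in_rules):
        self.out_rules = [r for r in map(parse_rule, out_rules) if r]
        self.in_rules = [r for r in map(parse_rule, in_rules) if r]
        self.conntrack = set()   # 5-tuples of connections the LAN opened

    @staticmethod
    def _walk(rules, pkt):
        verdict, track = "drop", False
        for action, conds, flags in rules:
            if matches(conds, pkt):
                verdict, track = action, "state" in flags
                if "done" in flags:
                    break
        return verdict, track

    def outbound(self, pkt):
        verdict, track = self._walk(self.out_rules, pkt)
        if verdict == "pass" and track:
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict

    def inbound(self, pkt):
        # Reply to a tracked LAN-initiated connection: ESTABLISHED, let it in.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "pass"
        return self._walk(self.in_rules, pkt)[0]


# Constructed sample traffic (addresses chosen for this example only).
LAN, MIRROR, STRANGER = "192.168.1.10", "64.127.121.98", "203.0.113.5"
SYNC_REQUEST = Packet("tcp", LAN, 40000, MIRROR, 873)      # emerge --sync goes out
SYNC_REPLY = Packet("tcp", MIRROR, 873, LAN, 40000)        # the mirror answers
UNSOLICITED = Packet("tcp", STRANGER, 55555, LAN, 873)     # nobody on the LAN asked

# Rule sets modelled on the two configs in the post, trimmed to the rsync lines.
FORWARDED_OUT = ["pass to port 873 >> done",
                 "drop all >> done, alert 4 [Unsupported High Application]"]
FORWARDED_IN = ["drop all", "pass from port 873", "pass to port 873"]
STATEFUL_OUT = ["pass to port 873 >> state, done",
                "drop all >> done, alert 4 [Unsupported High Application]"]
STATEFUL_IN = ["drop all >> alert 3 [Drop All Unsolicited Inbound]"]


def evaluate(out_rules, in_rules):
    """Verdicts for the three sample packets under one pair of rule sets."""
    router = Router(out_rules, in_rules)
    return {
        "sync_out": router.outbound(SYNC_REQUEST),
        "sync_reply": router.inbound(SYNC_REPLY),
        "unsolicited_to_873": router.inbound(UNSOLICITED),
    }


if __name__ == "__main__":
    for name, out_r, in_r in [("port-forwarded", FORWARDED_OUT, FORWARDED_IN),
                              ("stateful", STATEFUL_OUT, STATEFUL_IN)]:
        print(name, evaluate(out_r, in_r))
```

Under the first (port-forwarded) rule set the sync works, but so does the stranger's connection to port 873, because the `pass to port 873` hole admits anyone. Under the stateful rule set the sync still works, since the reply matches the tracked connection, while the unsolicited packet falls through to `drop all`, which is exactly the outcome jcat describes.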

----------

## jcat

I'm not familiar with your particular device, just the general networking principles involved. As long as you don't allow anyone to initiate sessions from the outside (unless it's really needed, like you're running a publicly available server) then you're fairly safe.

You can always try and port scan the public IP of your router to see if anything is open or not (this usually has to be done from an external host somewhere).

FYI, FTP can be a real pain in the arse on some devices!

Cheers,

jcat

----------

