Hylafax Mailing List Archives


Re: [hylafax-users] configuring router to support hylafax data connection. [give up]



This still looks like you are only doing tcpdump on port 4559. What about port 4558?

I think it is normal for the source port on the client to just use some (new, unused) high port number as the source port for each instance of sendfax, and connect to the destination port (listed as .hylafax below, probably because that port is listed in /etc/services). This is for the control connection, port 4559. If my understanding is correct, there should also be data connections (port 4558) happening too (or at least attempts) which may be being blocked by your firewall(s) somewhere along the way.

As for "why this has to be so complicated", it is not as simple to get FTP working through a firewall as it is for most other single-port services, so this complication is not specific to HylaFAX.

If you think you can stand the vulnerability for a few seconds, try disabling all firewalls between your client and server and retrying (or at least setting them all wide open for port 4558 and 4559). If that works, then turn them back on one at a time, retrying after each one, and you will see which one it is.

I think there can also be issues with whether the HylaFAX (or FTP) server can do a reverse DNS lookup on the client's IP address, though I don't recall exactly. You'll have to dig around a bit (google), and troubleshoot as to where in the chain is the broken link.

Cheers.

Martin


Eric Smith wrote on 12/04/04 01:41 PM:


(Thank Marthter)

It seems from tcpdump that it's like chasing your shadow.
The port numbers appear totally arbitrary and increase with each
instance of sendfax.

extract:
19:28:42.720944 172.28.1.36.hylafax > a.62646: P 167:189(22) ack 67 win 5792 <nop,nop,timestamp 53547228 1958282> (DF) [tos 0x10]
19:28:42.745027 a.62646 > 172.28.1.36.hylafax: P 67:73(6) ack 189 win 5840 <nop,nop,timestamp 1958284 53547228> (DF) [tos 0x10]
19:28:42.775277 172.28.1.36.hylafax > a.62646: . ack 73 win 5792 <nop,nop,timestamp 53547234 1958284> (DF) [tos 0x10]
19:29:06.452720 172.28.1.36.hylafax > a.62585: P 1:58(57) ack 1 win 5792 <nop,nop,timestamp 53549602 1957688> (DF) [tos 0x10]
19:29:06.452932 172.28.1.36.hylafax > a.62585: F 58:58(0) ack 1 win 5792 <nop,nop,timestamp 53549602 1957688> (DF) [tos 0x10]
19:29:06.478270 a.62585 > 172.28.1.36.hylafax: R 964280316:964280316(0) win 0 (DF) [tos 0x10]
19:30:22.463720 a.62646 > 172.28.1.36.hylafax: F 73:73(0) ack 189 win 5840 <nop,nop,timestamp 1968256 53547234> (DF) [tos 0x10]
19:30:22.494225 172.28.1.36.hylafax > a.62646: . ack 74 win 5792 <nop,nop,timestamp 53557207 1968256> (DF) [tos 0x10]
19:30:23.306833 a.62663 > 172.28.1.36.hylafax: S 1243073762:1243073762(0) win 5840 <mss 1380,sackOK,timestamp 1968340 0,nop,wscale 0> (DF)
19:30:23.306852 172.28.1.36.hylafax > a.62663: S 3944313999:3944313999(0) ack 1243073763 win 5792 <mss 1460,sackOK,timestamp 53557288 1968340,nop,wscale 0> (DF)
19:30:23.331568 a.62663 > 172.28.1.36.hylafax: . ack 1 win 5840 <nop,nop,timestamp 1968342 53557288> (DF)
19:30:23.333359 172.28.1.36.hylafax > a.62663: P 1:56(55) ack 1 win 5792 <nop,nop,timestamp 53557290 1968342> (DF) [tos 0x10]
19:30:23.358427 a.62663 > 172.28.1.36.hylafax: . ack 56 win 5840 <nop,nop,timestamp 1968345 53557290> (DF) [tos 0x10]
19:30:23.361550 a.62663 > 172.28.1.36.hylafax: P 1:12(11) ack 56 win 5840 <nop,nop,timestamp 1968345 53557290> (DF) [tos 0x10]
19:30:23.361557 172.28.1.36.hylafax > a.62663: . ack 12 win 5792 <nop,nop,timestamp 53557293 1968345> (DF) [tos 0x10]

Dunno why things have to be so complicated.

Time to retire gracefully (for now) ...

Eric

marthter said:


Hi Eric,

The HylaFAX protocol is mostly just the same as FTP. That (FTP) normally uses port 21 for control and port 20 for data. HylaFAX seems to do the same with 4559 and 4558. There is also the active versus passive FTP question, which, as I understand it, affects whether the client or the server starts up the second port communication, but does not change the fact that the second port is needed.

I don't recall the details, and I have since changed my setup so I can't check it, but I think the HylaFAX server connects back to the client with a _source_ port of 4558 (to a ?high? port on the client) when the data connection is needed.

I definitely remember having similar problems and changing the _client_ firewall to allow packets with a _source_ port of 4558 fixed it. (Actually disabling the entire client firewall fixed it too, but this port 4558 change was the minimal change that I could find that still fixed it :-)

(Note this is different from most firewall settings where you generally want to open up a _destination_ port, like destination port 80 needs to be open to serve http requests).

Your setup probably isn't the same as mine, so the exact same solution may not work, but, at any rate, you probably want to include port 4558 in your tcpdump as you try to get to the bottom of this.

Good luck.

Martin


Eric Smith wrote on 11/04/04 01:11 PM:




Hi, I am trying to redirect all requests on port 4559 to the router on 62.166.236.150 to local machine 192.168.1.2.

The latter is to support dialogue for hylafax.
hylafax 4559/tcp # HylaFAX client-server protocol (new)


I have ssh working with the entry for port 22 and web access with port 80, but my entry for port 4559 still results in a
"Cannot build data connection" error with hylafax (running sendfax on the local machine).


NetDSL>show port

Port Mapping

TCP 62.166.236.150 4559     192.168.1.2 4559 0
TCP 62.166.236.150 22     192.168.1.2 22 0
TCP 62.166.236.150 80     192.168.1.2 80 0

Any help appreciated (of course).

Thanks!


Eric Smith


FWIW: tcpdump activity on port 4559 follows:

15:36:12.435459 62.166.236.150.62547 > 172.28.1.36.hylafax: S 3141087652:3141087652(0) win 5840 <mss 1380,sackOK,timestamp 205344 0,nop,wscale 0> (DF)
15:36:12.435477 172.28.1.36.hylafax > 62.166.236.150.62547: S 951102318:951102318(0) ack 3141087653 win 5792 <mss 1460,sackOK,timestamp 43511088 205344,nop,wscale 0> (DF)
15:36:12.460068 62.166.236.150.62547 > 172.28.1.36.hylafax: . ack 1 win 5840 <nop,nop,timestamp 205346 43511088> (DF)
15:36:12.462445 172.28.1.36.hylafax > 62.166.236.150.62547: P 1:56(55) ack 1 win 5792 <nop,nop,timestamp 43511091 205346> (DF) [tos 0x10]
15:36:12.493548 62.166.236.150.62547 > 172.28.1.36.hylafax: . ack 56 win 5840 <nop,nop,timestamp 205349 43511091> (DF) [tos 0x10]
15:36:12.496672 62.166.236.150.62547 > 172.28.1.36.hylafax: P 1:12(11) ack 56 win 5840 <nop,nop,timestamp 205350 43511091> (DF) [tos 0x10]
15:36:12.496679 172.28.1.36.hylafax > 62.166.236.150.62547: . ack 12 win 5792 <nop,nop,timestamp 43511094 205350> (DF) [tos 0x10]
15:36:12.497090 172.28.1.36.hylafax > 62.166.236.150.62547: P 56:82(26) ack 12 win 5792 <nop,nop,timestamp 43511094 205350> (DF) [tos 0x10]
15:36:12.561257 62.166.236.150.62547 > 172.28.1.36.hylafax: P 12:25(13) ack 82 win 5840 <nop,nop,timestamp 205356 43511094> (DF) [tos 0x10]
15:36:12.561426 172.28.1.36.hylafax > 62.166.236.150.62547: P 82:113(31) ack 25 win 5792 <nop,nop,timestamp 43511101 205356> (DF) [tos 0x10]
15:36:12.617349 62.166.236.150.62547 > 172.28.1.36.hylafax: P 25:33(8) ack 113 win 5840 <nop,nop,timestamp 205362 43511101> (DF) [tos 0x10]
15:36:12.617500 172.28.1.36.hylafax > 62.166.236.150.62547: P 113:137(24) ack 33 win 5792 <nop,nop,timestamp 43511106 205362> (DF) [tos 0x10]
15:36:12.672440 62.166.236.150.62547 > 172.28.1.36.hylafax: P 33:58(25) ack 137 win 5840 <nop,nop,timestamp 205367 43511106> (DF) [tos 0x10]
15:36:12.672599 172.28.1.36.hylafax > 62.166.236.150.62547: P 137:167(30) ack 58 win 5792 <nop,nop,timestamp 43511112 205367> (DF) [tos 0x10]
15:36:12.723283 62.166.236.150.62547 > 172.28.1.36.hylafax: P 58:66(8) ack 167 win 5840 <nop,nop,timestamp 205373 43511112> (DF) [tos 0x10]
15:36:12.723432 172.28.1.36.hylafax > 62.166.236.150.62547: P 167:189(22) ack 66 win 5792 <nop,nop,timestamp 43511117 205373> (DF) [tos 0x10]
15:36:12.776377 62.166.236.150.62547 > 172.28.1.36.hylafax: P 66:72(6) ack 189 win 5840 <nop,nop,timestamp 205378 43511117> (DF) [tos 0x10]
15:36:12.809997 172.28.1.36.hylafax > 62.166.236.150.62547: . ack 72 win 5792 <nop,nop,timestamp 43511126 205378> (DF) [tos 0x10]


____________________ HylaFAX(tm) Users Mailing List _______________________
To subscribe/unsubscribe, click http://lists.hylafax.org/cgi-bin/lsg2.cgi
On UNIX: mail -s unsubscribe hylafax-users-request@xxxxxxxxxxx < /dev/null
*To learn about commercial HylaFAX(tm) support, mail sales@xxxxxxxxx*
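
As an added example (not part of the original thread), a small Python parser for the old-style tcpdump lines quoted above: it groups segments by client endpoint and reports whether any traffic on the data port 4558 was captured, which is the check Martin asks for. The function names are assumptions of this example; the sample lines are taken from the post with the TCP options trimmed, and the `hylafax` to 4559 mapping comes from the /etc/services line quoted in the thread.

```python
import re
from collections import defaultdict

CONTROL_PORT, DATA_PORT = 4559, 4558
SERVICES = {"hylafax": CONTROL_PORT}  # name tcpdump prints, per /etc/services
LINE = re.compile(r"^(\S+) (\S+) > (\S+): (\S+) ")  # time, src, dst, flags

# Lines from the capture in the post, trimmed after the window field.
SAMPLE = [
    "19:28:42.720944 172.28.1.36.hylafax > a.62646: P 167:189(22) ack 67 win 5792",
    "19:29:06.452720 172.28.1.36.hylafax > a.62585: P 1:58(57) ack 1 win 5792",
    "19:29:06.478270 a.62585 > 172.28.1.36.hylafax: R 964280316:964280316(0) win 0",
    "19:30:23.306833 a.62663 > 172.28.1.36.hylafax: S 1243073762:1243073762(0) win 5840",
    "19:30:23.306852 172.28.1.36.hylafax > a.62663: S 3944313999:3944313999(0) ack 1243073763 win 5792",
]

def split_endpoint(ep):
    """Split 'host.port' (port may be a service name) into (host, port)."""
    host, _, port = ep.rpartition(".")
    if port in SERVICES:
        return host, SERVICES[port]
    return host, int(port) if port.isdigit() else port

def summarize(lines):
    """Map (client endpoint, server port) -> set of TCP flag characters seen."""
    flows = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        _, src, dst, flags = m.groups()
        (sh, sp), (dh, dp) = split_endpoint(src), split_endpoint(dst)
        if sp in (CONTROL_PORT, DATA_PORT):      # server -> client segment
            flows[(f"{dh}.{dp}", sp)] |= set(flags)
        elif dp in (CONTROL_PORT, DATA_PORT):    # client -> server segment
            flows[(f"{sh}.{sp}", dp)] |= set(flags)
    return dict(flows)

def diagnose(flows):
    """Report control sessions, resets, and whether port 4558 ever appeared."""
    return {
        "control_sessions": sorted(c for c, p in flows if p == CONTROL_PORT),
        "reset_sessions": sorted(c for (c, p), f in flows.items() if "R" in f),
        "data_port_seen": any(p == DATA_PORT for _, p in flows),
    }

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE)))
```

On the sample it lists three control sessions from three different client ports and no segment on 4558. It only recognises 4558 and 4559, the two ports named in the thread.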









HylaFAX is a trademark of Silicon Graphics Corporation.