Hylafax Mailing List Archives
Re: [hylafax-users] configuring router to support hylafax data connection
That's the first I've heard of that, so I couldn't say one way or the other.
It doesn't seem consistent with what I've observed (namely that opening
4558 and 4559 is sufficient). Though it could be true if you are
talking about what high ports the client uses to connect to the server's
4559, or what high ports the server uses to connect back to the client's
4558; I haven't paid attention to whether those high ports cycle through
some set. Even this is only IF I'm right about what I think I've seen on
those 4558 and 4559 ports. So take this with a grain of salt.
Sometimes this is the problem with community-based open source software
support: it is like the blind leading the blind. Though you save on
license fees, you might lose as much or more on head-scratching and
trial-and-error time.
Still trying to help, though, as I think I've seen a bit more than the
person who's asking.
Martin
Jeff Herring wrote on 12/04/04 03:37 PM:
Do I remember correctly that Hylafax rotates through 10 (?) ports?
-Jeff H.
At 02:27 PM 4/12/2004, marthter wrote:
This still looks like you are only doing tcpdump on port 4559. What
about port 4558?
I think it is normal for the source port on the client to just use
some (new, unused) high port number as the source port for each
instance of sendfax, and connect to the destination port (listed as
.hylafax below, probably because that port is listed in
/etc/services). This is for the control connection, port 4559. If
my understanding is correct, there should also be data connections
(port 4558) happening too (or at least attempts) which may be being
blocked by your firewall(s) somewhere along the way.
As for "why this has to be so complicated", it is not as simple to
get FTP working through a firewall as it is for most other
single-port services, so this complication is not specific to HylaFAX.
If you think you can stand the vulnerability for a few seconds, try
disabling all firewalls between your client and server and retrying
(or at least setting them all wide open for port 4558 and 4559). If
that works, then turn them back on one at a time, retrying after each
one, and you will see which one it is.
I think there can also be issues with whether the HylaFAX (or FTP)
server can do a reverse DNS lookup on the client's IP address, though
I don't recall exactly. You'll have to dig around a bit (google),
and troubleshoot as to where in the chain is the broken link.
Cheers.
Martin
Eric Smith wrote on 12/04/04 01:41 PM:
(Thanks, Marthter)
It seems from tcpdump that it's like chasing your shadow.
The port numbers appear totally arbitrary and increase with each
instance of sendfax.
extract:
19:28:42.720944 172.28.1.36.hylafax > a.62646: P 167:189(22) ack 67
win 5792 <nop,nop,timestamp 53547228 1958282> (DF) [tos 0x10]
19:28:42.745027 a.62646 > 172.28.1.36.hylafax: P 67:73(6) ack 189
win 5840 <nop,nop,timestamp 1958284 53547228> (DF) [tos 0x10]
19:28:42.775277 172.28.1.36.hylafax > a.62646: . ack 73 win 5792
<nop,nop,timestamp 53547234 1958284> (DF) [tos 0x10]
19:29:06.452720 172.28.1.36.hylafax > a.62585: P 1:58(57) ack 1 win
5792 <nop,nop,timestamp 53549602 1957688> (DF) [tos 0x10]
19:29:06.452932 172.28.1.36.hylafax > a.62585: F 58:58(0) ack 1 win
5792 <nop,nop,timestamp 53549602 1957688> (DF) [tos 0x10]
19:29:06.478270 a.62585 > 172.28.1.36.hylafax: R
964280316:964280316(0) win 0 (DF) [tos 0x10]
19:30:22.463720 a.62646 > 172.28.1.36.hylafax: F 73:73(0) ack 189
win 5840 <nop,nop,timestamp 1968256 53547234> (DF) [tos 0x10]
19:30:22.494225 172.28.1.36.hylafax > a.62646: . ack 74 win 5792
<nop,nop,timestamp 53557207 1968256> (DF) [tos 0x10]
19:30:23.306833 a.62663 > 172.28.1.36.hylafax: S
1243073762:1243073762(0) win 5840 <mss 1380,sackOK,timestamp 1968340
0,nop,wscale 0> (DF)
19:30:23.306852 172.28.1.36.hylafax > a.62663: S
3944313999:3944313999(0) ack 1243073763 win 5792 <mss
1460,sackOK,timestamp 53557288 1968340,nop,wscale 0> (DF)
19:30:23.331568 a.62663 > 172.28.1.36.hylafax: . ack 1 win 5840
<nop,nop,timestamp 1968342 53557288> (DF)
19:30:23.333359 172.28.1.36.hylafax > a.62663: P 1:56(55) ack 1 win
5792 <nop,nop,timestamp 53557290 1968342> (DF) [tos 0x10]
19:30:23.358427 a.62663 > 172.28.1.36.hylafax: . ack 56 win 5840
<nop,nop,timestamp 1968345 53557290> (DF) [tos 0x10]
19:30:23.361550 a.62663 > 172.28.1.36.hylafax: P 1:12(11) ack 56 win
5840 <nop,nop,timestamp 1968345 53557290> (DF) [tos 0x10]
19:30:23.361557 172.28.1.36.hylafax > a.62663: . ack 12 win 5792
<nop,nop,timestamp 53557293 1968345> (DF) [tos 0x10]
Dunno why things have to be so complicated.
Time to retire gracefully (for now) ...
Eric
marthter said:
Hi Eric,
The HylaFAX protocol is mostly just the same as FTP. That (FTP)
normally uses port 21 for control and port 20 for data. HylaFAX
seems to do the same with 4559 and 4558. There is also the active
versus passive FTP question, which, as I understand it, affects
whether the client or the server starts up the second port
communication, but does not change the fact that the second port is
needed.
I don't recall the details, and I have since changed my setup so I
can't check it, but I think the HylaFAX server connects back to the
client with a _source_ port of 4558 (to a ?high? port on the
client) when the data connection is needed.
I definitely remember having similar problems and changing the
_client_ firewall to allow packets with a _source_ port of 4558
fixed it.
(Actually disabling the entire client firewall fixed it too, but
this port 4558 change was the minimal change that I could find that
still fixed it :-)
(Note this is different from most firewall settings where you
generally want to open up a _destination_ port, like destination
port 80 needs to be open to serve http requests).
Your setup probably isn't the same as mine, so the exact same
solution may not work, but, at any rate, you probably want to
include port 4558 in your tcpdump as you try to get to the bottom
of this.
Good luck.
Martin
Eric Smith wrote on 11/04/04 01:11 PM:
Hi, I am trying to redirect all requests on port 4559 to the router
on 62.166.236.150 to local machine 192.168.1.2
The latter is to support dialogue for hylafax.
hylafax 4559/tcp # HylaFAX client-server protocol (new)
I have ssh working with the entry for port 22 and web access with
port 80, but my entry for port 4559 still results in a
"Cannot build data connection" error with hylafax (running sendfax
on the local machine).
NetDSL>show port
Port Mapping
TCP 62.166.236.150 4559 192.168.1.2 4559 0
TCP 62.166.236.150 22 192.168.1.2 22 0
TCP 62.166.236.150 80 192.168.1.2 80 0
Any help appreciated (of course).
Thanks!
Eric Smith
FWIW: tcpdump activity on port 4559 follows:
15:36:12.435459 62.166.236.150.62547 > 172.28.1.36.hylafax: S
3141087652:3141087652(0) win 5840 <mss 1380,sackOK,timestamp
205344 0,nop,wscale 0> (DF)
15:36:12.435477 172.28.1.36.hylafax > 62.166.236.150.62547: S
951102318:951102318(0) ack 3141087653 win 5792 <mss
1460,sackOK,timestamp 43511088 205344,nop,wscale 0> (DF)
15:36:12.460068 62.166.236.150.62547 > 172.28.1.36.hylafax: . ack
1 win 5840 <nop,nop,timestamp 205346 43511088> (DF)
15:36:12.462445 172.28.1.36.hylafax > 62.166.236.150.62547: P
1:56(55) ack 1 win 5792 <nop,nop,timestamp 43511091 205346> (DF)
[tos 0x10]
15:36:12.493548 62.166.236.150.62547 > 172.28.1.36.hylafax: . ack
56 win 5840 <nop,nop,timestamp 205349 43511091> (DF) [tos 0x10]
15:36:12.496672 62.166.236.150.62547 > 172.28.1.36.hylafax: P
1:12(11) ack 56 win 5840 <nop,nop,timestamp 205350 43511091> (DF)
[tos 0x10]
15:36:12.496679 172.28.1.36.hylafax > 62.166.236.150.62547: . ack
12 win 5792 <nop,nop,timestamp 43511094 205350> (DF) [tos 0x10]
15:36:12.497090 172.28.1.36.hylafax > 62.166.236.150.62547: P
56:82(26) ack 12 win 5792 <nop,nop,timestamp 43511094 205350> (DF)
[tos 0x10]
15:36:12.561257 62.166.236.150.62547 > 172.28.1.36.hylafax: P
12:25(13) ack 82 win 5840 <nop,nop,timestamp 205356 43511094> (DF)
[tos 0x10]
15:36:12.561426 172.28.1.36.hylafax > 62.166.236.150.62547: P
82:113(31) ack 25 win 5792 <nop,nop,timestamp 43511101 205356>
(DF) [tos 0x10]
15:36:12.617349 62.166.236.150.62547 > 172.28.1.36.hylafax: P
25:33(8) ack 113 win 5840 <nop,nop,timestamp 205362 43511101> (DF)
[tos 0x10]
15:36:12.617500 172.28.1.36.hylafax > 62.166.236.150.62547: P
113:137(24) ack 33 win 5792 <nop,nop,timestamp 43511106 205362>
(DF) [tos 0x10]
15:36:12.672440 62.166.236.150.62547 > 172.28.1.36.hylafax: P
33:58(25) ack 137 win 5840 <nop,nop,timestamp 205367 43511106>
(DF) [tos 0x10]
15:36:12.672599 172.28.1.36.hylafax > 62.166.236.150.62547: P
137:167(30) ack 58 win 5792 <nop,nop,timestamp 43511112 205367>
(DF) [tos 0x10]
15:36:12.723283 62.166.236.150.62547 > 172.28.1.36.hylafax: P
58:66(8) ack 167 win 5840 <nop,nop,timestamp 205373 43511112> (DF)
[tos 0x10]
15:36:12.723432 172.28.1.36.hylafax > 62.166.236.150.62547: P
167:189(22) ack 66 win 5792 <nop,nop,timestamp 43511117 205373>
(DF) [tos 0x10]
15:36:12.776377 62.166.236.150.62547 > 172.28.1.36.hylafax: P
66:72(6) ack 189 win 5840 <nop,nop,timestamp 205378 43511117> (DF)
[tos 0x10]
15:36:12.809997 172.28.1.36.hylafax > 62.166.236.150.62547: . ack
72 win 5792 <nop,nop,timestamp 43511126 205378> (DF) [tos 0x10]
____________________ HylaFAX(tm) Users Mailing List
_______________________
To subscribe/unsubscribe, click
http://lists.hylafax.org/cgi-bin/lsg2.cgi
On UNIX: mail -s unsubscribe hylafax-users-request@xxxxxxxxxxx <
/dev/null
*To learn about commercial HylaFAX(tm) support, mail sales@xxxxxxxxx*
--------------------------------------
Jeff Herring / jeffh@xxxxxxxxx
Seacoast Laboratory Data Systems, Inc.
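Added example, not part of the original thread: a small Python parser for the old-style tcpdump text quoted above. It groups records by client port, reports whether any port 4558 traffic appears in the capture, and lists connections that were reset. The sample is four records from the second capture in the thread with the e-mail line wraps re-joined; the function names and the 4558 data-port constant (taken from the replies, not verified here) are assumptions of this example.

```python
import re
from collections import defaultdict

CONTROL, DATA = 4559, 4558      # 4559 is 'hylafax' in /etc/services; 4558 per the thread
NAMES = {"hylafax": CONTROL}    # tcpdump prints the service name unless run with -n

# Old-style tcpdump record: "<time> <src>.<port> > <dst>.<port>: <flags> ..."
LINE = re.compile(r"^(\S+) (\S+)\.(\w+) > (\S+)\.(\w+): ([SFRP.]+)")

# Four records from the thread's second capture, line wraps re-joined.
SAMPLE = """
19:29:06.452932 172.28.1.36.hylafax > a.62585: F 58:58(0) ack 1 win 5792 <nop,nop,timestamp 53549602 1957688> (DF) [tos 0x10]
19:29:06.478270 a.62585 > 172.28.1.36.hylafax: R 964280316:964280316(0) win 0 (DF) [tos 0x10]
19:30:23.306833 a.62663 > 172.28.1.36.hylafax: S 1243073762:1243073762(0) win 5840 <mss 1380,sackOK,timestamp 1968340 0,nop,wscale 0> (DF)
19:30:23.306852 172.28.1.36.hylafax > a.62663: S 3944313999:3944313999(0) ack 1243073763 win 5792 <mss 1460,sackOK,timestamp 53557288 1968340,nop,wscale 0> (DF)
"""

def port(tok):
    """Map a tcpdump port token (number or known service name) to an int."""
    return NAMES[tok] if tok in NAMES else int(tok)

def summarize(capture):
    """Return ({(client_host, client_port): flags_seen}, hylafax_ports_seen)."""
    flows, ports_seen = defaultdict(set), set()
    for raw in capture.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # wrapped continuation or unrelated line
        _, src, sp, dst, dp, flags = m.groups()
        try:
            sp, dp = port(sp), port(dp)
        except ValueError:
            continue                      # some other named service; not ours
        ports_seen |= {sp, dp} & {CONTROL, DATA}
        # The side that is NOT on 4559/4558 is the client's ephemeral port.
        client = (src, sp) if dp in (CONTROL, DATA) else (dst, dp)
        flows[client] |= set(flags)
    return flows, ports_seen

def findings(capture):
    """Human-readable observations for firewall troubleshooting."""
    flows, ports_seen = summarize(capture)
    out = []
    if DATA not in ports_seen:
        out.append("no port 4558 traffic in capture")
    for (host, p), flags in sorted(flows.items()):
        if "R" in flags:
            out.append(f"reset on {host}:{p}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

An empty "no port 4558 traffic" result only means something if the capture filter included that port, which is the point raised in the replies.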