Logging / tracing of port-forwarded traffic?

Support section for FREESCO v0.4.x

Logging / tracing of port-forwarded traffic?

Postby Island » Tue Jul 12, 2011 9:35 am

FREESCO (v0.4.2) has been happily forwarding inbound traffic on certain ports for a while now; it seems to be working fine. I've added another port to be forwarded, to a different machine on the LAN behind FREESCO, but the application is failing to connect and login at the destination machine. I have no reason to think FREESCO will not be forwarding the traffic - it's working fine on the other ports - but despite having cleared all firewall settings on the destination, the application still fails to connect.

I'd like to use FREESCO to help me debug my problem. How can I double-check that the inbound traffic is arriving at FREESCO from the internet, and can I check what FREESCO is forwarding, and to where? Are there some logging settings I could use to do this?

regards,
Island

Re: Logging / tracing of port-forwarded traffic?

Postby Lightning » Tue Jul 12, 2011 2:22 pm

The easiest way to see if inbound traffic is reaching a specific port on FREESCO is to run a service on that port like the web server in 'y' mode and make sure that the port forwarding is stopped for that port. Then check from outside your LAN and make sure that you have access to the web server. That eliminates any possible problems from traffic being blocked elsewhere. There are other ways to check if a port is being blocked, but that is the easiest.

If the above test is successful then add the port forwarding back for that port and leave the web server running on that port as well. You should then stop having access to the web server if the port forwarding is working and active.

If you want to log a specific port it can be done, but you will need to add an ipfwadm rule to log that port. The rule is dependent on exactly what you want to look for.

Inbound on the external interface
ipfwadm -I -i accept -D IPaddress PORT -o
PORT = the port number you want to monitor
IPaddress = the IP address of the external interface

Outbound traffic to the machine you are forwarding to.
ipfwadm -O -i accept -D IPaddress PORT -o
PORT = the destination port of the forwarded machine
IPaddress = the internal IP of the forwarded machine.
The logging should then show up on screen 3 and in the var/messages file.

In most cases the reason that forwarding does not work is from one of the below reasons.

Using the same external port on FREESCO with two different forwards.
ISP is blocking a specific service port.
The service being forwarded requires more than one port and those extra ports have not been forwarded.
The internal machine is refusing a connection. Make sure it is accessible from inside the LAN.
The entry for the forward is grammatically incorrect.
The internal machine is misconfigured on the network and/or FREESCO is not the default gateway for that machine.
Port forwarding is disabled in the main configuration.

If none of the above is successful, then you need to provide a lot more information: your actual configuration files along with a report.txt, what the internal machine is, and what server it is running.
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
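Once the two ipfwadm logging rules above are in place, the question becomes how to read the resulting lines in a useful way: every hit on the external port (the -I rule) should be followed by an output-chain line for the same client flow going to the internal machine (the -O rule); a flow that appears inbound but never outbound is one FREESCO accepted and did not forward. The script below is an added example, not part of the original thread or of FREESCO. It assumes the Linux 2.0 ipfwadm "-o" kernel log layout ("IP <chain> <verdict> <iface> <proto> <src>:<sport> <dst>:<dport> ..."), and the sample log lines, addresses and ports are constructed for the example.

```python
import re
from collections import Counter

# Constructed /var/messages excerpt (invented for this example).  The layout is
# the Linux 2.0 ipfwadm "-o" log format as assumed in the lead-in; if your
# kernel prints something different, adjust LINE_RE to match.
SAMPLE_LOG = """\
Jul 12 09:31:02 freesco kernel: IP fw-in acc eth1 TCP 203.0.113.5:41022 198.51.100.10:465 L=60 S=0x00 I=4711 F=0x4000 T=51
Jul 12 09:31:02 freesco kernel: IP fw-out acc eth0 TCP 203.0.113.5:41022 192.168.1.25:465 L=60 S=0x00 I=4711 F=0x4000 T=50
Jul 12 09:31:05 freesco kernel: IP fw-in acc eth1 TCP 203.0.113.5:41023 198.51.100.10:465 L=60 S=0x00 I=4712 F=0x4000 T=51
Jul 12 09:31:05 freesco kernel: IP fw-out acc eth0 TCP 203.0.113.5:41023 192.168.1.25:465 L=60 S=0x00 I=4712 F=0x4000 T=50
Jul 12 09:32:10 freesco kernel: IP fw-in acc eth1 TCP 198.51.100.77:51000 198.51.100.10:8080 L=60 S=0x00 I=9001 F=0x4000 T=60
"""

LINE_RE = re.compile(
    r"IP (?P<chain>fw-in|fw-out|fw-fwd|acct) (?P<verdict>\w+) (?P<iface>\S+) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse(log_text):
    """Yield one dict per recognisable ipfwadm log line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def trace_forward(log_text, ext_ip, ext_port):
    """Correlate inbound hits on ext_ip:ext_port (what the -I rule logs) with
    output-chain lines for the same client flow (what the -O rule logs).

    Returns how many packets arrived, where FREESCO sent them (internal
    ip:port -> packet count) and which client flows were never forwarded."""
    inbound_flows = []   # (client ip, client port), one entry per packet
    outbound = {}        # client flow -> (internal ip, internal port)
    for rec in parse(log_text):
        flow = (rec["src"], rec["sport"])
        if rec["chain"] == "fw-in" and rec["dst"] == ext_ip and rec["dport"] == ext_port:
            inbound_flows.append(flow)
        elif rec["chain"] == "fw-out":
            # the forwarded packet keeps the client's source address, so the
            # same (src, sport) key ties the two log lines together
            outbound.setdefault(flow, (rec["dst"], rec["dport"]))
    forwarded = Counter(outbound[f] for f in inbound_flows if f in outbound)
    not_forwarded = [f for f in inbound_flows if f not in outbound]
    return {
        "inbound": len(inbound_flows),
        "forwarded": dict(forwarded),
        "not_forwarded": not_forwarded,
    }


if __name__ == "__main__":
    for port in (465, 8080):
        result = trace_forward(SAMPLE_LOG, "198.51.100.10", port)
        print(f"port {port}: {result['inbound']} inbound packet(s)")
        for (ip, iport), n in result["forwarded"].items():
            print(f"  forwarded to {ip}:{iport}  x{n}")
        for client in result["not_forwarded"]:
            print(f"  NOT forwarded: client {client[0]}:{client[1]}")
```

In the constructed sample, port 465 shows both halves of each flow (traffic arrives and is sent on to 192.168.1.25:465), while port 8080 shows a client reaching FREESCO and nothing leaving, which is exactly the "forwarding disabled / wrong entry" case in Lightning's list. Run it against the real file with `trace_forward(open("/var/messages").read(), <external ip>, <port>)`.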

Re: Logging / tracing of port-forwarded traffic?

Postby Island » Sat Aug 20, 2011 2:55 pm

Prescient.

Lightning wrote:
In most cases the reason that forwarding does not work is from one of the below reasons.

....
The internal machine is misconfigured on the network and/or FREESCO is not the default gateway for that machine.
....
FREESCO is not the default gateway for that machine.

Incidentally, the application is SMTP. The server I am trying to reach is running secure-SMTP, and the device I am using to try to reach it is an ordinary consumer mobile phone with an SMTP-capable email client. The 3G telco NATs the mobile phone. The secure-SMTP server works fine with clients and devices on the local network.

I hadn't understood port forwarding correctly. Incorrectly, I had thought that port forwarding meant BOTH that
(a) the inbound packets were forwarded to the server, ie the destination IP address was changed, and
(b) the source IP address on the packet was changed to be the IP address of FREESCO router (so that the server would transact/reply with FREESCO which would 'return/forward' the reply packets to the external source IP).
I see now that (b) is wrong, port forwarding doesn't do that. Instead, the server transacts/replies directly to the source IP and - naturally - relies on the default gateway to do that which could ONLY work if the device at the source is using a routable address. (In this case, the device is an ordinary consumer mobile phone, which is NATted by the mobile telco, and therefore never sees the server's replies because these are from a different IP address and so the telco NAT router drops the inbound packets.)

So, thanks for the hint about the gateway; I now understand what's going wrong, and why. And I don't need to trace the port forwarding, anyway.

I think I've two options, only?
(i) Make FREESCO the default gateway for that server - and I cannot do that because the SMTP outbound route has to be via a specific, different, ISP, or
(ii) trick the server into replying to FREESCO and have FREESCO reply to the mobile phone.

I'm going to do a bit more thinking. Meanwhile, thank you for your painstaking list of port-forward 'issues'; they're really useful, and probably not just for me.

Finally, Lewis, I'd like to apologise for taking so long to reply; I've been working overseas at very short notice, and only now finished those projects and so do have some time to spend with this.

regards, Island
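The failure Island describes (destination rewritten, source left alone, server replies through a different default gateway, reply dropped by the client-side NAT) and the second of the two options (make the server reply to FREESCO instead) can be traced packet by packet. The model below is an added example, not code from the thread or from FREESCO; the addresses, the second ISP router and the telco NAT's behaviour are assumptions chosen to reproduce the situation in the post.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed topology (assumed for this example, not taken from the thread).
PHONE = "10.64.0.7"            # handset, private address behind the telco NAT
TELCO_PUB = "203.0.113.5"      # telco NAT public address
FREESCO_EXT = "198.51.100.10"  # FREESCO external interface, where the forward lives
FREESCO_INT = "192.168.1.1"    # FREESCO LAN interface
OTHER_PUB = "192.0.2.9"        # public address of the second ISP router (SMTP box's default gateway)
SMTP = "192.168.1.25"          # SMTP server on the LAN
EXT_PORT = 465                 # external port forwarded to SMTP:465
LAN_PREFIX = "192.168.1."


class TelcoNAT:
    """Connection-tracking NAT: a packet back to a mapped port is only accepted
    from the exact remote address:port the outbound packet was sent to."""

    def __init__(self):
        self.table = {}          # public port -> (inner src, inner sport, remote)
        self.next_port = 41022

    def outbound(self, p):
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (p.src, p.sport, (p.dst, p.dport))
        return replace(p, src=TELCO_PUB, sport=pub_port)

    def inbound(self, p):
        entry = self.table.get(p.dport)
        if entry is None or (p.src, p.sport) != entry[2]:
            return None          # no mapping, or reply from an unexpected peer: dropped
        return replace(p, dst=entry[0], dport=entry[1])


class Freesco:
    """DNAT port forward, optionally with a source rewrite ("hairpin" SNAT) so
    the server replies to FREESCO instead of to the client's address."""

    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.snat_table = {}     # FREESCO-side port -> (client src, client sport)
        self.next_port = 50000

    def from_internet(self, p):
        if p.dst != FREESCO_EXT or p.dport != EXT_PORT:
            return None
        p = replace(p, dst=SMTP, dport=465)      # (a) destination rewritten
        if self.hairpin_snat:                    # (b) only when explicitly enabled
            port = self.next_port
            self.next_port += 1
            self.snat_table[port] = (p.src, p.sport)
            p = replace(p, src=FREESCO_INT, sport=port)
        return p

    def from_lan(self, p):
        entry = self.snat_table.get(p.dport) if p.dst == FREESCO_INT else None
        if entry is None:
            return None
        # undo both rewrites: the reply leaves as FREESCO_EXT:EXT_PORT -> client
        return Pkt(src=FREESCO_EXT, sport=EXT_PORT, dst=entry[0], dport=entry[1])


def smtp_reply(p):
    """The server swaps addresses and picks a next hop: LAN peers are reached
    directly, everything else goes to its default gateway (the other ISP's
    router), which masquerades the reply behind OTHER_PUB."""
    reply = Pkt(src=p.dst, sport=p.dport, dst=p.src, dport=p.sport)
    if reply.dst.startswith(LAN_PREFIX):
        return "lan", reply
    return "other_isp", replace(reply, src=OTHER_PUB)


def simulate(hairpin_snat):
    """Run one request/reply through telco NAT -> FREESCO -> SMTP and back."""
    telco, freesco = TelcoNAT(), Freesco(hairpin_snat)
    trace = []
    p = telco.outbound(Pkt(PHONE, 5000, FREESCO_EXT, EXT_PORT))
    trace.append(("telco -> freesco", p))
    p = freesco.from_internet(p)
    trace.append(("freesco -> smtp", p))
    hop, reply = smtp_reply(p)
    trace.append((f"smtp -> {hop}", reply))
    if hop == "lan":
        reply = freesco.from_lan(reply)
        trace.append(("freesco -> telco", reply))
    delivered = telco.inbound(reply)
    trace.append(("telco -> phone", delivered))
    return {"delivered": delivered is not None,
            "reply_seen_from": (reply.src, reply.sport),
            "trace": trace}


if __name__ == "__main__":
    for snat in (False, True):
        result = simulate(snat)
        print(f"hairpin SNAT={snat}: delivered={result['delivered']}")
        for hop, pkt in result["trace"]:
            print(f"  {hop:18} {pkt}")
```

Without the source rewrite the telco NAT sees a reply from 192.0.2.9:465 where it expected 198.51.100.10:465 and discards it, which is why the phone never connects even though FREESCO forwarded the packet correctly. With the rewrite the server talks only to FREESCO and the reply returns on the right path. The cost of option (ii) is that the SMTP server then logs every remote client as FREESCO's LAN address, so per-client rate limiting, blocklisting and abuse tracing on the server lose the real source; keep the original client address in FREESCO's own logs if you go that way.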

Re: Logging / tracing of port-forwarded traffic?

Postby Lightning » Sat Aug 20, 2011 9:23 pm

There is possibly a roundabout way of solving your problem getting to the internal server. You could install teapop and fetchmail on the router and get your mail directly from the router for the mobile device.

Re: Logging / tracing of port-forwarded traffic?

Postby Lightning » Sat Aug 20, 2011 11:22 pm

There is another way to do what you are asking, I am not sure how your mobile device would connect. But it is possible to add PoPTop to FREESCO and you could use a VPN connection to the router. In this scenario your mobile device would look as though it was on the local network and could connect directly with the server. This is all assuming your mobile device can make VPN connections. An alternative to VPN would also be an SSH tunnel which would work virtually the same.

Re: Logging / tracing of port-forwarded traffic?

Postby Island » Mon Aug 22, 2011 1:04 pm

Lightning wrote:
There is another way to do what you are asking, I am not sure how your mobile device would connect. But it is possible to add PoPTop to FREESCO and you could use a VPN connection to the router. In this scenario your mobile device would look as though it was on the local network and could connect directly with the server. This is all assuming your mobile device can make VPN connections.

Without doubt this is the 'classical' solution for secure offsite access for email, files, etc, but (sadly) the mobile phone is a simple consumer model; it has a browser and email client, and that's about it. More expensive models, such as 'Smartphone' (Android, mostly), perhaps could do this (though they may have to be jail-broken, I'm not sure), and Windows or Linux Laptops or Tablets/Pads could do this anyway. But fairly simple phones, generally, do not seem to have a rich enough OS.

Lightning wrote:
An alternative to VPN would also be an SSH tunnel which would work virtually the same.

I was thinking about SSH, too, but in a different way.

The mobile phone can reach our IMAP server (for email reception/reading, and using TLS/SSL to do this) because the IMAP server does use the FREESCO box as its gateway. (Unlike the problem with the SMTP server I need to use, as mentioned in an earlier post.) I thought I could use an SSH tunnel from the IMAP server box to the SMTP server; this might enable the SMTP server to 'think' it was transacting on its local network, and so not route its replies through its gateway. I've tried it and it works. Both those servers run OpenSSH. Because I find the OpenSSH commandline so complicated, I actually set the tunnel backwards (OpenSSH allows this, calling it a 'reverse' tunnel) from the SMTP server box to the IMAP server box.

Here's the OpenSSH command I used, on the SMTP server box:

ssh -R 9123:localhost:9123 island@192.168.imap.box

Incidentally, for the benefit of anyone else reading this, and interested, I had also to set the OpenSSH sshd-config to include:
GatewayPorts yes
because, by default, OpenSSH disables this external, 'port to port', type of tunneling.

If the SSH server on FREESCO also supports tunneling, then I could instead set the tunnel direct to the SMTP server from FREESCO. I haven't tried it, because I have one worry (and one query) about doing so:

(a) The tunnel would require the external port - 9123, in this example - to be open and operating with the SSH server within the FREESCO box (unlike normal 'port forwarding' which simply passes the packets onwards). Would this external access to the SSH server be a security risk? Or would the 'control' element of the SSH server still remain only accessible from within the local network?
(b) As I recall, FREESCO does not use OpenSSH, but which server does it use? I thought to next check the documentation to see what commands and configurations could be used.

Nevertheless, the mobile phone does now reach the SMTP server despite that server running on a box for which FREESCO is not its default gateway, so I'm making some progress. But I'd like to avoid the extra 'hop' of having to go through another server and, instead, tunnel directly from FREESCO to the SMTP server box, if I could.

Thanks for all the ideas and guidance,

regards, Island
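The `GatewayPorts yes` setting Island mentions makes every `-R` listener whose bind address is omitted listen on all interfaces of the box running sshd, not only on the LAN address that FREESCO forwards to. The fragment below is an added example of the sshd_config side of that reverse tunnel, not the poster's own configuration; the LAN address 192.168.1.20 for the IMAP box and the account name `island` are assumed.

```sshd_config
# sshd_config on the box that accepts the reverse tunnel (the IMAP server
# in the thread).  Assumed: its LAN address is 192.168.1.20 and the
# tunnelling account is "island".

# Setting used in the thread.  Any "-R port:host:hostport" without a bind
# address then listens on every interface of this box.
#GatewayPorts yes

# Tighter: the ssh client chooses the bind address, so the listener can be
# pinned to the LAN address that FREESCO forwards to.  Start the tunnel with
#   ssh -R 192.168.1.20:9123:localhost:9123 island@192.168.1.20
# A "-R" that still omits the bind address falls back to loopback only.
GatewayPorts clientspecified

# OpenSSH 7.8 and later can additionally restrict the tunnelling account to
# the one listener it needs and deny it local (-L) forwards.  The Match block
# keeps these limits off other users.
Match User island
    PermitListen 192.168.1.20:9123
    PermitOpen none
```

With the pinned bind address the only route to port 9123 on the IMAP box from outside is the FREESCO port forward, which is the path the thread is trying to debug; nothing extra is exposed on any other interface the IMAP box may have.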

Re: Logging / tracing of port-forwarded traffic?

Postby Lightning » Mon Aug 22, 2011 8:56 pm

Island wrote:
(a) The tunnel would require the external port - 9123, in this example - to be open and operating with the SSH server within the FREESCO box (unlike normal 'port forwarding' which simply passes the packets onwards). Would this external access to the SSH server be a security risk? Or would the 'control' element of the SSH server still remain only accessible from within the local network?

Any open port is always a security risk, but specifically just having access to a single port no matter what is always much more secure than having access to the entire machine.

Island wrote:
(b) As I recall, FREESCO does not use OpenSSH, but which server does it use? I thought to next check the documentation to see what commands and configurations could be used.

FREESCO uses Dropbear as an SSH server and client. The version is 0.44 with a lot of modifications for FREESCO including quite a few security fixes that are in newer versions of Dropbear. As for how to forward a port through it, I think that the SSH client is mostly compliant with the OpenSSH commands, but here is the FREESCO SSH help list.
Usage: ssh [options] [user@]host
Options are:
-p <remoteport>
-y accept remote host keys, if unknown
-t Allocate a pty
-T Don't allocate a pty
-i <identityfile> (multiple allowed)
-L <listenport:remotehost:remoteport> Local port forwarding
-R <listenport:remotehost:remoteport> Remote port forwarding
-l <username>

On a secondary note, if you can't get it to work as you want with Dropbear. OpenSSH is an add on package for the 04x series. Although it has not really been needed very often unless there were advanced features needed or just for compatibility issues.

Re: Logging / tracing of port-forwarded traffic?

Postby Island » Mon Aug 29, 2011 9:42 am

Lightning wrote:
Any open port is always a security risk, but specifically just having access to a single port no matter what is always much more secure than having access to the entire machine.

Lewis, just to give a final update, in the end I have not implemented a tunnel from FREESCO to the SMTP machine because I really didn't want to open another port, especially not one that was going to be managed by SSH on FREESCO. In my application, I can get away with this by using the temporary work-around I mentioned earlier (an SSH tunnel from our IMAP server to our SMTP server) because, for email use while offsite, we have to use the IMAP server for 'incoming' mail delivery to the mobile phone and so it is always operating and may just as well provide the tunnel anyway.

I've other problems now, anyway, nothing to do with FREESCO (unfortunately, because the support here is really pretty good!). Testing secure SMTP (using TLS) has just put us into certificate-hell (we're trying to use self-signed certificates); this will take a while to sort.

Thanks, again, for the help; and for the uncanny insight in your first response, about the importance of the 'default gateway' pointing back to FREESCO. That's an important factor for anyone running multiple gateways and hoping to make port-forwarded services work correctly. Actually, if it really would be secure enough, an SSH tunnel from FREESCO to the 'non-gatewayed machine' could be a decent work-around for those situations.

regards, Island
