[Babase] Re: Duke network shenanigans
Karl O. Pinc
kop at meme.com
Thu Oct 8 11:24:12 EDT 2009
On 10/08/2009 09:38:45 AM, Ryan Hardy wrote:
> There shouldn't be any firewall associated oddness, as there is none.
>
> However, the IDS/IPS may be to blame.
Right. This is what I meant. Firewall seems to have become
the generic term for anything that does anything more than
forward packets. Do you have a better suggestion? (While I
wait for your reply I'm going to go program a document on
my Word. ;-)
All I can tell you is that if I ssh to
papio after a certain time passes, possibly after a certain amount
of inactivity, the connection is closed. My end says:
Read from remote host papio.biology.duke.edu: Connection reset by peer
which points to a tcp rst packet. There's nothing in the logs
on papio to indicate anything in particular.
So it's likely the IDS.
I notice that if I tunnel ssh through an OpenVPN connection I don't
have a problem. Perhaps this is because OpenVPN re-keys every hour,
which either generates more traffic or something. On second thought
it's probably because OpenVPN is configured to use udp so there's
no connection to reset. (Take that, you annoying IDS. :)
> I see that the backup machine
> can't have a static IP address. I can potentially have the security
> office white-list all connections to papio on certain ports. What
> ports would be relevant for your issues? Just 22 and 1194? UDP/TCP,
> or just TCP?
It would be nice if my ssh sessions were not interrupted. This could
be done just for the IP I usually use (meme-net.meme.com 69.17.73.250)
or in general because the only people using ssh (mostly me) are
doing so from offices and such that are locked and secured when
nobody's around.
>
> Is the backup system actually having any issues, or is it just your
> client? You'd get a pretty clear message if you were getting banned
> (if you tried to go to something via HTTP).
The backup system won't be operating from a dynamic IP until late
next week, so we don't know. Since OpenVPN has no problem I
expect no problem with the backup system but wanted to get the ball
rolling earlier rather than later if it looked like there was
going to be a problem.
Yeah, I know about the http ban message. I've become a mite tetchy
about getting banned and would like to avoid doing so by accident
in the future. Who knows if continuous OpenVPN udp traffic
won't eventually get me banned? The http ban message does
not help much because I'm not usually using http.
In summary, it looks like everything will work with the backup
system, and I've got work-arounds in place for the ssh sessions.
I'm just tired of having to work-around. It's not just a
waste of time, it's a distraction.
If I really cared
I'd ask for another open port (I believe we had to ask for 1194
to do OpenVPN) just so I could run a second OpenVPN tunnel that's
not encrypted so my ssh sessions, and the backup which uses
ssh for transport, does not double-encrypt. There's not
much point. I'm not hitting a resource limit. (Yet.) It's just
wasted electrons.
/rant
>
> -Ryan
>
> On Oct 7, 2009, at 10:42 PM, Karl O. Pinc wrote:
>
> > Papio has gotten very rude of late; my ssh sessions are
> > regularly disconnected which trashes my perpetual
> > emacs sessions. I suspect the Duke firewall.
> >
> > I will try the stupid kludge of connecting through
> > an OpenVPN session. If that does not work I will
> > ask you to ask Duke what port(s) can be used to avoid
> > this behavior and ask that those be opened to papio
> > so we can avoid this.
>
>
>
Karl <kop at meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
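Added example, not part of the thread above and not the Babase project's own code: two small POSIX shell helpers for the idle-ssh-reset problem Karl describes. The first maps the text ssh prints when a session dies to the most likely cause, so a "Connection reset by peer" (a TCP RST reaching the client, the usual signature of an IDS/IPS or stateful middlebox tearing down a flow it considers idle) is told apart from a server-side close or a plain timeout. The second emits an ~/.ssh/config stanza that sends protocol-level keepalives inside the encrypted channel, so the connection never looks idle to a middlebox and the workaround of tunnelling through UDP becomes unnecessary. The host name "papio" and the interval values are the caller's choice; the sample error line is constructed from the message quoted in the mail.

```shell
#!/bin/sh
# Added example (not from the Babase thread). Helpers for diagnosing and
# mitigating ssh sessions that are reset after a period of inactivity.

# Classify the line ssh prints when a session dies.
#   tcp-rst      : a TCP RST arrived (middlebox/IDS tear-down or remote reset)
#   timeout      : no answer at all (packet loss, host down, silent drop)
#   server-close : the sshd end closed the session cleanly
#   broken-pipe  : local write failed after the peer went away
classify_ssh_disconnect() {
    case "$1" in
        *"Connection reset by peer"*)  echo "tcp-rst" ;;
        *"Connection timed out"*)      echo "timeout" ;;
        *"Connection closed by"*)      echo "server-close" ;;
        *"Broken pipe"*)               echo "broken-pipe" ;;
        *)                             echo "unknown" ;;
    esac
}

# Emit an ~/.ssh/config Host stanza with application-level keepalives.
# ServerAliveInterval sends an encrypted no-op request every N seconds;
# ServerAliveCountMax is how many unanswered requests ssh tolerates before
# it gives up. TCPKeepAlive adds kernel-level keepalives as a second layer.
#   $1 host (assumed name, e.g. papio), $2 interval seconds, $3 max count
ssh_keepalive_stanza() {
    host="$1"
    interval="${2:-60}"
    count="${3:-3}"
    printf 'Host %s\n' "$host"
    printf '    ServerAliveInterval %s\n' "$interval"
    printf '    ServerAliveCountMax %s\n' "$count"
    printf '    TCPKeepAlive yes\n'
}

# Constructed sample: the message quoted in the mail above.
sample_msg='Read from remote host papio.biology.duke.edu: Connection reset by peer'
echo "disconnect cause: $(classify_ssh_disconnect "$sample_msg")"
echo "suggested ~/.ssh/config stanza:"
ssh_keepalive_stanza papio 60 3

# To confirm an RST is really what ends the session (run as root while the
# session is up; "papio" and the interface are assumptions):
#   tcpdump -ni eth0 'host papio.biology.duke.edu and tcp[tcpflags] & tcp-rst != 0'
```

With a 60-second interval the channel carries a tiny encrypted request every minute, which is far below any sensible rate threshold but enough to keep a stateful device from classifying the flow as idle. If sessions are still reset with keepalives on, the cause is not inactivity, and the tcpdump capture (comparing the RST's TTL and sequence numbers with the rest of the flow) is the next thing to look at.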