rejetto forum

Messages - kaede

1
HFS ~ HTTP File Server / Re: Trouble connecting HFS thru Stunnel
« on: June 09, 2007, 05:15:10 AM »
Thx ~GeeS~!!!

Well, routers have a firewall, but you can't control the actual "application" that is using that port; therefore, combining it with a software firewall, you have absolutely full control of the application that you are running. It's just a matter of how secure you want it to be.

If u did not open port 80 in the router, the bypass trick won't work. As you can see in the Router firewall rule I wrote, only Stunnel's 443 is open. Besides, port 80 is just an example. Of course, any port above 1024 is better. For example 44300  ;)

The forwarding localhost:443 to localhost:80, well, it's not a "forwarding" rule, it's actually a software firewall rule and it's applied only to stunnel.exe, meaning that for stunnel.exe (the application) the only ports that it can access are (443 and 80). Port 80 in this case is used by HFS.

Actually you can use mostly any port to do anything, for example: before this I was using port 80 for uTorrent and it worked just fine, it's just a matter of how you configure it.

To be sure about the bypass, I've just rechecked the configuration. The following test is to see if the rules I set for the router and firewall can be bypassed from outside (internet) if HFS is set to port 80, by entering in the address bar your public address followed by :80/

Settings of HFS to leave it wide open:
Port 80
Delete \127.0.0.1 in the Ban list.
Menu --> Accept connections on --> Any address.
This way HFS can connect to any address and it's listening at port 80.

How did I check:

First: if you connect using your public ip (the one assigned by your ISP) and add ":80/" at the end, it will probably link to your router administration page.  See this post: http://www.rejetto.com/forum/index.php?topic=3083.msg1015853#msg1015853 from blueeagle69. All he could see is his router; he is trying to connect to his HFS thru the local network using a public IP.

Second: if you connect to the PC that is hosting HFS using the private ip within the local network, of course you will get access. But that is the local network (inside your home or office network) and is not from outside (internet).

So there are 2 ways to test it:
1) Connect from somewhere else.
2) You can use an anonymous surfing page or a proxy like this one: http://www.htmlblock.co.uk/anon.php

To start, connect to your HFS like usual, for example: https://myhomeserver.com/ You can see in Stunnel's log that the incoming connection ip address is different from your public ip, like this one: 213.171.218.198, which is the ip of www.htmlblock.co.uk
Once you make sure that you are accessing your HFS from outside, connect using http://yourpublicip:80/ and see what happens. If everything is secure you should get an "Error: Could Not Connect to Server" message. If you can connect to your HFS, either you are connecting from your local network or your router has the HFS port open.

After all, the purpose of using STUNNEL is to secure our HFS. Some people like 80, some like 44300 and some like 666 :D (I'm using this one now); it's entirely up to the user. But like I said, if you are behind a router and have a software firewall and you want STUNNEL, then those are the rules to open ports. And of course the configuration of software firewalls and routers may differ from one another, but the logic is always the same.

One last thing (it's getting too long now): using dyndns webhop to redirect your address so you don't have to write the "https" anymore is a really good trick.

regards!
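
The outside-in test described in this post, written as a script. This is an added example, not part of the original post and not code from HFS or stunnel; the function names and verdict strings are hypothetical. Run it against your own server from a machine outside the LAN, since from inside the result describes the local network or the router instead.

```python
import socket
import sys

def probe(host, port, timeout=3.0):
    """TCP connect to one port: 'open', 'refused' or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts and unreachable hosts end up here
        return "filtered"

def plaintext_server_header(host, port, timeout=3.0):
    """Send a plain HTTP HEAD; return the Server header, '' if absent,
    or None when nothing answered in plain HTTP."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    if not data.startswith(b"HTTP/"):
        return None
    for line in data.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return ""

def audit(host, tls_port=443, plain_port=80):
    """Expect the stunnel port reachable and the plain HFS port not."""
    tls, plain = probe(host, tls_port), probe(host, plain_port)
    # The Server header tells HFS apart from e.g. a router admin page.
    server = plaintext_server_header(host, plain_port) if plain == "open" else None
    if plain == "open":
        verdict = "plaintext_port_exposed"
    elif tls == "open":
        verdict = "only_tls_reachable"
    else:
        verdict = "tls_port_unreachable"
    return {"tls": tls, "plain": plain, "server": server, "verdict": verdict}

if __name__ == "__main__" and len(sys.argv) > 1:
    print(audit(sys.argv[1]))
```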

2
HFS ~ HTTP File Server / Re: Trouble connecting HFS thru Stunnel
« on: June 08, 2007, 04:50:01 AM »
This is a little complement of the tutorial written by ~Gees~
http://www.rejetto.com/forum/index.php?topic=3083.msg1022798#msg1022798

If you encounter this kind of error:
Code:
2007.06.05 03:22:22 LOG3[2884:3056]: remote connect (192.168.1.92:44300): Connection refused (WSAECONNREFUSED) (10061)
2007.06.05 03:22:22 LOG5[2884:3056]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
And you are using a Router and a Software firewall, this could be the solution:

Complete Firewall Rule for HFS and Stunnel:
Data:
-- The server hosting HFS and Stunnel; from now on we call it 192.168.1.100
-- I'm using port 80 for HFS; if you are using another port, feel free to change rules 2a) and 2b): where it says port 80, change it to the port of your choice.

1) Router
firewall: Always Allow -- TCP -- port:443 -- source ip:Any -- Destination ip: 192.168.1.100
forwarding: Always allow -- port:443 -- forward to -- 192.168.1.100

2) Software Firewall Rules
a) name: Stunnel -- Always Allow -- TCP -- IN/OUT -- Local port:443; 80 -- Remote Address:Any -- Remote Port:Any -- App:Stunnel.exe
b) name: HFS -- Always Allow -- TCP -- IN/OUT -- Local port:80 -- Remote Address:Any -- Remote Port:Any -- App:HFS.exe

In case you are still getting "connection refused", try changing 2a) to Local port:Any
regards

3
HFS ~ HTTP File Server / Re: Trouble connecting HFS thru Stunnel
« on: June 08, 2007, 04:14:52 AM »
All right Guys!!! It's working now!!!!  :D :D :D and I've found the problem.
Just as Mav and Gees pointed out, it was the software firewall that was blocking the connection between the softwares..., but strangely it does not show the blocked packs log. Maybe it's a bug in the firewall software coz after I restarted the firewall manually it started to show the blockall's log and guess what: Stunnel is in it  :o

OK so what went wrong:
Simple, the b1> firewall rule just wasn't enough, it just points to port 443 only!!! And STUNNEL does need another port to communicate with HFS, like this one:

NEW STUNNEL RULE:
TCP --> remote: localhost:xxxx --> local: localhost [127.0.0.1:80] --> application Stunnel.exe
Voilà!!! CONNECTION ESTABLISHED

So, summing it all up, I only have to make a minor adjustment to rule c1>: instead of port 443 I will include a list of ports which obviously includes the port used by HFS.
So I would kindly suggest that the tutorial include the necessary software firewall rules. It does say that the firewall needs to be opened at port 443, assuming for stunnel, but does not say anything else. It is good to add:
"open port 443 and the port assigned for HFS to stunnel application in your software firewall" I think it will save us a lot of pain.

Finally, I would like to add the following things:
stunnel.conf:
[https]
accept  = 0.0.0.0:443
connect = 127.0.0.1:80
TIMEOUTclose = 0
Those inputs are completely valid, and you DO NOT, I repeat, DO NOT need to forward or open a port for HFS in your ROUTER

Thx VERY MUCH guys for the help!!

4
HFS ~ HTTP File Server / Re: Trouble connecting HFS thru Stunnel
« on: June 07, 2007, 05:15:26 AM »
Hello mav:
ok, here is the complete setting:
HFS Server = 192.168.1.92 static ip

a> Router Setting:
a1> Firewall: Allow always --> TCP --> port:443 --> source ip:Any --> Destination ip:192.168.1.92
a2> Forwarding: name: HTTPS --> port:433 --> 192.168.1.92

b> Software firewall setting:
b1> STunnel --> Allow Always --> Protocol: TCP and UDP (just to make sure all pass thru) --> Direction: Both (just to make sure all pass thru) --> local port:443 --> Remote port and Address: Any --> application: Stunnel.exe [set to log].
b2> HFS --> Allow Always --> Protocol: TCP --> Direction: Both --> localport: 80 --> Remote port and Address: Any --> Application:hfs.exe [set to log].
b3> Blockall: Deny Always --> Protocol:all  --> localport:any --> remote address and port:any  --> application:all [set to log].

**The firewall rules are set in that order so the Blockall can show me if any attempt was denied so I can make further adjustments.

c> Stunnel.conf
c1> I started with this one:
[https]
accept = 0.0.0.0:443
connect = 127.0.0.1:44300
TIMEOUTclose = 0
The accept is set to all IP on port:443
And only connect to 127.0.0.1 port: 44300 (of course, that is the port I use in HFS)
c2> Later I tried Maverick's setting:
[https]
accept = 443
connect = 80
TIMEOUTclose = 0
The only difference is that it can be connected by all addresses to port 80, and of course I changed HFS to 80

d> HFS
First I deleted the Bans list, so no more \127.0.0.1 or \192.168.1.*
d1> used port 44300 together with c1> and b2> localport:44300 setting
d2> I used port 80 together with c2> and b2> localport:80 setting

I think that's all... It should work, but I still get this error 10061 connection refused  :-[

5
HFS ~ HTTP File Server / Re: Trouble connecting HFS thru Stunnel
« on: June 06, 2007, 11:40:16 PM »
First, I DID NOT use quotes "", that's a noob mistake; I thought it wasn't necessary so I did not mention that earlier. Second: google the WSACONNREFUSED, wow!! Jimbo, I won't ask something that is in google search already. Here is one for you: "STFW", if you don't know what it means use google. Thx for the effort though.

Just returned from my friend's home and tried using his PC to connect to mine. I received the same error 10061, although Stunnel picked up the attempt and so did my firewall. So I think that the router is not the issue here... it must be something between HFS and Stunnel that cannot communicate.

More details: The address I input in the browser is "http://httpS://xxx.xxx.xxx.xxx/" (without the quotes) and I also tried it with my home dns using dyndns "https://mydns/" and also I tried "http://xxx.xxx.xxx.xxx:443/" and "http://mydns:443/"; all attempts were picked up by Stunnel and it shows me the "Certificate Acceptance option", but after that I got these errors:
IE7: "Navigation to the webpage was canceled"
Firefox: "The connection was reset... The connection to the server was reset while the page was loading..."

Does anyone have another suggestion? I'm kinda stuck..


6
HFS ~ HTTP File Server / Re: Trouble connecting HFS thru Stunnel
« on: June 06, 2007, 04:08:10 AM »
Thx Todd, I tried "\127.0.0.1;192.168.1.*" and "\127.0.0.1;192.168.*", same error here... >:(
Maybe it's the router (linksys rv082), although it's not likely since I can pick up the attempt in Stunnel's log, but just to be sure I'll try it again tomorrow accessing from a friend's PC. (I was thinking of installing a VNC on his computer since having 2 ips sometimes really comes in handy  ;D)

Does anyone know what <WSACONNREFUSED> means?

7
HFS ~ HTTP File Server / Trouble connecting HFS thru Stunnel
« on: June 05, 2007, 07:00:17 AM »
Hello everyone! Got a problem connecting Stunnel to HFS. First, I followed the tutorial step by step:
http://www.rejetto.com/wiki/index.php?title=HFS:_Secure_your_server
but still got some unexpected errors... hope u guys can help me.... I searched the forum and there is a post about my problem, or at least I think it is the same problem, but it's in Russian....  :-[ and the stunnel faqs site doesn't say much either.

well here is the error:
Code:
Creating a new thread
2007.06.05 03:22:22 LOG7[2884:424]: New thread created
2007.06.05 03:22:22 LOG7[2884:3056]: https started
2007.06.05 03:22:22 LOG7[2884:3056]: FD 248 in non-blocking mode
2007.06.05 03:22:22 LOG7[2884:3056]: TCP_NODELAY option set on local socket
2007.06.05 03:22:22 LOG5[2884:3056]: https accepted connection from 192.168.1.1:2512
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): before/accept initialization
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 read client hello A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 write server hello A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 write certificate A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 write server done A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 flush data
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 read client key exchange A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 read finished A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 write change cipher spec A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 write finished A
2007.06.05 03:22:22 LOG7[2884:3056]: SSL state (accept): SSLv3 flush data
2007.06.05 03:22:22 LOG7[2884:3056]:    1 items in the session cache
2007.06.05 03:22:22 LOG7[2884:3056]:    0 client connects (SSL_connect())
2007.06.05 03:22:22 LOG7[2884:3056]:    0 client connects that finished
2007.06.05 03:22:22 LOG7[2884:3056]:    0 client renegotiations requested
2007.06.05 03:22:22 LOG7[2884:3056]:    1 server connects (SSL_accept())
2007.06.05 03:22:22 LOG7[2884:3056]:    1 server connects that finished
2007.06.05 03:22:22 LOG7[2884:3056]:    0 server renegotiations requested
2007.06.05 03:22:22 LOG7[2884:3056]:    0 session cache hits
2007.06.05 03:22:22 LOG7[2884:3056]:    1 session cache misses
2007.06.05 03:22:22 LOG7[2884:3056]:    0 session cache timeouts
2007.06.05 03:22:22 LOG6[2884:3056]: SSL accepted: new session negotiated
2007.06.05 03:22:22 LOG6[2884:3056]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2007.06.05 03:22:22 LOG7[2884:3056]: FD 280 in non-blocking mode
2007.06.05 03:22:22 LOG7[2884:3056]: https connecting 192.168.1.92:44300
2007.06.05 03:22:22 LOG3[2884:3056]: remote connect (192.168.1.92:44300): Connection refused (WSAECONNREFUSED) (10061)
2007.06.05 03:22:22 LOG5[2884:3056]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.06.05 03:22:22 LOG7[2884:3056]: https finished (0 left)

I think this is the problem:
Code:
2007.06.05 03:22:22 LOG7[2884:3056]: https connecting 192.168.1.92:44300
2007.06.05 03:22:22 LOG3[2884:3056]: remote connect (192.168.1.92:44300): Connection refused (WSAECONNREFUSED) (10061)

At first I tried 127.0.0.1:44300, the same used in the tutorial.... same error in stunnel
Then I switched to 192.168.1.92:44300, which is my static local address... and deleted the Bans---"/127.0.0.1"; the result is the same as above.

I can connect to stunnel from outside the router, so trouble with forwarding and the firewall inside the router can be ruled out.
Besides that, I'm running a software firewall too; these are the rules:
Stunnel --> TCP in/out --> localport:443 --> remote address and port: any
HFS --> TCP in/out --> localport:44300 --> remote address and port: any
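
A triage of the stunnel log quoted in this post, as an added example (not part of the original post and not stunnel's own code). It groups log lines by thread id and reports whether the TLS handshake finished before the backend connect was refused, which separates a router or port 443 problem from one between stunnel and HFS; the function name and verdict strings are hypothetical, and the sample lines are copied from the log above.

```python
import ipaddress
import re

LINE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+:\d+)\]: (.*)$")
ACCEPT = re.compile(r"^\S+ accepted connection from (\S+):(\d+)$")
CONNECTING = re.compile(r"^\S+ connecting (\S+):(\d+)$")
REFUSED = re.compile(r"^remote connect \((\S+):(\d+)\): Connection refused")

# Lines copied from the stunnel log quoted in the post above.
SAMPLE = """\
2007.06.05 03:22:22 LOG5[2884:3056]: https accepted connection from 192.168.1.1:2512
2007.06.05 03:22:22 LOG6[2884:3056]: SSL accepted: new session negotiated
2007.06.05 03:22:22 LOG7[2884:3056]: https connecting 192.168.1.92:44300
2007.06.05 03:22:22 LOG3[2884:3056]: remote connect (192.168.1.92:44300): Connection refused (WSAECONNREFUSED) (10061)
2007.06.05 03:22:22 LOG5[2884:3056]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not a literal address
        return host == "localhost"

def triage(log_text):
    """Return one dict per client connection found in a stunnel debug log."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without the LOGn[pid:tid] prefix
        thread, msg = m.group(3), m.group(4)
        c = conns.setdefault(thread, {"client": None, "tls_ok": False,
                                      "backend": None, "refused": False})
        if a := ACCEPT.match(msg):
            c["client"] = a.group(1)
        elif msg.startswith("SSL accepted"):
            c["tls_ok"] = True
        elif b := CONNECTING.match(msg):
            c["backend"] = (b.group(1), int(b.group(2)))
        elif REFUSED.match(msg):
            c["refused"] = True
    out = []
    for thread, c in conns.items():
        if c["client"] is None:
            continue  # housekeeping thread, no client connection
        # TLS done + refused: the fault is between stunnel and the backend.
        verdict = ("backend_refused" if c["refused"]
                   else "forwarded" if c["tls_ok"] else "tls_incomplete")
        loop = is_loopback(c["backend"][0]) if c["backend"] else None
        out.append({"thread": thread, "client": c["client"], "backend": c["backend"],
                    "backend_is_loopback": loop, "verdict": verdict})
    return out
```

A `backend_refused` verdict with a completed handshake means the client reached stunnel, so the places to look are the backend's listening address and port and any host firewall rule applied to stunnel.exe.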
