Topic: Remote Development Tool Breaks on upgrade from 4.1.2

[Greg Bellamy]

I tried to upgrade our 4.1.2 server to 5.1.2 and a development program that our guys use will no longer connect to the sites where they need to change the code. This is a tool that they use to securely log into a remote site (building automation systems) and change variables and other parts of the code.

The ports that the information that came with the tool says have to be open are:
HTTP & UDP on Port 80
HTTP on Port 3011

Now what changed from 4.1.2 to 5.1.2 that would break this?

I have tried the port forwarding panel and forwarding the ports to an internal ip but that isn't working either.

The other time I broke this was when I setup SARG and SquidGuard with Transproxy. (I had to make a seperate gateway for the developers to get out at that time.)

Any ideas or help greatly appreciated.

Thanks,
Greg Bellamy

[Trevor B]

Greg FWIW.

This does not answer your question, but may be related. Have found out that ipsec is disabled by default and you have to set masq option on for ipsec to get it working
(see http://forums.contribs.org/index.php?topic=12107.msg45462#msg45462 for details).

Did you have a custom template to open up port 3011 in 4.1.2? You may have to change the configuration db to allow this (and have SME 5.1.2 include your custom templates).

I also had a problem because I had copied all of the masq template over to custom (just to alter 1) and they seemed to stuff up a few things (including DHCP of all things) after the upgrade. After clearing them out and doing a post-upgrade it all worked OK.

Trevor B

Greg Bellamy wrote:
>
> I tried to upgrade our 4.1.2 server to 5.1.2 and a
> development program that our guys use will no longer connect
> to the sites where they need to change the code. This is a
> tool that they use to securely log into a remote site
> (building automation systems) and change variables and other
> parts of the code.
>
> The ports that the information that came with the tool says
> have to be open are:
> HTTP & UDP on Port 80
> HTTP on Port 3011
>
> Now what changed from 4.1.2 to 5.1.2 that would break this?
>
> I have tried the port forwarding panel and forwarding the
> ports to an internal ip but that isn't working either.
>
> The other time I broke this was when I setup SARG and
> SquidGuard with Transproxy. (I had to make a seperate gateway
> for the developers to get out at that time.)
>
> Any ideas or help greatly appreciated.
>
> Thanks,
> Greg Bellamy

[Trevor B]

Greg,

also noticed that there is a template called 46AllowHighTCP which requires the PermitHighTCP masq option to be set to yes. This appears to open ports 1024-65535 for incoming TCP traffic.

If required, this can be set on by
/sbin/e-smith/db configuration setprop masq PermitHighTCP yes

then do a
/sbin/e-smith/signal-event remoteaccess-update

Hope this helps
Trevor B

[Trevor B]

And if you REALLY look at the template you will see that the default is yes. So unless you have some other template that turns it off, don't worry......

Trevor B wrote:
>
> Greg,
>
> also noticed that there is a template called 46AllowHighTCP
> which requires the PermitHighTCP masq option to be set to
> yes. This appears to open ports 1024-65535 for incoming TCP
> traffic.
>
> If required, this can be set on by
> /sbin/e-smith/db configuration setprop masq PermitHighTCP yes
>
> then do a
> /sbin/e-smith/signal-event remoteaccess-update
>
> Hope this helps
> Trevor B

[Greg bellamy]

Well to answer what was set on the 4.1.2 box to get it to work. Nothing.

It works on a stock install of 4.1.2 but doesn't after an upgrade OR a fresh install of 5.1.2

Trevor B wrote:
>
> Greg FWIW.
>
> This does not answer your question, but may be related. Have
> found out that ipsec is disabled by default and you have to
> set masq option on for ipsec to get it working
> (see
> http://forums.contribs.org/index.php?topic=12107.msg45462#msg45462
> for details).
>
> Did you have a custom template to open up port 3011 in 4.1.2?
> You may have to change the configuration db to allow this
> (and have SME 5.1.2 include your custom templates).
>
> I also had a problem because I had copied all of the masq
> template over to custom (just to alter 1) and they seemed to
> stuff up a few things (including DHCP of all things) after
> the upgrade. After clearing them out and doing a post-upgrade
> it all worked OK.
>
> Trevor B

[trevorb]

Greg,

5.1.2 does add squid as a transparent proxy by default. Your problem may be there.

Also not sure if UDP on port 80 is open by default.

I don't have access to my box at the moment so can't check (I've had the same dynamic IP for 18 months and got caught out when my ISP changed it yesterday.....), but will do so tonight.

Trevor B

Greg bellamy wrote:
>
> Well to answer what was set on the 4.1.2 box to get it to
> work. Nothing.
>
> It works on a stock install of 4.1.2 but doesn't after an
> upgrade OR a fresh install of 5.1.2
>

[Greg bellamy]

The transproxy package is what broke it in 4.1.2 before. So if that is installed on the stock 5.1.2 then that is what is probably causing it.
Thanks,
Greg Bellamy

trevorb wrote:
>
> Greg,
>
> 5.1.2 does add squid as a transparent proxy by default. Your
> problem may be there.
>
> Also not sure if UDP on port 80 is open by default.
>
> I don't have access to my box at the moment so can't check
> (I've had the same dynamic IP for 18 months and got caught
> out when my ISP changed it yesterday.....), but will do so
> tonight.
>
> Trevor B
>
> Greg bellamy wrote:
> >
> > Well to answer what was set on the 4.1.2 box to get it to
> > work. Nothing.
> >
> > It works on a stock install of 4.1.2 but doesn't after an
> > upgrade OR a fresh install of 5.1.2
> >