Re: [squid-users] rsync redhat-8.0

From: Adam <adam-s@dont-contact.us>
Date: Fri, 18 Apr 2003 14:06:35 -0700

From: "Jean Christophe" <lavieenrose@mail.dk>
> When I try to use rsync between a client and the server, I can't get
> access (permission denied). I think it is because of my /etc/squid/squid.conf.
> I need access to rsh tcp 873.

I am assuming you read the manual page for rsync:
http://samba.anu.edu.au/ftp/rsync/rsync.html which says for rsyncing to
ANOTHER rsync server: "You may establish the connection via a web proxy by
setting the environment variable RSYNC_PROXY to a hostname:port pair
pointing to your web proxy. Note that your web proxy's configuration must
allow proxying to port 873." If you didn't do that then perhaps rsync is
trying to go direct and if direct access to the server is blocked by your
firewall then, yeah you'd get a permission denied.

However you say you need access to "rsh tcp 873." So either you are using
rsync like an rcp command via "rsh" and hence rsync is using port 514 (see
"cmd" in /etc/services) OR you are rsync'ing to an rsync server and in that
case rsync will use port 873. From my limited understanding of rsync, it's
an either/or situation.

I don't know if you can proxy rsync when running over rsh/ssh. The above
man page excerpt is specific to having an rsync server on the other end. If
you are in fact doing that then you could add the line "acl Safe_ports port
873" to your squid.conf file. Consider the security implications of this
before proceeding (is the proxy accessible from the internet, etc.). If
there are security concerns then you should take another poster's suggestion
and create dedicated acls that restrict the src and destination as well as
the port. But since the acl Safe_ports is already defined I would add this
port to it just to try/test if this is the source of the problem.

If you are not using an rsync server then, as another poster mentioned, you
should be tunneling rsync over ssh. If you are currently using rsh, use ssh
instead, it's pretty easy. In many ways it's easier than rsh. I'd help you
but our rsyncs go server to server using ssh but no proxy. In fact, why
would you proxy this job at all? If it's a server-class job you are
running, you might consider allowing client->server for port 873 in your
firewall acls. Let us know if you end up doing that and what you did (acls,
etc.) to get it working so others can learn.

thanks,

Adam
Received on Fri Apr 18 2003 - 15:06:41 MDT
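
An added example, not part of the original message or of Squid's shipped configuration: a squid.conf fragment that sets the quick Safe_ports test from the message beside dedicated acls restricting source, destination and port. The addresses and the acl names rsync_port, rsync_clients and rsync_servers are constructed placeholders; the rule matches on CONNECT because that is the request rsync sends to the proxy when RSYNC_PROXY is set.

```conf
# --- Quick test from the message (broad) ---
# Opens port 873 on ANY destination to every client that http_access
# already lets through. The stock config also has
# "http_access deny CONNECT !SSL_ports", so a CONNECT to 873 would
# additionally need the port in SSL_ports for this test to succeed.
# acl Safe_ports port 873

# --- Dedicated acls (restricted) ---
acl rsync_port port 873
# Assumed: the single internal host that runs the rsync client.
acl rsync_clients src 192.0.2.10/32
# Assumed: the remote rsync daemon being mirrored from.
acl rsync_servers dst 198.51.100.20/32

# "CONNECT" is the acl the stock squid.conf defines as "method CONNECT".
# http_access is first-match, so these two lines must be placed ABOVE
# the stock "http_access deny !Safe_ports" and
# "http_access deny CONNECT !SSL_ports" lines.
http_access allow CONNECT rsync_port rsync_clients rsync_servers
# Everything else aimed at port 873 is refused explicitly.
http_access deny rsync_port
```

With this form neither Safe_ports nor SSL_ports is widened, so a proxy that is reachable from other networks does not become a general relay to port 873.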
