HKP and firewalls

David Shaw dshaw@jabberwocky.com
Thu Apr 3 18:11:03 2003



On Sat, Mar 29, 2003 at 10:54:05PM +0000, Neil Williams wrote:

> I've had recent problems with a new ISDN router that doesn't use a 
> particularly easy firewall setup. All other outgoing internet connections are 
> fine (HTTP, POP, SMTP, SSH, FTP, DNS etc) and the firewall appears to be dropping 
> other packets as expected - it's a basic deny-all firewall with no internet 
> services available.
> 
> However, I cannot get a reply from any keyservers using --recv-keys. I can 
> send to keyservers fine (and I can test that the keyserver received the 
> update using an SSH connection to a remote server with GPG installed) and I 
> can receive all keys IF I use a dial-up modem connection instead of the 
> router, so I can't see that it is a problem with ~/.gnupg/options.
> 
> I've tried opening port 11371 but I get very confusing results. Once in a 
> while (and only once each time) I can get a single key through - as if it has 
> been cached somewhere - but the other 99 times gpg just waits and waits and 
> waits. e.g. output
> $ gpg --verbose --verbose --keyserver pgp.mit.edu --recv-keys 0x28BCB3E3
> gpg: requesting key 28BCB3E3 from HKP keyserver pgp.mit.edu
> gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
> gpg: armor header: Version: PGP Key Server 0.9.5
> 
> I also use keyserver.linux.it
> 
> My basic problem is that the router doesn't use the familiar iptables format 
> and doesn't provide a full listing of the traffic. I can't tell where the 
> packets are being dropped. I've tried using IP addresses for the keyservers 
> and using hkp://pgp.mit.edu etc. 
> 
> Does HKP only use port 11371? (Could it be trying to send data back to a 
> different port?)
> 
> The router is a D-Link DI-304

I'm not familiar with that particular router, but I can give you some
general information that will hopefully help you.

HKP is HTTP underneath it all.  The only thing unusual about it is
that it runs on port 11371.  If there is a general "HTTP"
configuration for your firewall, try that, and allow it on port 11371.

If that isn't possible for whatever reason, you might look around for
an HKP keyserver that runs on port 80 (for this exact reason -
firewalls).  Ask on the pgp-keyserver-folk @ flame.org list, and I'm
sure someone there can suggest a server to use.

David
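To make David's point concrete (HKP is ordinary HTTP whose only oddity is TCP port 11371), here is an added example, not code from the thread: it rebuilds the lookup URL gpg derives from a --keyserver value and performs the fetch over a raw socket, so the single outbound connection a firewall must permit is visible. The /pks/lookup?op=get path is the standard HKP lookup; the loopback server, the FAKE_KEY contents and the 0x28BCB3E3 / pgp.mit.edu / keyserver.linux.it values are constructed or taken from the thread, not real key data.

```python
import socket, threading
from urllib.parse import urlsplit

HKP_PORT = 11371  # the only unusual thing about HKP: its default TCP port

def hkp_to_http(keyserver, keyid):
    """Map a gpg --keyserver value to the lookup URL; hkp:// or a bare host means port 11371."""
    keyserver = keyserver if "://" in keyserver else "hkp://" + keyserver
    parts = urlsplit(keyserver)
    port = parts.port or (80 if parts.scheme == "http" else HKP_PORT)
    keyid = keyid if keyid.startswith("0x") else "0x" + keyid
    return f"http://{parts.hostname}:{port}/pks/lookup?op=get&search={keyid}"

def fetch_key(url, timeout=5.0):
    """Raw-socket HTTP/1.0 lookup: one outbound TCP connection, reply on that same
    connection, so the firewall only has to permit outbound TCP to the server port."""
    parts = urlsplit(url)
    req = f"GET {parts.path}?{parts.query} HTTP/1.0\r\nHost: {parts.hostname}\r\n\r\n"
    with socket.create_connection((parts.hostname, parts.port), timeout) as s:
        s.sendall(req.encode())
        raw = s.makefile("rb").read()  # HTTP/1.0: server closes when done
    head, _, body = raw.decode("utf-8", "replace").partition("\r\n\r\n")
    status = head.split("\r\n")[0]
    if not status.startswith("HTTP/1.") or " 200 " not in status:
        raise RuntimeError(f"keyserver answered {status!r}")
    end_marker = "-----END PGP PUBLIC KEY BLOCK-----"
    begin, end = body.find("-----BEGIN PGP PUBLIC KEY BLOCK-----"), body.find(end_marker)
    if begin < 0 or end < 0:
        raise RuntimeError("reply carried no armored key block")
    return body[begin:end + len(end_marker)]

# Constructed stand-in for a keyserver so the example runs offline: answers one
# HTTP request on loopback with a dummy (not real) armored key block.
FAKE_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed example\n\n"
            "bm90IGEgcmVhbCBrZXk=\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")

def serve_once():
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(1)
    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n" + FAKE_KEY.encode())
        srv.close()
    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]  # ephemeral port the fake server listens on

def demo():
    url = hkp_to_http(f"hkp://127.0.0.1:{serve_once()}", "28BCB3E3")
    return fetch_key(url)
```

Against a real keyserver, a firewall that passes HTTP but silently drops port 11371 shows up exactly as in the thread: the connect or the read in fetch_key hangs until the timeout instead of failing fast.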