HKP and firewalls

Heiko Teichmeier heiko.teichmeier@sw-meerane.de
Fri Apr 4 07:14:01 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Shaw wrote:
> On Sat, Mar 29, 2003 at 10:54:05PM +0000, Neil Williams wrote:
>
>
>>I've had recent problems with a new ISDN router that doesn't use a
>>particularly easy firewall setup. All other outgoing internet connections are
>>fine (HTTP, POP, SMTP, SSH, FTP, DNS etc.) and the firewall appears to be dropping
>>other packets as expected - it's a basic deny-all firewall with no internet
>>services available.
>>
I had the same problems getting a connection to a keyserver over an HTTP proxy
(Squid).
One problem is that the HTTP proxy connects to remote port 80. How can I
now teach it to use another port?
The next problem in my mind is DNS. Normally the user only gets
contact to the HTTP proxy in the local network (security reasons) and *no
routing* through the firewall. So the HTTP server makes the DNS request
to the internet and gets the IP for the requested name. These reasons make
--auto-key-retrieve over an HTTP server difficult (or completely not
working!?)

I tested with our firewall:
==============================
If I allow routing (NAT) for the services DNS, port 11371 and incoming
high ports, --auto-key-retrieve works fine.
If I use secure restrictions (no routing, only proxy connections [at
this time not with user/password] to the internet), the key retrieve
does not work.

Now my questions:
=================
How does an HTTP (port 80) proxy work with the HKP port?
How does it (the HTTP proxy) get the DNS information, if it thinks it can't
contact port 11371?
Who has a working combination of an only-proxy-allowed firewall with
an HTTP proxy (Squid) and Enigmail (on Windows) for the communication?
What options make the Squid-Enigmail-GPG key retrieve combination a
working suite?

>>However, I cannot get a reply from any keyservers using --recv-keys. I can
>>send to keyservers fine (and I can test that the keyserver received the
>>update using an SSH connection to a remote server with GPG installed) and I
>>can receive all keys IF I use a dial-up modem connection instead of the
>>router, so I can't see that it is a problem with ~/.gnupg/options.
>>
>>I've tried opening port 11371 but I get very confusing results. Once in a
>>while (and only once each time) I can get a single key through - as if it has
>>been cached somewhere - but the other 99 times gpg just waits and waits and
>>waits. e.g. output
>>$ gpg --verbose --verbose --keyserver pgp.mit.edu --recv-keys 0x28BCB3E3
>>gpg: requesting key 28BCB3E3 from HKP keyserver pgp.mit.edu
>>gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
>>gpg: armor header: Version: PGP Key Server 0.9.5
>>
>>I also use keyserver.linux.it
>>
>>My basic problem is that the router doesn't use the familiar iptables format
>>and doesn't provide a full listing of the traffic. I can't tell where the
>>packets are being dropped. I've tried using IP addresses for the keyservers
>>and using hkp://pgp.mit.edu etc.
>>
>>Does HKP only use port 11371? (Could it be trying to send data back to a
>>different port?)
>>
>>The router is a D-Link DI-304
>
>
> I'm not familiar with that particular router, but I can give you some
> general information that will hopefully help you.
>
> HKP is HTTP underneath it all.  The only thing unusual about it is
> that it runs on port 11371.  If there is a general "HTTP"
> configuration for your firewall, try that, and allow it on port 11371.
>
> If that isn't possible for whatever reason, you might look around for
> a HKP keyserver that runs on port 80 (for this exact reason -
> firewalls).  Ask on the pgp-keyserver-folk @ flame.org list, and I'm
> sure someone there can suggest a server to use.
>
> David


--

Best regards
Stadtwerke Meerane GmbH

Teichmeier
Netzmeister NB Elt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
heiko.teichmeier@sw-meerane.de
Tel: +49 3764 791720
Fax: +49 3764 791719
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.sw-meerane.de
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-nr1 (Windows 98)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+jRRND371SiWcNJkRAp/xAJwKZXiORyerbkHIOkzGZV4vQBMvDACfYZ2o
ZicwvWix9UaeMRVxZLsCBvs=
=JDvU
-----END PGP SIGNATURE-----
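The point David makes above, that HKP is ordinary HTTP on port 11371, is what decides the proxy questions in this message. The following is an added example (not code from the thread, from GnuPG or from Squid) that builds the HKP lookup request a client sends, once directly to the keyserver and once through an HTTP proxy, and pulls the armored key block out of a constructed keyserver reply. The request path (`/pks/lookup?op=get&options=mr&search=0x...`) is the standard HKP lookup form; the hostname, key ID and the reply body are taken from the quoted gpg output or made up for the example, and the `Version:` header in the reply is a placeholder, not a real key. In the proxied form the request line carries the absolute URL including `:11371`, so name resolution and the outbound connection to port 11371 are done by the proxy, not the client; whether the proxy permits that port is a matter of its own ACL configuration (assumption: Squid is configured to allow it), which this code cannot check offline.

```python
"""HKP key lookup as plain HTTP: direct vs. proxied request, plus reply parsing.

Added example, not part of the original mailing-list message.
"""
from urllib.parse import urlencode

HKP_PORT = 11371  # default HKP port; some keyservers also listen on 80

BEGIN_MARK = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END_MARK = "-----END PGP PUBLIC KEY BLOCK-----"


def hkp_lookup_path(keyid, op="get"):
    """Path of the HKP lookup endpoint for a key ID or fingerprint.

    op=get fetches the key, options=mr asks for machine-readable output
    (only the armored key, no HTML wrapper).
    """
    if not keyid.lower().startswith("0x"):
        keyid = "0x" + keyid
    return "/pks/lookup?" + urlencode({"op": op, "options": "mr", "search": keyid})


def direct_request(host, keyid, port=HKP_PORT):
    """HTTP/1.0 request sent straight to the keyserver.

    The client resolves `host` itself and must be allowed to open an
    outbound TCP connection to `port` through the firewall.
    """
    return (f"GET {hkp_lookup_path(keyid)} HTTP/1.0\r\n"
            f"Host: {host}:{port}\r\n\r\n")


def proxied_request(host, keyid, port=HKP_PORT):
    """The same lookup sent to an HTTP proxy (e.g. Squid).

    The request line carries the absolute URL with the port, so the proxy
    resolves the keyserver name and connects to port 11371 on the client's
    behalf; the client only needs a route to the proxy.
    """
    return (f"GET http://{host}:{port}{hkp_lookup_path(keyid)} HTTP/1.0\r\n"
            f"Host: {host}:{port}\r\n\r\n")


def extract_key_block(http_response):
    """Return the armored public key block from an HKP reply, or None.

    Raises RuntimeError on a non-200 status, which is what a proxy that
    rejects the port (403) or a keyserver without the key (404) returns.
    """
    head, _, body = http_response.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    code = parts[1] if len(parts) > 1 else ""
    if code != "200":
        raise RuntimeError(f"keyserver or proxy returned: {status_line}")
    start = body.find(BEGIN_MARK)
    end = body.find(END_MARK, start) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    return body[start:end + len(END_MARK)]


# Constructed reply; the key material below is a placeholder, not a real key.
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: application/pgp-keys\r\n"
    "\r\n"
    f"{BEGIN_MARK}\n"
    "Version: PGP Key Server 0.9.5\n"
    "\n"
    "mQGiBDplaceholderkeymaterialAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "=AbCd\n"
    f"{END_MARK}\n"
)

if __name__ == "__main__":
    print(direct_request("pgp.mit.edu", "0x28BCB3E3"))
    print(proxied_request("pgp.mit.edu", "0x28BCB3E3"))
    print(extract_key_block(SAMPLE_RESPONSE))
```

Running the module prints the two request forms and the recovered key block. The difference between them is the whole answer to the DNS question in this thread: with the proxied form the client never resolves `pgp.mit.edu` and never touches port 11371 itself.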