HKP and firewalls

Neil Williams linux@codehelp.co.uk
Sat Mar 29 23:53:01 2003



I've had recent problems with a new ISDN router that doesn't use a 
particularly easy firewall setup. All other outgoing internet connections are 
fine (HTTP, POP, SMTP, SSH, FTP, DNS, etc.) and the firewall appears to be dropping 
other packets as expected - it's a basic deny-all firewall with no internet 
services available.

However, I cannot get a reply from any keyservers using --recv-keys. I can 
send to keyservers fine (and I can test that the keyserver received the 
update using an SSH connection to a remote server with GPG installed) and I 
can receive all keys IF I use a dial-up modem connection instead of the 
router, so I can't see that it is a problem with ~/.gnupg/options.

I've tried opening port 11371 but I get very confusing results. Once in a 
while (and only once each time) I can get a single key through - as if it has 
been cached somewhere - but the other 99 times gpg just waits and waits and 
waits. Example output:

$ gpg --verbose --verbose --keyserver pgp.mit.edu --recv-keys 0x28BCB3E3
gpg: requesting key 28BCB3E3 from HKP keyserver pgp.mit.edu
gpg: armor: BEGIN PGP PUBLIC KEY BLOCK
gpg: armor header: Version: PGP Key Server 0.9.5

I also use keyserver.linux.it

My basic problem is that the router doesn't use the familiar iptables format 
and doesn't provide a full listing of the traffic. I can't tell where the 
packets are being dropped. I've tried using IP addresses for the keyservers 
and using hkp://pgp.mit.edu etc. 

Does HKP only use port 11371? (Could it be trying to send data back to a 
different port?)

The router is a D-Link DI-304

At present I'm reduced to using an SSH connection to a remote server to do the 
download of the key, then an -a --export to a file ready for download, and then 
--import. Quite a long-winded way of maintaining a keyring of >30 keys.

I simply don't know where to start with this one.
-- 

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/

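An added diagnostic, not from the post above and not GnuPG's own code: HKP is plain HTTP on TCP port 11371 and the key comes back over the same connection, so nothing is sent to a different port; a small script that does the lookup itself, separating name resolution, the outbound connect, and the reply, shows which stage the router is interfering with. The host and key id are whatever you pass in; the sample reply at the end is constructed for an offline check.

```python
import socket

HKP_PORT = 11371  # HKP is plain HTTP over TCP 11371; the key comes back on the same connection

def build_hkp_request(host: str, keyid: str) -> bytes:
    # The HTTP/1.0 GET that an HKP 'get' lookup sends for one key id
    if not keyid.lower().startswith("0x"):
        keyid = "0x" + keyid
    return f"GET /pks/lookup?op=get&search={keyid} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()

def classify_reply(data: bytes) -> str:
    # Name how far a keyserver reply got, so a stall can be attributed to a stage
    if not data:
        return "no-reply"   # TCP connected but nothing came back: inbound data dropped or server silent
    head, _, body = data.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/"):
        return "not-http"   # something answered on 11371 but is not speaking HTTP
    if b"BEGIN PGP PUBLIC KEY BLOCK" not in body:
        return "no-key"     # HTTP answered without armor (e.g. key not on that server)
    if b"END PGP PUBLIC KEY BLOCK" not in body:
        return "truncated"  # armor began but never finished: the later packets were lost
    return "complete"

def fetch_key(host: str, keyid: str, timeout: float = 10.0):
    # One lookup, reported as (stage, bytes received) rather than an exception
    try:
        sock = socket.create_connection((host, HKP_PORT), timeout=timeout)
    except socket.gaierror:
        return "dns-failed", b""      # name resolution blocked or broken
    except OSError:
        return "connect-failed", b""  # outbound connection to 11371 refused or dropped
    chunks = []
    with sock:
        sock.sendall(build_hkp_request(host, keyid))
        while True:
            try:
                chunk = sock.recv(4096)
            except OSError:  # includes the read timeout: gpg's "waits and waits" case
                partial = b"".join(chunks)
                return "stalled-" + classify_reply(partial), partial
            if not chunk:
                break
            chunks.append(chunk)
    data = b"".join(chunks)
    return classify_reply(data), data

# Constructed sample reply (not captured from a real server) for an offline check
SAMPLE_OK = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
             b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: PGP Key Server 0.9.5\n\n"
             b"mQGiBD (constructed placeholder, not key data)\n=abcd\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

A result of stalled-truncated matches the gpg output above (armor header arrives, then nothing): the connection to port 11371 itself works, so the thing to check is whether larger packets are being dropped on the path (an MTU or fragmentation problem) rather than whether the port is open.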