Discussion:
Notification of possible firewall problems
Guido Diepen
2009-08-05 10:04:42 UTC
Hi,

one recurring problem we encounter frequently is that people have problems
with SynCE, it is not working for them and often it turns out that they
have a firewall running. Currently this means that they have to find this
information on some forum, or that they have to find this by asking
questions on the mailing list or IRC channel.

Unfortunately I am not very familiar with all the details of how synce-hal
works, but would the following extension be possible (and if so, would you
guys think it would be useful).

When synce-hal detects a new device, it sets up the interface via DHCP,
after which it sends the UDP packet to the device which will have the
device initiate all subsequent connections.

Couldn't synce-hal somehow check with a timeout function whether the
DHCP/initial handshake connection has been made within a given time limit
after the device has been detected? I don't think that this should be a
very large timeout, normally this should happen within a matter of
seconds. If this situation is detected (i.e. synce-hal did not reach the
state of a connection being set up completely), you could have synce-hal
trigger a dbus signal signifying a problem with the connected device. The
clients (synce-trayicon / synce-kpm) can then listen for this particular
signal and notify the user of a connection problem and provide the user
with possible solutions (e.g. change firewall settings).

Would this be possible in synce-hal, and if so, what do you guys think
about it?

Kind regards,

Guido Diepen
Mark Ellis
2009-08-08 09:53:01 UTC
Post by Guido Diepen
Hi,
one recurring problem we encounter frequently is that people have problems
with SynCE, it is not working for them and often it turns out that they
have a firewall running. Currently this means that they have to find this
information on some forum, or that they have to find this by asking
questions on the mailing list or IRC channel.
Unfortunately I am not very familiar with all the details of how synce-hal
works, but would the following extension be possible (and if so, would you
guys think it would be useful).
When synce-hal detects a new device, it sets up the interface via DHCP,
after which it sends the UDP packet to the device which will have the
device initiate all subsequent connections.
Couldn't synce-hal somehow check with a timeout function whether the
DHCP/initial handshake connection has been made within a given time limit
after the device has been detected? I don't think that this should be a
very large timeout, normally this should happen within a matter of
seconds. If this situation is detected (i.e. synce-hal did not reach the
state of a connection being set up completely), you could have synce-hal
trigger a dbus signal signifying a problem with the connected device. The
clients (synce-trayicon / synce-kpm) can then listen for this particular
signal and notify the user of a connection problem and provide the user
with possible solutions (e.g. change firewall settings).
Would this be possible in synce-hal, and if so, what do you guys think
about it?
It's definitely possible to add a timeout to the hal stuff, but I don't
know how much would be gained. There are so many reasons why this might
happen, though a firewall is definitely the most common, as we know :)

I think what we actually need is an FAQ / troubleshooting guide. I'm
also working on a more generic installation guide, but as always with
these things I don't have enough eyes/hands/brains!

There were some thoughts thrown around about the firewall problem a
while ago, that came to no real conclusions either.

Mark
Post by Guido Diepen
Kind regards,
Guido Diepen
Guido Diepen
2009-08-08 11:36:37 UTC
Post by Mark Ellis
Post by Guido Diepen
Hi,
one recurring problem we encounter frequently is that people have
problems with SynCE, it is not working for them and often it turns out
that they have a firewall running. Currently this means that they have to
find this information on some forum, or that they have to find this by
asking questions on the mailing list or IRC channel.
Unfortunately I am not very familiar with all the details of how
synce-hal works, but would the following extension be possible (and if
so, would you guys think it would be useful).
When synce-hal detects a new device, it sets up the interface via DHCP,
after which it sends the UDP packet to the device which will have the
device initiate all subsequent connections.
Couldn't synce-hal somehow check with a timeout function whether the
DHCP/initial handshake connection has been made within a given time limit
after the device has been detected? I don't think that this should be a
very large timeout, normally this should happen within a matter of
seconds. If this situation is detected (i.e. synce-hal did not reach the
state of a connection being set up completely), you could have synce-hal
trigger a dbus signal signifying a problem with the connected device. The
clients (synce-trayicon / synce-kpm) can then listen for this particular
signal and notify the user of a connection problem and provide the user
with possible solutions (e.g. change firewall settings).
Would this be possible in synce-hal, and if so, what do you guys think
about it?
It's definitely possible to add a timeout to the hal stuff, but I don't
know how much would be gained. There are so many reasons why this might
happen, though a firewall is definitely the most common, as we know :)
It is true that there are more possible options. However, with this additional
signal triggered after a certain timeout of no connection being set up after
the device is connected, we can at least notify the user about the fact that
yes there is a device connected, but there are connection problems. We could
add some extra possible instructions to a dialog:
* Try to switch off any firewalls you might have running on the computer
* Try switching a wm6 device to legacy instead of rndis (IIRC this is what
windows will pop up with also if there are problems with the device)

This way, in case users do have problems, we at least know that HAL detected
the device as WM device, but something went wrong after it.
Post by Mark Ellis
I think what we actually need is an FAQ / troubleshooting guide. I'm
also working on a more generic installation guide, but as always with
these things I don't have enough eyes/hands/brains!
For sure we need such a guide, but indeed I know the problem about too much
work, too little time :)
Post by Mark Ellis
There were some thoughts thrown around about the firewall problem a
while ago, that came to no real conclusions either.
I know, but I think with the additional option, we could at least make it
clear to users something was happening with the device, but during the actual
connection making something went wrong.

Kind regards,

Guido Diepen
--
Guido Diepen <***@jcwodan.nl>
Aviation is proof that given the will, we have the capacity to achieve the
impossible.
--Eddie Rickenbacker
Adam Williamson
2009-08-13 16:39:43 UTC
Post by Guido Diepen
Hi,
one recurring problem we encounter frequently is that people have problems
with SynCE, it is not working for them and often it turns out that they
have a firewall running. Currently this means that they have to find this
information on some forum, or that they have to find this by asking
questions on the mailing list or IRC channel.
On Mandriva they can run the firewall configuration tool and click the
special box for synchronizing with Windows Mobile devices. :)
Post by Guido Diepen
Unfortunately I am not very familiar with all the details of how synce-hal
works, but would the following extension be possible (and if so, would you
guys think it would be useful).
When synce-hal detects a new device, it sets up the interface via DHCP,
after which it sends the UDP packet to the device which will have the
device initiate all subsequent connections.
I'm not sure that would really work. There has been some discussion on
Fedora's development lists recently about some kind of 'firewallkit'
which would allow (trusted packaged, obviously) applications to open
some firewall holes on installation in some way, but it seems to have
petered out, and it may not be applicable to all distros even if written
(I think the end of the discussion was focussing on ways to do it via
SELinux). In the absence of that, better documentation is probably all
we can do :/

What would be nice is a firewalling system that's smart enough not to
apply the firewall to an rndis0 interface when the connected device is a
Windows Mobile phone in ActiveSync mode (this is in fact all information
that's available to the system). That might be a complex patch to write,
though.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
Guido Diepen
2009-08-13 19:03:55 UTC
Hi,
Post by Adam Williamson
Post by Guido Diepen
Hi,
one recurring problem we encounter frequently is that people have
problems with SynCE, it is not working for them and often it turns out
that they have a firewall running. Currently this means that they have to
find this information on some forum, or that they have to find this by
asking questions on the mailing list or IRC channel.
On Mandriva they can run the firewall configuration tool and click the
special box for synchronizing with Windows Mobile devices. :)
Would be nice if this would be cross distro :)
Post by Adam Williamson
Post by Guido Diepen
Unfortunately I am not very familiar with all the details of how
synce-hal works, but would the following extension be possible (and if
so, would you guys think it would be useful).
When synce-hal detects a new device, it sets up the interface via DHCP,
after which it sends the UDP packet to the device which will have the
device initiate all subsequent connections.
I'm not sure that would really work. There has been some discussion on
Fedora's development lists recently about some kind of 'firewallkit'
which would allow (trusted packaged, obviously) applications to open
some firewall holes on installation in some way, but it seems to have
petered out, and it may not be applicable to all distros even if written
(I think the end of the discussion was focussing on ways to do it via
SELinux). In the absence of that, better documentation is probably all
we can do :/
What would be nice is a firewalling system that's smart enough not to
apply the firewall to an rndis0 interface when the connected device is a
Windows Mobile phone in ActiveSync mode (this is in fact all information
that's available to the system). That might be a complex patch to write,
though.
One problem with rndis0 is that it is not always called rndis0. Currently on
my computer it is renamed to eth1.

The thing is that with this timeout I do not want to change anything to
firewalls or whatever, but with this in my opinion we can signal the user
that there are connection problems and that this might be related to a
firewall. In the message we could tell the user to try first with legacy
(=ppp) mode and if that does not work, check firewall settings. Furthermore,
we can mention that for the firewall settings he must look at the
documentation of the distro running.

It would be nice if there would be one generic way cross distros to have SynCE
open some ports in the firewall, but while that is not present, my suggestion
is to at least provide the user with some more instructions.

Kind regards,

Guido Diepen
--
Guido Diepen <***@jcwodan.nl>
Aviation is proof that given the will, we have the capacity to achieve the
impossible.
--Eddie Rickenbacker
MasterPatricko
2009-08-13 20:02:57 UTC
Post by Guido Diepen
Post by Guido Diepen
one recurring problem we encounter frequently is that people have
problems with SynCE, it is not working for them and often it turns out
that they have a firewall running. Currently this means that they have to
find this information on some forum, or that they have to find this by
asking questions on the mailing list or IRC channel.
On Mandriva they can run the firewall configuration tool and click the
special box for synchronizing with Windows Mobile devices. :)
Would be nice if this would be cross distro :)
Post by Guido Diepen
Post by Guido Diepen
Unfortunately I am not very familiar with all the details of how
synce-hal works, but would the following extension be possible (and if
so, would you guys think it would be useful).
When synce-hal detects a new device, it sets up the interface via DHCP,
after which it sends the UDP packet to the device which will have the
device initiate all subsequent connections.
I'm not sure that would really work. There has been some discussion on
Fedora's development lists recently about some kind of 'firewallkit'
which would allow (trusted packaged, obviously) applications to open
some firewall holes on installation in some way, but it seems to have
petered out, and it may not be applicable to all distros even if written
(I think the end of the discussion was focussing on ways to do it via
SELinux). In the absence of that, better documentation is probably all
we can do :/
What would be nice is a firewalling system that's smart enough not to
apply the firewall to an rndis0 interface when the connected device is a
Windows Mobile phone in ActiveSync mode (this is in fact all information
that's available to the system). That might be a complex patch to write,
though.
One problem with rndis0 is that it is not always called rndis0. Currently on
my computer it is renamed to eth1.
The thing is that with this timeout I do not want to change anything to
firewalls or whatever, but with this in my opinion we can signal the user
that there are connection problems and that this might be related to a
firewall. In the message we could tell the user to try first with legacy
(=ppp) mode and if that does not work, check firewall settings. Furthermore,
we can mention that for the firewall settings he must look at the
documentation of the distro running.
It would be nice if there would be one generic way cross distros to have SynCE
open some ports in the firewall, but while that is not present, my suggestion
is to at least provide the user with some more instructions.
Kind regards,
Guido Diepen
As an aside, the situation on SuSE is that we have a /etc/sysconfig
method of adding services (interface+ports) to the SuSEfirewall2
configuration dialog, though it is still up to the user to ultimately
enable it. It's not included in the rpm's at the moment because I hadn't
figured out a safe way around the interface name changes without asking
for open SynCE ports on all interfaces. Adam, what is the solution on
Mandriva?

But anyway, I am not aware of any cross-distro firewall solution ...
would be a nice project along the lines of PolicyKit and PackageKit though.

But +1 for a message informing the user that one reason for why the
connection failed might be a broken firewall configuration. There isn't
really much else SynCE can do AFAICS. Maybe include information about
necessary ports in the man pages?

Regards,

Tejas <MasterPatricko>
Adam Williamson
2009-08-15 17:42:17 UTC
Post by MasterPatricko
As an aside, the situation on SuSE is that we have a /etc/sysconfig
method of adding services (interface+ports) to the SuSEfirewall2
configuration dialog, though it is still up to the user to ultimately
enable it. It's not included in the rpm's at the moment because I hadn't
figured out a safe way around the interface name changes without asking
for open SynCE ports on all interfaces. Adam, what is the solution on
Mandriva?
It opens the ports on all interfaces. Admittedly, that's not ideal, but
I figured it would usually be OK as nothing else in the distro uses
those ports.
Post by MasterPatricko
But anyway, I am not aware of any cross-distro firewall solution ...
would be a nice project along the lines of PolicyKit and PackageKit though.
Maybe we should see if there's an appropriate freedesktop.org list or
something to bring it up on, I can ping the people who started the
discussion on fedora-devel-list if you like...
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
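
An added example, not code from SynCE or from any poster in this thread: one way to avoid opening ports on all interfaces when the RNDIS interface is renamed (rndis0 vs. eth1) is to find it by its kernel driver in sysfs and scope the rule with `-i`. It assumes the device binds to the `rndis_host` driver; the port numbers, the sample sysfs tree and the function names are constructed placeholders.

```python
import os
import tempfile

def ifaces_by_driver(driver, sysfs_net="/sys/class/net"):
    """Names of network interfaces bound to the given kernel driver."""
    matches = []
    for name in sorted(os.listdir(sysfs_net)):
        # sysfs exposes the bound driver as a symlink: <iface>/device/driver
        link = os.path.join(sysfs_net, name, "device", "driver")
        if os.path.islink(link) and os.path.basename(os.readlink(link)) == driver:
            matches.append(name)
    return matches

def accept_rules(tcp_ports, ifaces=None):
    """iptables rule lines; ifaces=None gives the all-interfaces form."""
    scopes = [f"-i {i} " for i in ifaces] if ifaces is not None else [""]
    return [f"-A INPUT {s}-p tcp --dport {p} -j ACCEPT"
            for s in scopes for p in tcp_ports]

def make_sample_sysfs(root):
    """Constructed sysfs layout: eth0 = PCI NIC, eth1 = renamed RNDIS device."""
    layout = {"eth0": "../../bus/pci/drivers/e1000e",
              "eth1": "../../bus/usb/drivers/rndis_host",
              "lo": None}  # virtual interface, no device/driver link
    for name, target in layout.items():
        dev = os.path.join(root, name, "device")
        os.makedirs(dev if target else os.path.join(root, name))
        if target:
            os.symlink(target, os.path.join(dev, "driver"))
    return root

def demo(tcp_ports=(10001, 10002)):  # placeholder ports, not SynCE's real ones
    with tempfile.TemporaryDirectory() as root:
        ifaces = ifaces_by_driver("rndis_host", make_sample_sysfs(root))
    return ifaces, accept_rules(tcp_ports, ifaces), accept_rules(tcp_ports)

if __name__ == "__main__":
    ifaces, scoped, wide = demo()
    print("RNDIS interfaces:", ifaces)
    print("scoped:", *scoped, sep="\n  ")
    print("all interfaces:", *wide, sep="\n  ")
```

A driver match also covers other RNDIS gadgets, so a stricter check would additionally compare the USB vendor/product IDs. With no matching interface the scoped form emits no rules at all.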