Used Version 6.0.10: under Virtual Box 6.1 on Windows 10 version 1909
I have managed the install without issues and it would seem I have network connectivity (bridged adapter in Virtual Box to my Wifi Card) and I can reach the web interface without a problem from my Windows OS. I have configured three layers of DNS (local router, ISP DNS, Google DNS plus setting the Global Gateway as my router IP on my local network and I do not use a proxy.
What I can not do is sync to the community feed on either port 24 or 443.
Although I am fairly IT literate I am a noob on this so any assistance would be greatly appreciated.
Questions I have are
How do I run a test to check outbound connectivity
To what url should I be testing
We are using rsync for the feed which (as far as I know) requires port 873.
Hi Bricks, the menu program inside the only shows the other two ports. Does my firewall need to open 837 on TCP and /or UDP and does it need to be two way i.e. in and out?
Please disable your firewall and give the GCE direct “IPv4/v6 based” internet connection, then you should be able to run a feed update. Please note Proxy and NAT are not supported for the Community Feed.
Thanks for that suggestion but I am not certain that it is the best idea for security reasons. See here Whilst the vulnerabilities in RSync might only be limited to the VM disabling my firewall exposes my host too doesn’t it?
My reasoning is as follows: the VM is residing on my laptop and the VM NIC is bridged to my laptop NIC disabling my firewall entirely (for example if I DMZ the laptops IP) will expose not only the VM but my laptop also won’t it?
Is a secure rule for port forwarding supported? Are there any guides for creating a firewall rule from and to the feed server on 873 / TCP ? i.e. a mapped port forward from the laptops IP on 837 / TCP to and from the feeds url or IP.
RSync is a Server-Client protocol, that whole article of Rapid-7 is about mis-configured Server, your Client is NOT related by syncing out feed using delta-method rsync. And we know what we are doing, to this is more or less FUD by Rapid7 and has nothing to do with our feed sync.
You need to connect your GCE to the Internet, for example multiple sessions with NAT are not supported, and many issues come up in mis-configured environments. If you are at home behind a Consumer device, you should be fine, if you try to sync multiple GCE instances via one corporate firewall, that setup is NOT supported. You only need DNS and port 837/TCP to be able to sync via IPv6 or legacy IPv4.
Thanks for the explanation. I didn’t mean to offend you, I wasn’t suggesting you didn’t know what you were doing.
I am at home behind a consumer device with a single instance and have already configured DNS and IPV4 already. I was therefore confused as to why it wasn’t working.
I will investigate my routers settings for the firewall but would have thought a Stateful Packet Inspection firewall would adapt to the outbound connection request on on 873 TCP. Do I need any other ports such as SSH on 22 TCP as I may need to set trigger ports in the router?
Only outgoing, no need to open any incoming ports. The SYN. comes from the GCE and that’s it. Our back-end accepts only ONE SYN-ACK connection per source IP. That’s it. So you need to ensure that your nat-session does not keep the connection open, even if the rsync session is already done.
even more confused here. Router has UPNP enabled but doesn’t see the RSync ports or session in its logs. Set up trigger ports for 22 and 873 TCP but that isn’t being hit either as far as I can see. The only thing I do not have direct control over is the Panda Adaptive Defense 360 firewall but its not logging any blocks so I am assuming it should be passing it through. Just disabled all of the router stuff as it wasn’t doing any good and UPnP is a security risk anyway.
Any suggestions for what I may be overlooking.
You do not need UPNP as well you don’t need any incoming session. Just allow that port outgoing. As i suggested disable any firewall (outgoing) between your GCE and the internet. With that setup you will not be able to run any vulnerability scanning as well.