monotone-devel

Re: netsync with port forwarding


From: Michael Raskin
Subject: Re: netsync with port forwarding
Date: Sun, 06 Jun 2021 17:03:21 +0200

>On Sun, Jun 06, 2021 at 10:51:21AM +0200, Michael Raskin wrote:
>> >Or is there some other way of achieving the same result -- letting
>> >netsync work when I'm not at home?
>> 
>> As an «adapt to the modem» approach, I would consider forwarding SSH and
>> either port forwarding netsync in SSH connection or directly using SSH
>> repository address (which means netsync through standard input/output
>> through SSH).
>
>Two approaches here.
>
>(1) persuade modem to do the right thing with port 4691.
>I've already done that, but it didn't help.  Presumably because port
>forwarding is more complicated than just rewriting packets.  It is also
>necessary to do some kind of connexion tracking so that replies to
>incoming connexions are properly treated.
>
>It's entirely possible that the incoming netsync connection is properly
>routed to usher, but that usher's reply is not getting out through the
>modem.
>
>Netsync relies on some underlying conventions on the use of TCP for a 
>two-way connexion.  Is there some other protocol that shares these 
>conventions?  If so I could tell the modem that this other protocol is 
>now being used on port 4691.

I would frankly start with tcpdump on both sides while trying to connect
from outside. Routers can break so many things it is not even funny…

>(2) use ssh.
>
>I guess that would involve the ssh: URIs instead of mtn: URIs
>
>But this is a solution that works for me only.
>
>I'd like some of these repositories to be readable
>by the public.  Monotone itself has enough safeguards on a netsync
>connexion for this.  But even if I use a separate account for monotone
>repositories, someone that can use ssh to access monotone can also
>use ssh directly and attack the repositories (by tricks like rm).
>
>Or is some kind of limiter possible with ssh usage?

On the one hand it is, on the other one needs to be quite careful 
setting it up to not leave a hole.
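
One way to set up the kind of SSH limiter asked about above, as an added example that is not part of the original message or of monotone itself: a forced-command wrapper that treats the client's request purely as data and only ever starts mtn on an allowlisted database. The script name mtn-only, the directory /srv/monotone, the database names and the assumption that the client's request carries the database as --db <path> are all hypothetical; the wrapper limits which program the account can run and does not set monotone's own read/write permissions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a dedicated monotone SSH account.
# Hypothetical authorized_keys entry (one line, key elided):
#   restrict,command="/usr/local/bin/mtn-only" ssh-ed25519 <public-key>
# sshd then runs this script whatever the client asked for; the request only
# arrives as data in $SSH_ORIGINAL_COMMAND and is never eval'ed or executed.

MTN_DB_DIR=${MTN_DB_DIR:-/srv/monotone}             # hypothetical directory
MTN_ALLOWED=${MTN_ALLOWED:-"project.mtn docs.mtn"}  # constructed allowlist

# Print the server-side path of the requested database, or return 1.
mtn_pick_db() {
    db=
    set -f                  # no glob expansion while word-splitting
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        case $1 in
            --db=*) db=${1#--db=} ;;
            --db)   [ $# -ge 2 ] || return 1; db=$2; shift ;;
        esac
        shift
    done
    name=${db##*/}          # file name only: client-supplied directories are ignored
    for ok in $MTN_ALLOWED; do
        if [ "$name" = "$ok" ]; then
            printf '%s\n' "$MTN_DB_DIR/$ok"
            return 0
        fi
    done
    return 1                # unknown database, or no --db in the request
}

# Entry point: serve the one allowed database over stdin/stdout, or refuse.
mtn_forced_command() {
    path=$(mtn_pick_db "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "mtn-only: request refused" >&2
        return 1
    }
    exec mtn --db "$path" serve --stdio --no-transport-auth
}

# Run only when installed under the (hypothetical) name mtn-only.
case ${0##*/} in
    mtn-only) mtn_forced_command ;;
esac
```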





