[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

TortoiseSVN locked by firewalls a way to a good solution

From: Bernard TREMBLAY <bty-adminf1_at_trebly.net>
Date: Tue, 22 Jan 2013 19:36:41 -0800 (PST)


I summarize :

Locked on any connection of TortoiseSVN client due to firewall without clear message from TortoiseSVN and not any from firewall. After a long work the connection could be established and the reason of the lock become more clear then may be a document could be published.

detailed context
system Windows XPsp3
TortoiseSVN 1.7.10
I began to Restart some updates and to check out some releases after a long time stopped (six month).
Then the repository directories had changed and for my own I had just before stopping updated form 1.6.2 and not tested TortoiseSVN.

I could not connect anymore with no clear message and nothing said by the firewall.
I had many difficulties to discover that the Firewall was responsible and create quite complex rules that are not clean.

I want to collect informations to redact a paper with the subject :
"How to define the right detailed rules for the firewall(s) to allow all transactions of TortoiseSVN in client mode"

I previously opened
#2481 TortoiseSVN client locked by firewall because of not well defined complex rules : how to ?

The url and password had changed for same local working copies and I had updated TortoiseSVN.

I could not connect at all to SourceForge repositories with message : (Cannot find back the exact message) which meaning was
"Cannot connect to <url https:...> because of options - operation failed"

My firewall (GDATA) was not reporting any program locked.
Versus win7 WinXP don't provides tools to create events journal for various system elementary events (marks) which could help to find may be more quickly the solution. For the case it could be particularly useful to detect locked blocs of data by the firewall.
So I have searched around a problem with SVN update and the changes of dir and passwords by SourceForge (all the connection were https with identification). A dysfunction in users, dirs, passwords updates could be the reason.

I spent a long time and eat a lot of work before stopping for a short while the firewall (with security rules and because it is a development server that I had to stop). The simple connection http became possible. The firewall was saying nothing but it was locking the connection process.

After this I test several rules to make the transaction good. I have been successful but the result even functioning is not clean and the why is not clearly explained. The rules are not simple.

Note : After opening access to SVN *.exe to the four ports concerned 22;80;443;890; and defined that they could be launched by Various Tortoise*.exe or shell, the firewall has declared TortoiseProc.exe locked not on network:web
but on network:local(confident). I gave full access right to this network to TortoiseProc then everything has gone well.

So now I would after this experience to redact a document which could become a Q&R
"which details rules (parameters) for firewalls accept all TortoisSVN transactions"

Problem formulation and requests :
I Could not connect during a long while because my firewall was locking any TortoieSVN connexion without any message (it should indicate an application communication locked - TortoiseProc).
The Firewall don't tell that he locks an application communications which is not normal (no yet answer from GDATA).

So to properly formulate the problem and explain the solution I need answers to the following questions (the objects of this thread) :

1- Finally : "What are the definitions of the rules for the (anyone) firewall to obtain the right connection with strict needs and no more :"

This means :
Network concerned (internet and/or local confident), application(s) calling, protocol(s), port(s), calling application (2nd level, which application launches the calling application), addresses.
2- Previously for TortoiseSVN development team

which application launches which other one with which protocols (and ports) for any protocol referenced.

Some element seems to mean that the full calls and protocol set is made in several steps (ports and protocols).
So the firewall seems unable to report the first level lock, (example : when svn.exe with ports 80 and 443 is allowed to connect to net it is not sufficient, in fact the first caller which must be allowed is TortoiseProc.exe). So it is necessary to define rules which will allow complete transactions

Remark about the fact that there no many thread on this subject : I am quite sure that with automatic firewall setup (average level) TortoiseProc.exe should be completely allowed for anything and never an hidden lock could happen. But every body do not set their firewall in automatic allowing mode (open any ports and protocols for any soft from computer, lock unknown input).

3- For GDATA the question is : how an application can appear in the "applications locked" after opening web ports and applications manually because a full application was locked without any message.

What I am waiting for

The opened questions for TortoiseSVN, GDATA (firewall editor) and me who want to redact a document are :

 - What are the definitions of the rules for the (any) firewall to obtain always the right connection (with good securities)
 - Why the firewall don't see the lock and what to do in such case if it is normal
 - What are the good steps to solve a problem of the same type that I met

So I ask to TortoiseSVN Team to transmit to me or tell me were I can find the useful informations about which calls which connexion on which ports and how are the calls between applications and too the sequences that set a connection

note : These information can be sent private because I think them as confidential for security. It is the reason why I will reduce to minimum for a summary in directives for firewalls and not put the details on any text. (I could probably find these informations from sources but this will eat so much work...)

I am waiting for answers from TortoiseSVN team and from the FireWall editor (GDATA which had till now always a very good support and he is concerned because for the TortoiseSVN protocols the firewall don't give good information to understand the locks).

Collaborative solution

With these informations I will make the good test to redact the document, while GDATA will modify (or not) the soft for next version to be able to detect correctly any (as TortoiseSVN) application which contains several linked programs to set a full connection and allow a full transaction.

Possible Result
Help with this text all teams who have firewall and administrators in their companies where nobody know exactly what to do to make run the TortoiseSVN transaction in any case.

Best regards



To unsubscribe from this discussion, e-mail: [dev-unsubscribe_at_tortoisesvn.tigris.org].
Received on 2013-01-23 05:27:28 CET

This is an archived mail posted to the TortoiseSVN Dev mailing list.