btsync on Debian wheezy questions


ovizii


I'm using the packages from the repository one of the members here posted publicly and I "think" I have it all set up properly but if I start btsync:

/etc/init.d/btsync start

Starting P2P file synchronisation daemon(s)...Autostarting btsync instance 'complex':.

That is all that happens, no errors, nothing. And if I check with pstree, btsync isn't running, so where does it log to or where can I find out what the problem is?


I made some progress, I now ran this: /usr/lib/btsync/btsync-daemon --config /etc/btsync/complex.conf

and finally got an error:

To use BitTorrent Sync you should specify shared directories in config file or enable Web UI

here is my config file, with the secret masked:


{
  "device_name": "xxx",
  "listening_port" : xxx,
  // 0 - randomize port

  /* storage_path dir contains auxiliary app files
     if no storage_path field: .sync dir created in the directory
     where binary is located.
     otherwise user-defined directory will be used
  */
  "storage_path" : "/root/btsync/.btsync",
  // uncomment next line if you want to set location of pid file
  // "pid_file" : "/var/run/btsync/btsync.pid",
  "check_for_updates" : false,
  "use_upnp" : false,
  // use UPnP for port mapping

  /* limits in kB/s
     0 - no limit
  */
  "download_limit" : 0,
  "upload_limit" : 0,
  /* remove "listen" field to disable WebUI
     remove "login" and "password" fields to disable credentials check
  */
  "webui" :
  {
    //"listen" : "0.0.0.0:8888",
    //"login" : "admin",
    //"password" : "password"
  }
  /* !!! if you set shared folders in config file WebUI will be DISABLED !!!
     shared directories specified in config file
     override the folders previously added from WebUI.
  */
  /*
  ,
  "shared_folders" :
  [
    {
      // use --generate-secret in command line to create new secret
      //documents uses a read-only secret
      "secret" : "xxx", // * required field
      "dir" : "/root/btsync/Documents", // * required field
      // use relay server when direct connection fails
      "use_relay_server" : true,
      "use_tracker" : true,
      "use_dht" : true,
      "search_lan" : false,
      // enable sync trash to store files deleted on remote devices
      "use_sync_trash" : true,
      // specify hosts to attempt connection without additional search
      "known_hosts" :
      [
        //"192.168.1.2:44444"
      ]
    }
  ]
  */
  // Advanced preferences can be added to config file.
  // Info is available in BitTorrent Sync User Guide.
}

Anything wrong with this?


Sorry, I'm an idiot, this whole section was commented and I didn't realize it:


/*
,
"shared_folders" :
[
  {
    // use --generate-secret in command line to create new secret
    //documents uses a read-only secret
    "secret" : "xxx", // * required field
    "dir" : "/root/btsync/Documents", // * required field
    // use relay server when direct connection fails
    "use_relay_server" : true,
    "use_tracker" : true,
    "use_dht" : true,
    "search_lan" : false,
    // enable sync trash to store files deleted on remote devices
    "use_sync_trash" : true,
    // specify hosts to attempt connection without additional search
    "known_hosts" :
    [
      //"192.168.1.2:44444"
    ]
  }
]
*/

BUT now I have a firewall problem: I set btsync to use port 55555 on the server and on my macbook and have opened TCP and UDP incoming and outgoing for that port, but it seems btsync uses other ports too?

What other ports do I need to open for it to work properly?


Ok, I'm getting closer to the root of the issue:

BTW, the firewall problems are on my server, not on the macbook.

So I set up btsync to use port 55555 and opened ingress and egress traffic for TCP and UDP on the server for ports 55555 and 3000.

Still I see entries in my firewall logs like this:


Jul 2 13:02:19 h2118175 kernel: [12015648.927721] ** P2P ** IN= OUT=eth0 SRC=85.214.xxx.xxx DST=67.215.xxx.xxx LEN=95 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=55555 DPT=6881 LEN=75

Is port 6881 also needed or is this just a random port? Is there a complete list of needed ports available somewhere?


I guess you're using DHT. The remote for DHT is whatever some random person on the internet configured.

Locally BTSync opens port 3838 for local multicast, your configured port on UDP for internet connectivity and your configured port on TCP for local connectivity. Additionally, if configured, it opens the http(s) port for the web GUI.

Minimum firewall requirements are here (as noted in the unofficial FAQ). Maximum firewall requirements are basically the configured UDP port open for unsolicited packets from any address and any port over 1024.


Ok, thanks for the reply. DHT and tracker settings are not my forte, I only know what I've read around here.

Let me explain my setup, maybe you can shed some more light on things:

I have the following machines:

1 Macbook

1 PC

1 dedicated server

Everything works between the Mac and the PC, now I wanted to add the server to this setup and give it read-only keys.

I have set up the server as a predefined host on the PC and Mac since it's got a static IP, but cannot do the same in reverse as the PC and the Mac are on dynamic IPs whenever they go online.

All 3 machines involved are configured to use port 47151.

The current firewall settings on the server, the only place where I've got problems, are:

ingress:

allow incoming data on ports 3000,47151 TCP&UDP

egress:

allow outgoing data on ports 3000,47151 TCP&UDP

TO and FROM ANY. So basically, I fulfilled the minimum firewall requirements and still the server tries sending out stuff on port 6881, as you can see in the firewall log above: DPT=6881

Here are a few more dropped packet logs:

Jul 3 08:04:00 h2118175 kernel: [12084148.276757] ** P2P ** IN= OUT=eth0 SRC=server DST=67.215.242.139 LEN=95 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=47151 DPT=6881 LEN=75

Jul 3 08:03:59 h2118175 kernel: [12084147.660390] ** OUT_UDP DROP ** IN= OUT=eth0 SRC=server DST=85.214.221.99 LEN=30 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5351 DPT=5351 LEN=10

Would any of this change if I turned any of these settings off?


"use_relay_server" : true,
"use_tracker" : true,
"use_dht" : true,

This is my config file on the server:


{
  "device_name": "xxx",
  "listening_port" : 47151,

  "storage_path" : "/root/.btsync",
  "check_for_updates" : false,
  "use_upnp" : false,
  "download_limit" : 0,
  "upload_limit" : 0,
  "webui" :
  {
    "listen" : "0.0.0.0:8888",
    "login" : "root",
    "password" : "xxx"
  }
  ,
  "shared_folders" :
  [
    {
      "secret" : "xxx",
      "dir" : "/root/btsync/Documents",
      "use_relay_server" : true,
      "use_tracker" : true,
      "use_dht" : true,
      "search_lan" : false,
      "use_sync_trash" : true,
      "known_hosts" :
      [
      ]
    }
  ]
}

What I cannot do is allow this:

the configured UDP port open for unsolicited packets from any address and any port over 1024.
As that would basically mean opening up the server to all sorts of unwanted traffic.

Any other hints or observations you can make based upon this detailed post?


  1. Block TCP at the firewall it's only useful for local peers.
  2. You don't need to allow packets to port 3000 on your machines; the tracker and relay are on port 3000.
  3. Turn off DHT, you are not giving it sufficient access to do anything useful.
  4. Make sure that peers behind the same firewall have different ports.
  5. Don't run it as root.

Otherwise, if you want to completely lock down the firewall, it's a case of choosing which peer discovery option you want to use, allowing the connections for that method and disabling the others.

BTW: 'Ingress' and 'Egress' are vague terms that mean something to your specific firewall vendor/script etc. Your log messages are obviously "iptables" messages but these words don't mean anything for iptables.

PS: Iptables connection tracking will be kept alive by BTSync's chatter, if you make significant changes you may have to turn off ALL peers for at least 4 minutes to allow the tracking to clean up. (Or add NOTRACK rules to the raw table)


hey man, thanks for the quick reply.

1) I'm not sure I understand what you mean here?

2) Done, removed port 3000 since it wasn't needed.

3) Done

4) no peers are behind the same firewall

5) I've read up on how to run it under multiple users and have been looking into it, for now however I'm just trying to get it up and running first.

With regards to this:

Otherwise, if you want to completely lock down the firewall, it's a case of choosing which peer discovery option you want to use, allowing the connections for that method and disabling the others.

Which one requires the least opened ports? Which one has specific port requirements versus loose ones like >1024 ?

I used INGRESS and EGRESS loosely, as in INCOMING and OUTGOING. As simple as that.


Least open ports for you are using ONLY the tracker and the relay.

Open your UDP port, your host to the tracker and relay IPs port 3000.

Allow solicited replies from same.

Nothing else. This will probably be slow and the peers will still attempt (and fail) to make direct connections.

It's better if you configure UDP to be just like TCP normally is, ie: allow all solicited replies.

RE: TCP ...

Posted 12 May 2013 - 07:09 AM

Peer discovery:

BTSync uses several methods of peer discovery.

  • Known hosts: this is the simplest; you enter a port number and an IP address or DNS hostname and BTSync attempts to contact this host (This should also work with dynamic DNS if you wish)
  • Search lan: this sends out multicast packets to the local lan (and rarely some connected ones) on port 3838. If a client receives one of these it attempts a normal connection to that peer.
  • Tracker: BTSync sends the info hash of the share (basically the hash of the secret) to t.usyncapp.com. That host keeps a list of the IP:port pairs that have contacted it with that hash and gives them out to everyone interested.
  • DHT: (Distributed Hash Table) this is very similar in concept to a tracker, except the hashes are not stored on one central server but distributed across all the peers in all the swarms. There does need to be a starter peer (one of which I expect is hosted by bittorrent.com) but once started the network is self-supporting. (This one is real magic :) )

use_lan_tcp is NOT used for peer discovery; it is a way of speeding up connections to peers that have already been contacted with UDP (like turning off lan_use_encryption).

The relay server is NOT used for peer discovery; it's for working around stupidly obstructive NAT and firewall devices.
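As an added example (not code from the thread or from BitTorrent), here is an iptables script for the "tracker and relay only" lockdown described in the reply above, plus a restriction on the web UI that the posted server config binds to 0.0.0.0:8888. The tracker/relay IPs and the admin network are placeholders you must replace (resolve t.usyncapp.com and the relay host yourself); it assumes the chains' default policy is DROP and only prints the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example: iptables rules for a btsync server that may only talk to the
# tracker and relay (UDP 3000) and must not accept unsolicited UDP from anyone.
# Placeholders (NOT from the thread): PEER_SERVICE_IPS and ADMIN_NET.
BTSYNC_PORT=47151                               # "listening_port" in the server config
WEBUI_PORT=8888                                 # "webui" -> "listen" port in the server config
PEER_SERVICE_IPS="203.0.113.10 203.0.113.11"    # placeholder: tracker + relay addresses
ADMIN_NET="192.0.2.0/24"                        # placeholder: only network allowed to reach the web UI
IPT=${IPT:-echo iptables}                       # prints rules by default; IPT=iptables applies them

btsync_rules() {
    # Solicited replies in both directions: treat UDP like TCP, as the reply suggests.
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The only outbound contact allowed from the btsync port: tracker and relay on UDP 3000.
    for ip in $PEER_SERVICE_IPS; do
        $IPT -A OUTPUT -p udp --sport "$BTSYNC_PORT" -d "$ip" --dport 3000 -j ACCEPT
    done
    # TCP on the btsync port is only useful for LAN peers: refuse it from the internet.
    $IPT -A INPUT -p tcp --dport "$BTSYNC_PORT" -j DROP
    # Unsolicited UDP to the btsync port stays closed; peers reach this host via the relay.
    $IPT -A INPUT -p udp --dport "$BTSYNC_PORT" -j DROP
    # The web UI listens on 0.0.0.0:8888 in the posted config: limit it to ADMIN_NET.
    $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport "$WEBUI_PORT" -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$WEBUI_PORT" -j DROP
    # Everything else btsync emits (DHT probes to 6881, NAT-PMP on 5351, direct
    # peer attempts) is logged with the prefixes seen in the thread, then dropped.
    $IPT -A OUTPUT -p udp --sport "$BTSYNC_PORT" -j LOG --log-prefix "** P2P ** "
    $IPT -A OUTPUT -p udp --sport "$BTSYNC_PORT" -j DROP
    $IPT -A OUTPUT -p udp --dport 5351 -j LOG --log-prefix "** OUT_UDP DROP ** "
    $IPT -A OUTPUT -p udp --dport 5351 -j DROP
}

btsync_rules
```

Because the conntrack ACCEPT rules come first, replies from the tracker and relay get through while the later DROP rules still catch the DHT and NAT-PMP traffic that showed up in the posted kernel log lines.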


Ok, let me see if I got this right:

1) Least open ports for you are using ONLY the tracker and the relay.

2) Open your UDP port, your host to the tracker and relay IPs port 3000.

3) Allow solicited replies from same.

4) Nothing else. This will probably be slow and the peers will still attempt (and fail) to make direct connections.

It's better if you configure UDP to be just like TCP normally is, ie: allow all solicited replies.

1) done

2) by your UDP port you mean 47151 - the only port I can configure within btsync apart from the one for the web interface I reckon? I allow incoming/outgoing UDP traffic on ports 3000,47151 (to and from ANY destination)

3) 2) should take care of this too.

4) care to explain or point me to some links as to why they would fail to connect?

So far, with the setup I just described, my macbook doesn't seem to see the server but I'll give it a while to see if things work out.


I think I also had a problem with the versions. On the server I use BitTorrent Sync 1.1.22 and on my MacBook I had 1.0.something and it wouldn't report any updates. I then figured out that this download link is OLD: http://labs.bittorrent.com/experiments/sync/get-started.html => the download button gives an old Mac image.

Found this one, which seems to be the most recent one: http://syncapp.bittorrent.com/1.1.26/ and my Mac immediately picked up the server... BUT started re-indexing everything :-(

I'll report back with a final résumé once it's done.
