Netgate Discussion Forum

Need another brain... "connection refused"...

  • P
    paulparisi
    last edited by Feb 23, 2019, 4:41 PM

    Need another brain on this... have a longtime working pfSense firewall.

    I have an RSync server behind it that is being used from several locations. I am actively transferring data using RSync to and from several remote hosts. I have one Linux host where I get a "connection refused" - both using RSync and trying "telnet remote.host.com 873". I do the same thing from another site and it connects fine. I can connect to other ports (FTP) from the command line "telnet remote.host.com 21" on both machines.

    I have no rules that are set to block one IP.

    Any pointers would be GREATLY appreciated!

    Thanks,
    Paul.

    • D
      Derelict LAYER 8 Netgate
      last edited by Derelict Feb 23, 2019, 4:55 PM Feb 23, 2019, 4:54 PM

      Connection refused means that something is returning a RST instead of a SYN/ACK when the connection is attempted. A pfSense firewall rule will not do this unless a REJECT rule is explicitly defined. The default behavior is to simply drop blocked traffic, not reply with a RST (the client will hang and time out, not report Connection refused).

      Something somewhere is rejecting the connection instead of accepting it.

      With the information provided that's the best I can do.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)
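
The distinction drawn in the post above (RST means "refused", a silent drop means a hang and a timeout) can be checked from the client with one connect attempt per port. This is an added example, not part of the original thread; the function names and the script name `probe.py` are assumptions made for illustration.

```python
import errno
import socket
import sys

# What each outcome says about the packet exchange (wording follows the post above).
MEANING = {
    "open": "SYN/ACK came back: something accepted the connection",
    "refused": "RST came back: a host or an explicit REJECT rule answered",
    "timeout": "nothing came back: the SYN or its reply was silently dropped",
}

def classify_connect(host, port, timeout=5.0):
    """Attempt one TCP connect and name the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:       # ECONNREFUSED: peer or middlebox sent RST
        return "refused"
    except socket.timeout:               # no SYN/ACK and no RST within `timeout`
        return "timeout"
    except OSError as e:                 # e.g. EHOSTUNREACH from an ICMP unreachable
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()

def compare_ports(host, ports, timeout=5.0):
    """Probe several ports on one host, e.g. 21 and 873 as in the thread."""
    return {p: classify_connect(host, p, timeout) for p in ports}

if __name__ == "__main__":
    # Usage: python probe.py <host> <port> [<port> ...]
    host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    for port, result in compare_ports(host, ports).items():
        print(port, result, "-", MEANING.get(result, "see errno"))
```

Running it from both the working and the failing client against the same ports shows whether the failing side gets an active rejection or a silent drop.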

      • P
        paulparisi
        last edited by Feb 23, 2019, 4:55 PM

        Ah - ok - any suggested next steps for troubleshooting?

        • D
          Derelict LAYER 8 Netgate
          last edited by Derelict Feb 23, 2019, 4:59 PM Feb 23, 2019, 4:58 PM

          Find out what is rejecting the connection. You might need to packet capture. I would start at the pfSense interface at the server side. See if the SYN is being sent to the server and a RST / RST/ACK is being returned. If so, go to the server and figure out why it is rejecting the connections. The server logs might help here.

          If not, then walk the packet captures back one hop at a time toward the client (pfSense WAN would likely be next) until you find the RST being returned, or the SYN not arriving at all (meaning something upstream is doing it.)

          You might need to look at the client side.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)
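
The hop-by-hop walk described in the post above, as an added example that is not part of the original thread: given text captures taken at each point between client and server, it reports the last hop that saw the SYN and whether a RST came back there. It assumes `tcpdump -nn` style text output; the hop names, addresses and capture lines are constructed sample data.

```python
import re

# Matches tcpdump -nn text output, e.g.
# "12:00:01.10 IP 198.51.100.7.51514 > 203.0.113.10.873: Flags [S], seq 1, length 0"
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def summarize(lines, port):
    """Return (syn_seen, rst_seen) for traffic to/from `port` at one capture point."""
    syn = rst = False
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        sport, dport, flags = int(m.group(2)), int(m.group(4)), m.group(5)
        if dport == port and flags == "S":      # bare SYN heading to the service
            syn = True
        elif sport == port and "R" in flags:    # RST or RST/ACK coming back
            rst = True
    return syn, rst

def locate(hops, port):
    """hops: [(name, capture_lines), ...] ordered from client to server side.
    Returns (outcome, last_hop_with_syn, next_hop); outcome is 'rst' when a RST
    was seen at that last hop, 'no-rst' otherwise, 'no-syn' if no SYN at all."""
    seen = [(name,) + summarize(lines, port) for name, lines in hops]
    last = -1
    for i, (_, syn, _) in enumerate(seen):
        if not syn:
            break
        last = i
    if last < 0:
        return ("no-syn", None, seen[0][0])
    nxt = seen[last + 1][0] if last + 1 < len(seen) else "server"
    return ("rst" if seen[last][2] else "no-rst", seen[last][0], nxt)

# Constructed captures (documentation addresses), one list per capture point.
CAPTURES = [
    ("client", [
        "12:00:01.10 IP 198.51.100.7.51514 > 203.0.113.10.873: Flags [S], seq 1, length 0",
        "12:00:01.11 IP 203.0.113.10.873 > 198.51.100.7.51514: Flags [R.], seq 0, ack 2, length 0",
    ]),
    ("pfSense WAN", []),
    ("pfSense LAN", []),
]

if __name__ == "__main__":
    print(locate(CAPTURES, 873))
```

A result of `('rst', 'client', 'pfSense WAN')` means the SYN never reached the pfSense WAN and the RST was generated somewhere between the client and that interface.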

          • P
            paulparisi
            last edited by Feb 23, 2019, 5:05 PM

            The "problem" host is a Bluehost shared hosting account [host1] - it may be that client. The thing is that I have another Bluehost shared hosting account [host2] (on a different box) that it works on.

            I am able to make FTP connections from Host1 and Host2... so maybe BH has 873 outbound blocked on Host1. Does that sound plausible?

            • D
              Derelict LAYER 8 Netgate
              last edited by Feb 23, 2019, 5:11 PM

              Something is rejecting the connection. What it is would be just a guess without tests being conducted. No experience with Bluehost. Sorry.

              If the SYN leaves the client and does not arrive at the pfSense WAN, then something between the client and that interface is blocking it.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • G
                Gertjan
                last edited by Feb 25, 2019, 9:12 AM

                When you talk about FTP, then port 21, among others, gets involved.
                rsync, normally, runs over port 22 - or whatever port (SSH?) you chose server side.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??
