<div dir="ltr"><div class="gmail_default" style="font-size:x-small">Thank you for you quick reply, and sorry it's taken me so long to respond back.</div><div class="gmail_default" style="font-size:x-small"><br></div><div class="gmail_default" style="font-size:x-small">Frankly I'm not exactly sure what is going on, or what layer the problem is. </div><div class="gmail_default" style="font-size:x-small"><br></div><div class="gmail_default" style="font-size:x-small">I don't think this is a firewall issue--I'm not seeing the connections closed in "minutes", I'm seeing them dropped </div><div class="gmail_default" style="font-size:x-small"><br></div><div class="gmail_default"><div style="font-size:x-small">So I want to connect FROM the indexer TO the DMZ host so the DMZ host can send log data back. </div><div style="font-size:x-small"><br></div><div style="font-size:x-small">Or to put it another way, the *client* opens the connection to the server and the server starts flowing data. </div><div style="font-size:x-small"><br></div><div style="font-size:x-small">But if I have rsyslogd listening on 3002 ( on the Indexer (client) side, then the tunnel never gets initiated, and if I have rsyslogd set up to *send* from the DMZ (server) side I get: </div><div style="font-size:x-small"><br></div><div style="font-size:x-small"><br></div><div style="font-size:x-small"><br></div><div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448011328]: Service [tunnel_from_10.3.209.52] accepted (FD=3) f rom <a href="http://10.3.209.52:43042">10.3.209.52:43042</a></font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: Service [tunnel_from_10.3.209.52] started</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: Waiting for a libwrap process</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: Acquired libwrap process #0</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: Releasing libwrap process #0</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: Released libwrap process #0</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: Service [tunnel_from_10.3.209.52] permitted by libw rap from <a href="http://10.3.209.52:43042">10.3.209.52:43042</a></font></div><div><font size="1">2018.07.19 23:59:41 LOG5[24275:140358448006912]: Service [tunnel_from_10.3.209.52] accepted connecti on from <a href="http://10.3.209.52:43042">10.3.209.52:43042</a></font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): before/accept initialization</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SNI: no virtual services defined</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 read client hello B</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 write server hello A</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 write certificate A</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 write key exchange A</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 write server done A</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 flush data</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 read client certificate A</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 read client key exchange A</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 read certificate verify A</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 read finished A</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 write session ticket A</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 write change cipher spec A</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 write finished A</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: SSL state (accept): SSLv3 flush data</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: 0 items in the session cache</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: 0 client connects (SSL_connect())</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: 0 client connects that finished</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: 0 client renegotiations requested</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: 1 server connects (SSL_accept())</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: 1 server connects that finished</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: 0 server renegotiations requested</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: 0 session cache hits</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: 0 external session cache hits</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: 0 session cache misses</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: 0 session cache timeouts</font></div><div><font size="1">2018.07.19 23:59:41 LOG6[24275:140358448006912]: SSL accepted: new session negotiated</font></div><div><font size="1">2018.07.19 23:59:41 LOG6[24275:140358448006912]: Negotiated protocol version: TLSv1.2</font></div><div><font size="1">2018.07.19 23:59:41 LOG6[24275:140358448006912]: Negotiated TLSv1/SSLv3 ciphersuite: ECDHE-RSA-RC4-S HA (112-bit encryption)</font></div><div><font size="1">2018.07.19 23:59:41 LOG6[24275:140358448006912]: Compression: null, expansion: null</font></div><div><font size="1">2018.07.19 23:59:41 LOG6[24275:140358448006912]: connect_blocking: connecting <a href="http://127.0.0.1:3000">127.0.0.1:3000</a></font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: connect_blocking: s_poll_wait <a href="http://127.0.0.1:3000">127.0.0.1:3000</a>: waiti ng 10 seconds</font></div><div><font size="1">2018.07.19 23:59:41 LOG3[24275:140358448006912]: connect_blocking: connect <a href="http://127.0.0.1:3000">127.0.0.1:3000</a>: Connectio n refused (111)</font></div><div><font size="1">2018.07.19 23:59:41 LOG5[24275:140358448006912]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: Local socket (FD=3) closed</font></div><div><font size="1">2018.07.19 23:59:41 LOG7[24275:140358448006912]: Service [tunnel_from_10.3.209.52] finished (0 left)</font></div><div style="font-size:x-small"><br></div></div><div style="font-size:x-small">so it never has a chance to send. </div><div style="font-size:x-small"><br></div><div style="font-size:x-small">Am I trying to do something that Stunnel just isn't designed for? </div><div style="font-size:x-small"><br></div><div style="font-size:x-small"><br></div><div style="font-size:x-small"><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 18, 2018 at 2:43 AM, Peter Pentchev <span dir="ltr"><<a href="mailto:roam@ringlet.net" target="_blank">roam@ringlet.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Tue, Jul 17, 2018 at 10:51:07PM -0600, C. Petro wrote:<br>
> I have a client who is setting up a logging infrastructure involving a<br>
> couple of DMZs forwarding logs into central logging points.<br>
> <br>
> They have to pass compliance audits (SOX, PCI at least) and have some<br>
> rather specific desires in regards to how they want the log traffic to<br>
> move, and which servers *initiate* the connections.<br>
> <br>
> Which is to say they want the internal servers to set up tunnels to the DMZ<br>
> servers and then the forwarders use that tunnel to deliver logs back.<br>
> <br>
> <br>
> Lemme see if I can ascii art this:<br>
> <br>
> central1----------------------<wbr>------------dmz1<br>
> \____________________ /<br>
> _____________________\ _/<br>
> / \<br>
> central2----------------------<wbr>------------dmz2<br>
> <br>
> Something like that.<br>
> <br>
> Central1=10.10.1.2<br>
> Central2=10.9.1.2<br>
> <br>
> DMZ1=172.18.0.5<br>
> DMZ2=172.20.0.5<br>
> <br>
> Firewalls are in effect.<br>
> <br>
> I have gotten it set up so that I can initiate a connection FROM Central1<br>
> to DMZ2.<br>
> <br>
> [Tunnel_to_DMZ2]<br>
> client = yes<br>
> accept = 3002<br>
> connect = <a href="http://172.20.0.5:5000" rel="noreferrer" target="_blank">172.20.0.5:5000</a><br>
> <br>
> <br>
> And<br>
> <br>
> [Tunnel_from_Central1]<br>
> accept = 5000<br>
> connect = 3000<br>
> <br>
> <br>
> Like I said, I can open a tunnel from Central1 to DMZ2, but can't get<br>
> traffic to pass backwards--I get a message in the log saying the session is<br>
> closed.<br>
<br>
</div></div>So you are saying that the connection is established successfully?<br>
(you can check that in the logs of both stunnel instances and also using<br>
e.g. netstat or ss or similar tools on the hosts that should be talking to<br>
each other through the tunnel)<br>
...but then, some indeterminate time later, one of the hosts tries to send<br>
some data through this connection and gets a connection reset or something<br>
like that?<br>
<br>
If so, this sounds like something I've seen *a lot* with firewalls and<br>
other devices that try to keep track of connections passing through them<br>
(e.g. for NAT and such) - the firewall/NAT/whatever decides that there has<br>
been no traffic on that particular connection for, say, the last 15 minutes,<br>
so it drops it from its internal state - *obviously* those hosts do not need<br>
to talk to each other any more, who would ever have a 15-minute pause in<br>
a TCP connection, why would anybody want that? So the next time one of<br>
the hosts tries to send some data, the firewall/NAT/whatever says "hm, well,<br>
I don't know anything about this connection that you think you have, so,<br>
yeah, no".<br>
<br>
TL;DR: maybe you should check the settings on some of the firewall devices<br>
and see if you can somehow raise the timeouts for inactive connections or<br>
something like that.<br>
<span class=""><br>
> Is it possible to set stunnel up in a "reverse tunnel" mode--one where the<br>
> connect is initiated from one end, but the other does most of the message<br>
> passing?<br>
> <br>
> What I am missing?<br>
<br>
</span>Hope the above helps.<br>
<br>
G'luck,<br>
Peter<br>
<span class="HOEnZb"><font color="#888888"><br>
-- <br>
Peter Pentchev roam@{<a href="http://ringlet.net" rel="noreferrer" target="_blank">ringlet.net</a>,<a href="http://debian.org" rel="noreferrer" target="_blank">debian.org</a>,<wbr>FreeBSD.org} <a href="mailto:pp@storpool.com">pp@storpool.com</a><br>
PGP key: <a href="http://people.FreeBSD.org/~roam/roam.key.asc" rel="noreferrer" target="_blank">http://people.FreeBSD.org/~<wbr>roam/roam.key.asc</a><br>
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13<br>
</font></span></blockquote></div><br></div>