Leopard firewall blocks Retrospect Client


I have the Mac OS X 10.5.1 Leopard firewall on my PowerBook set to "Set access for specific services and applications," and I have a special entry that allows incoming connections to pitond. I am nevertheless unable to connect to the PowerBook Client (130) from my Retrospect Desktop (138) server. Console.app on the PowerBook reports "Deny pitond...." Retrospect Desktop on the server puts up a progress alert that it's trying to connect, then it presents an error alert that the client is not visible on the network. (I've also added an entry to allow incoming connections to Retrospect Client, but that doesn't help.)

 

If I change the firewall setting on the PowerBook to "Allow all incoming connections," Retrospect Client works perfectly well. If I change it back to "Set access for specific services and applications," it starts blocking pitond again despite the special entry to allow incoming connections to pitond.

 

I'm unwilling to run without a firewall. How can I connect to Retrospect Client with the firewall running on the client PowerBook?

 

More info, in case it's relevant: The first time I tried to use Retrospect Client on the PowerBook, Leopard put up a dialog asking if I want to allow access to 'pitond'. At that point, I didn't remember that 'pitond' is a Retrospect service, but I started moving the mouse to click "Allow" anyway. Unfortunately, my thumb slipped off the trackpad button over the "deny" button. That's why I had to start experimenting with System Preferences' Security/Firewall pane, but as far as I know I have now got it set up exactly as it would have been set up if I had clicked "Allow."

Link to comment
Share on other sites

I explained why in my original post: The system put up an alert asking me whether to allow pitond to receive accesses. Obviously, the system thinks pitond needs access in order to work, and my research in other forums and Google suggested so, too. As I explained, I accidentally clicked the deny button, and from then on Retrospect Access didn't work with the firewall turned on, but it does work with the firewall turned off. Apparently, pitond access is necessary to get through the firewall. Can you cite authority to the contrary? When you look in your System Preferences/Security/Firewall pane on your client machines, what are your firewall settings?

 

As I also explained in my post, I also tried allowing access to Retrospect Client, and it didn't help.

 

I wonder why you are asking these questions, since I already answered them in my original post. Is there something you can add that would help me get past this problem?

Link to comment
Share on other sites

> Can you cite authority to the contrary?

 


 

As the senior manager of technical support for Retrospect, supporting Retrospect for over 13 years, I think that makes me an authority.

 

Opening the Firewall for the Retrospect Client itself would be the best way, but if Pitond is already blocked, that may be a problem.

Doesn't the firewall list the items you have excluded so you can remove them?

 

Retrospect Client uses Port 497 for UDP and TCP traffic. In 10.4, you could open up these specific settings. With the new very limited Firewall offered by Apple, I have been unable to find a way in 10.5 to open specific ports.

 

 

You can try to uninstall and reinstall the client. During the client install, you will get a prompt to open up the firewall. Keep in mind that the command we use to open the firewall was designed pre-10.5, so I am not 100% sure if the same command functions under 10.5.

Link to comment
Share on other sites

> Is there something you can add that would help me get past this problem?

 


 

He's trying.

 

But if he misread or missed some specific comment in your original post, lighten up and help to keep the communication flowing.

 

> as far as I know I have now got it set up exactly as it would have been set up if I had clicked "Allow."

 

But maybe not.

 

Perhaps zapping the OS X firewall preferences/settings and starting fresh might yield a different result.

Link to comment
Share on other sites

> > as far as I know I have now got it set up exactly as it would have been set up if I had clicked "Allow."

 

How exactly is it set up now?

 

Below the line (which separates Apple configured services from other services) you have pitond listed, with "Allow incoming connections" set?

 

Since a user can't manually configure it to look like this (without first getting the prompt from the OS about this process), and since Robin reports success with the firewall enabled on Leopard test machines, what if you deleted the pitond entry entirely, then added the Retrospect Client application (which included pitond within its bundle)?

 

 

Dave

Link to comment
Share on other sites

Replying to CallMeDave: My apologies to the list for being crusty. I'm not usually like that. Consider me lightened up. :)

 

I would be reluctant to zap the firewall preferences file until I've confirmed that all else fails. But I would like to examine the preferences file. Can you tell me where it's located and what its name is? I haven't been able to find it yet.

 

At the moment, I have both pitond and Retrospect Client listed with "Allow incoming connections" set for both of them. I had previously tried it with one alone listed and set, then with the other alone listed and set. None of these three configurations worked. The only thing that worked was to turn off the firewall completely, and like I said, I'm not willing to live that way.

 

Actually, you can configure the list manually, and I did: In System Preferences/Security/Firewall: (1) select the "Set access for specific services and applications" radio button, (2) click the "+" button beneath the list of specific services and applications to bring up the file selection sheet, (3) switch to the Finder and use the contextual menu to open the Retrospect Client's package's Contents/Resources folder, (4) drag the pitond file from the Resources folder in the Finder window to the file selection sheet in System Preferences/Security/Firewall (see the "+" badge on the cursor as you drag) and drop it in, and (5) click Add. The sheet goes away and now you have pitond in the specific services and applications list. (Dragging from the Finder into a sheet on another application's window is not exactly intuitive UI design, but it works.) If necessary, click the "Block incoming connections" popup menu button in the scrollable table and choose "Allow incoming connections" instead. This is exactly the configuration that results when you click the "Allow" button (instead of the "Deny" button, as I accidentally did) in the alert that the system presents. (I could have simply used the popup menu button to change from "Block incoming connections" to "Allow incoming connections" for pitond in the first place, but I had already clicked the "-" button to delete the pitond file from the list, as the first step in my explorations to find a solution.)

Link to comment
Share on other sites

Replying to Mayoff: I'm delighted to be in communication with an authority, but somewhat dismayed that Apple hasn't given developers enough information to get this right. (As a developer myself, I'm aware of the issues.) I will remove both pitond and Retrospect Client from the specific services and applications list, and start over by allowing access for Retrospect Client alone, first. But I've tried that configuration once already without success. My guess is that the new Leopard firewall software doesn't know to associate port 497 UDP/TCP with Retrospect Client or pitond.

 

There is some Apple documentation that claims you can still use ipfw to open specific ports, and that the new higher-level Leopard firewall will honor more-specific ipfw settings. But you need to use third-party software or Terminal to configure ipfw now that System Preferences no longer uses ipfw. Perhaps Apple expects commercial applications with specific port requirements to open those ports themselves with ipfw? (It's easy to suspect that Apple didn't quite finish thinking through the implications of the new, easy-to-use Leopard firewall.)

 

I already uninstalled and reinstalled Retrospect Client, because I ran into the problem where the new 138 disk image for Retrospect Desktop contains the old 107 version of Retrospect Client. I ran the client installer right after upgrading Retrospect, and I promptly discovered to my astonishment that the client had been downgraded from 130 to 107 as a result. So I uninstalled the 107 client and reinstalled the 130 client that I had to download separately from the EMC/Dantz site. (You can imagine why I've been a little crusty lately.)

 

If I understand your post correctly, you have stated in substance that Retrospect Client no longer works with the new Leopard firewall radio button set to "Set access for specific services and applications" because you can't open port 497. I realize that you said in your earlier post that you're running several computers under 10.5.1 and none have firewall issues, but you didn't specify how your firewalls are configured. Can you advise on that? If in fact your clients are blocked, as mine is, when you turn on the "Set access for specific services and applications" setting, then this is a major issue for the Retrospect product and hopefully will be escalated to the highest priority.

Link to comment
Share on other sites

From my own testing 10 minutes ago:

 

-Allow all incoming connections always allows my client to be seen

-Allow only essential services always STOPS the client from being seen

-Set Access for Specific Services and Applications allows the client to be seen with and without the client being included in the list of programs. I have seen the same behavior with other client computers.

 

This is the same behavior I saw in 10.5.0.

Link to comment
Share on other sites

OK, I got it to work. I think I see what's happening, and as a result I have a suggestion for a new feature in the next version of Retrospect Client (at the end of this post).

 

I uninstalled Retrospect Client, then reinstalled it. These interesting events occurred:

 

1. An installer dialog asked me whether to allow incoming connections to Retrospect through the firewall, and I answered yes. Judging from your earlier remarks, this instructed the installer to open the required port 497 using ipfw (the old Tiger technique you mentioned that Client still uses). I have done some more research on ipfw and Leopard this afternoon, and I've found lots of confirmation that ipfw port settings are still honored in Leopard, and the new Leopard application firewall is layered on top of it. This is apparently why the new Leopard firewall is disabled by default upon installation of Leopard -- the old firewall is still in place by default, so our Leopard Macs are still secure even with the new firewall disabled.

 

2. A second dialog, this one presented by the Leopard system, asked me whether to allow incoming connections to pitond through the firewall. I answered yes this time. Looking at the Firewall pane in System Preferences Security afterwards, I see that this added pitond to the specific applications and services list with an "Allow incoming access" setting.

 

(As an aside, I then had to use Retrospect Desktop on the server to "forget" the old backup client and add a new one by IP address, before the server would let me connect to the client. I was told to do this by an error alert that differed from the old "not visible on the network" alert; this new alert said something about not recognizing the client name/password. I had used my standard password, so I'm not sure why this was an issue.)

 

I suspect that the original failure that started all this was caused by my having accidentally clicked Deny instead of Allow in response to the system dialog (step 2 above) the first time around. That mistake on my part may have caused your installation script to decide NOT to open the required port 497 in ipfw, even though I had answered yes to the installer dialog (step 1 above) the first time around. Not opening the port would certainly be a sensible reaction to my inadvertent request that access be denied. In fact, your installer script might have actively closed port 497 at that point. Then, when I later used System Preferences to manually list and allow incoming access to pitond, System Preferences dutifully did so -- BUT it had no way to know that it should ALSO now open the required port 497 using ipfw. Since port 497 was at this point presumably still closed, my server couldn't see my client even though System Preferences seemed to be saying that access was allowed.

 

If I'm right about this, then indeed uninstalling and reinstalling Retrospect Client is currently the only way to get Client to work if anybody else makes the same mistake I did during initial installation (clicking Deny instead of Allow in the system alert). This suggests that you should add a new feature for the next version of Retrospect Client: include an option to open or close the required port 497 in the Retrospect Client Preferences window (opening it by default), since Apple no longer gives us users a UI to do this.

 

This also points up a failing in the new Leopard firewall that lots of people are talking about: Apple hasn't yet adequately documented the fact that ipfw is still there, and that sometimes ipfw still needs to be used to open special ports that the new Leopard firewall doesn't touch.

 

Thanks for your help. Retrospect has always been a great product, and I've used it on my home network for many, many years. I'm using Time Machine now, too, experimentally, and so far it isn't at all clear to me that Time Machine will be an adequate replacement for Retrospect.

Link to comment
Share on other sites
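If, as several posts in this thread suggest, ipfw port rules sit beneath the Leopard application firewall, an "Allow" entry for pitond does not by itself show that port 497 is open at the packet-filter layer. The following is an added example, not from any poster or from Retrospect: it evaluates text in the format printed by `ipfw list`, first match wins, for a new inbound TCP or UDP connection to port 497. Both rulesets are constructed samples, and only the subset of ipfw rule syntax handled in the hypothetical helper `rule_matches` is modelled; anything else is reported as unknown.

```python
ALLOW = {"allow", "accept", "pass", "permit"}
DENY = {"deny", "drop", "reset"}

# Constructed sample: a Tiger-style ruleset with no rule for port 497.
BLOCKED = """\
02000 allow ip from any to any via lo*
02040 allow tcp from any to any established
02050 allow tcp from any to any out
12190 deny tcp from any to any
20310 allow udp from any to any dst-port 53 in
35000 deny udp from any to any in
65535 allow ip from any to any
"""

# Constructed sample: the same ruleset with port 497 opened for TCP and UDP.
OPENED = BLOCKED.replace(
    "12190 deny",
    "02070 allow tcp from any to any dst-port 497 in\n"
    "02080 allow udp from any to any dst-port 497 in\n"
    "12190 deny",
)

def port_in(spec, port):
    """True if port is in a spec such as '497', '53,497' or '490-500'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(body, proto, port):
    """True/False for a match; None if the rule uses syntax not modelled here."""
    if len(body) < 5 or body[1] != "from" or body[3] != "to":
        return None
    if body[0] not in ("ip", "all", proto):
        return False
    if body[2] != "any" or body[4] not in ("any", "me"):
        return None                       # address-specific rules are not modelled
    opts = iter(body[5:])
    try:
        for opt in opts:
            if opt == "dst-port":
                if not port_in(next(opts, ""), port):
                    return False
            elif opt == "setup" and proto != "tcp":
                return False              # setup means TCP SYN only
            elif opt in ("out", "established", "frag"):
                return False              # never true for a new inbound packet
            elif opt == "via":
                # loopback never carries remote traffic; other interfaces unknown
                return False if next(opts, "").startswith("lo") else None
            elif opt not in ("in", "keep-state", "setup"):
                return None
    except ValueError:                    # non-numeric port spec
        return None
    return True

def verdict(ruleset, proto, port=497):
    """Return (decision, rule_number) using ipfw's first-match-wins order."""
    for line in ruleset.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue                      # blank line or bare check-state
        matched = rule_matches(parts[2:], proto, port)
        if matched is False:
            continue
        if matched is None or parts[1] not in ALLOW | DENY:
            return ("unknown", parts[0])  # stop rather than guess
        return ("allow" if parts[1] in ALLOW else "deny", parts[0])
    return ("unknown", None)              # listing lacked the default rule

if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(proto, verdict(BLOCKED, proto), verdict(OPENED, proto))
```

To use it on a real machine, paste the output of `sudo ipfw list` into a string and pass it to `verdict` for both `"tcp"` and `"udp"`, since Retrospect Client uses port 497 for both.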

> This suggests that you should add a new feature for the next version of Retrospect Client: include an option to open or close the required port 497 in the Retrospect Client Preferences window (opening it by default), since Apple no longer gives us users a UI to do this.

 


 

I disagree that developers should be expected to provide a front end to the traffic shaper control program that's part of OS X. Apple should be called upon to return the interface to ipfw, not excused for taking it away in Leopard.

 

 

Dave

Link to comment
Share on other sites

I agree that Apple should restore the GUI to open and close ports generally in Leopard.

 

But I have always thought that individual applications that rely on specific ports should include the ability to open and close them. The old Apple firewall GUI was totally mysterious to most users, and it was very hard to find out what ports were required by which applications if you weren't an Internet expert. Putting a checkbox for the port that Retrospect Client needs into Client's preferences is just plain common sense, in my opinion, and it would overcome some of the mystery for typical users. Ditto for any other application that requires specific ports. And it would certainly be a benefit to EMC/Dantz, even if it eliminated only a handful of customer complaints.

Link to comment
Share on other sites

I'm seeing something similar. I started with a 10.4.10 system with no FW on, but the 6.1.130 client on. I updated this to 10.5 then set the firewall to "set access for specific services and applications" and added the Retrospect Client app.

 

Then, after updating to 10.5.1, the firewall prompt at start up started asking for "pitond".

 

I've since removed the *app* from the Firewall GUI and have now left only "pitond".

 

But this doesn't seem right, does it? Should I just remove "pitond" and uninstall/reinstall the Client to get this where it should be?

 

- Steve

Link to comment
Share on other sites

So, Robyn...

 

What's the official word here under 10.5.1?

 

1) Leave "pitond" (which works) in the firewall GUI when prompted about it? (Leaving the app does *not* work...)

 

2) uninstall/reinstall the client?

 

3) Wait for an updated client installer (would be best) that will deal with 10.5.x properly?

 

Thanks!

Link to comment
Share on other sites

You should be adding the Retrospect client to the exception list.

 

We are reviewing the recent changes by Apple to see if we can reproduce the dialog for pitond (I have never seen it).

 

I have never had a problem with the firewall, it seems to always allow Retrospect Client traffic for me.

Link to comment
Share on other sites

OK -- here's what I seem to be able to reproduce (if it helps...)

 

Started with a 10.4.10 machine with no firewall on.

 

Updated this to 10.5 -- set the firewall to "allow specific services" and added the Client app. Worked at that point to back up through the firewall.

 

Updated to 10.5.1 (in all honesty, can't remember if this was the "combo" or the "software update" version of 10.5.1 now...)-- got the prompts about "pitond" when I'd start up the computer. Computer would not be seen by the backup server until I allowed "pitond" to be added.

 

I reran the 6.1.30 client installer and *uninstalled* the client. This removed all traces of Retrospect stuff from the firewall GUI.

 

Rebooted.

 

Reran the client installer. Added a password. Said yes to the client installer prompt about the firewall and left the client installer at the "quit/restart" dialog. *At this point* the OS prompt comes up about allowing "pitond".

 

I didn't touch anything (as I was composing this message). I look back at that mac and that dialog box about "pitond" has gone away.

 

*Without restarting yet* -- the firewall GUI shows both the Retrospect client app *and* pitond. "pitond" is -- at this point -- "blocking incoming connections" (because I'm guessing the OS will automatically add things to the firewall GUI in a default "deny" posture if you don't "allow" it...)

 

I restart (from the button on the client installer). Upon reboot, both the Retrospect client and pitond are in the firewall GUI. Retrospect app -- allow, "pitond" -- block.

 

At this point -- I can do the exact same steps above: Uninstall client -- retro gone from the GUI. Reinstall client -- App and pitond are in the GUI... (however, if I click "allow" when the OS asks about the firewall, "pitond" is still blocked! -- which is odd...)

 

 

To me, this is reproducible...

Link to comment
Share on other sites

A lot of testing here, but I'm concerned that too many variables are still in play.

 

For example:

 

> Started with a 10.4.10 machine with no firewall on.

 

Was this a clean install, or at least a clean enough test bed to start with?

 

> I reran the 6.1.30 client installer and *uninstalled* the client. This removed all traces of

> Retrospect stuff from the firewall GUI.

 

Now we've introduced the behavior of the Retrospect OS Client installer script into the testing.

 

The client package includes a binary named "firewallcon2" which is probably used to configure ipfw. Usage for that program is:

Usage: %s [-v] -status|reset|add|remove|enable|disable|edit|noedit

 

I would _assume_ that uninstalling the client with the installer would reset ipfw, but I haven't tested it.

 

> *Without restarting yet* -- the firewall GUI shows both the Retrospect client app *and* pitond. "pitond"

> is -- at this point -- "blocking incoming connections"

 

You don't state here what the GUI shows for the Retrospect client app; is it blocking or allowing?

 

> At this point -- I can do the exact same steps above...

 

If you do, can you get the client to be accessible by a machine running Retrospect?

 

> To me, this is reproducible...

 

I believe you, but I generally find that steps-to-reproduce are the clearest for readers (and engineers!) when each step is on its own line in chronological order.

Link to comment
Share on other sites

Rather than copy/paste (as I'm at home):

 

10.4.10 build was a semi-clean test bed. It's my 10.4.10 load set that I distribute to other machines here so there is other software on it, but it was originally built at 10.4.0 (not an upgrade from any 10.3 set...) And, most assuredly, it had whatever Retrospect client was available at the 10.4.0 time frame and had that client updated through all subsequent versions until 6.1.130.

 

After installing the client, the GUI is *allowing connections* for the Retrospect Client application.

 

 

I can only get the client to be accessible by *allowing connections* for "pitond". If "pitond" is blocking (or not in the GUI), then Retrospect cannot see this client -- regardless if the Retrospect Client application is blocking or allowing. Unless, of course, I turn off the firewall.

 

To reiterate: This is new behavior with 10.5.1. With 10.5.0, I could have the Retrospect Client application allowing connections and I could add the clients to the server app. And this was just by adding the Client app to the GUI manually (rather than rerunning the client installer.)

 

If I were to guess, I believe the problem may be with the 10.5.1 "delta" update available through Software Update rather than the 100M "combo" update downloadable from Apple (or vice versa...)

Link to comment
Share on other sites

> If I were to guess, I believe the problem may be with the 10.5.1 "delta" update available through Software Update rather than the 100M "combo" update downloadable from Apple (or vice versa...)

 


 

As a .1 release, I don't believe the 10.5.1 updater has separate "delta" and "combo" updates. But for what it's worth, my problem occurred with the downloadable update, which I applied manually.

Link to comment
Share on other sites

Yes, there are differences in the 10.5.1 updates from what is downloadable via Software Update and what comes from apple.com.

 

You can see this (off topic) by running Disk Utility and repair permissions -- the SU update version of 10.5.1 applied will show files needing to be repaired (that can't be), but the "combo" updater doesn't show these (this is starting with the same reference 10.5.0 system.)

Link to comment
Share on other sites

Here's another data point (if it helps or not):

 

Intel Mac running 10.4.11 -- firewall off -- 6.1.130 client.

 

in-place upgrade to 10.5.0

 

When booted into 10.5.0, I turn on the "set specific..." firewall and manually add the Retrospect Client application.

 

I then run Software update (QT and 10.5.1 there).

 

Reboot when done.

 

Two things of note:

 

1) Retrospect server app can now not see the client

 

2) *NO prompt* about "pitond"

 

 

I run Disk Utility Repair permissions. Because it's the 10.5.1 delta update, it's full of the "Warning: SUID file..." messages.

 

I reboot after that...

 

No pitond prompt.

 

But still no client access, either.

 

FWIW...

 

 

I'm fairly certain on my machine that's showing the "pitond" issue, I applied the 100M 10.5.1 download from apple.com as opposed to installing the 10.5.1 update via Software Update. If that also helps.

Link to comment
Share on other sites

> I believe the problem may be with the 10.5.1 "delta" update available through Software Update rather than the 100M "combo" update downloadable from Apple (or vice versa...)

 


 

I'm not sure what the problem here is.

 

We know that Apple made changes to the Leopard firewall with the 10.5.1 update. If those changes now require the explicit addition of the pitond process to be added to the list of what's allowed to communicate, then that would just be a new reality.

 

As long as there are known settings that work and can be documented, I don't see any issue.

 

 

Dave

Link to comment
Share on other sites
