Re: [Raspberry Shake Community Forum] Firewalls for schools often restrict traffic


Branden Christensen

Jan 19, 2017, 11:37:01 AM1/19/17
to RaspberryShake
Hi all:


In Australian schools, is UDP port 123 open? We would expect so, as most modern Windows systems use NTP over port 123 to set the computer time ...

Yours, Branden

AuSIS

Jan 19, 2017, 4:46:59 PM1/19/17
to RaspberryShake, branden.c...@osop.com.pa
Hi Branden
I would doubt it; the only traffic they allow is usually internet browsing (port 80, which is also restricted to prevent browsing on certain websites) and state department of education traffic. We spent a lot of time getting firewalls for UDP traffic opened on a specific port to a specific IP address, and it is a weakness, as every time there is a rejig of the IT system at a school we are vulnerable to the firewall being closed on us. For our public schools each state has different contacts and rules, and for independent and private schools they all have their own rules as well, which would make any large roll-out a burden on our very limited staffing (and one state has basically told us that it won't make any changes). Our program is run on a shoestring utilising volunteers so that the money can mostly be put into instruments.

I can make an enquiry about which outgoing ports are available in each state, but this won't cover all the schools who have applied for our program. I also plan to put the Raspberry Shake we bought to test into a school locally to see how it goes. We are currently looking at the possibility of doing a bit of reprogramming to send the data to us instead; we run seiscomp3 currently, so this may be an option, and we could then send it on to the Raspberry Shake community. This ultimately might be easier for us.

Anyway we are at the early stages of looking at the raspberry shake as an option so I am trying to get all the information of what is possible.

Cheers

Michelle

Branden Christensen

Jan 19, 2017, 4:57:34 PM1/19/17
to RaspberryShake
Hi Michelle:

I would doubt it; the only traffic they allow is usually internet browsing (port 80, which is also restricted to prevent browsing on certain websites) and state department of education traffic. We spent a lot of time getting firewalls for UDP traffic opened on a specific port to a specific IP address, and it is a weakness, as every time there is a rejig of the IT system at a school we are vulnerable to the firewall being closed on us. For our public schools each state has different contacts and rules, and for independent and private schools they all have their own rules as well, which would make any large roll-out a burden on our very limited staffing (and one state has basically told us that it won't make any changes). Our program is run on a shoestring utilising volunteers so that the money can mostly be put into instruments.
Yikes, under those conditions I am not sure any IoT seismograph, no matter how clever, would be able to communicate with a community cloud service similar to Raspberry Shake's. And it is a shame too because we are going to be rolling out more and more services this year. People continue buying Shakes and we are super motivated to really build up the cloud services on offer to help everyone make the absolute most of theirs, for hobby, education or anything else.

I am all ears to possible solutions. Looks like a steep climb, but we will figure something out.

Keep in mind that Raspberry Shake was in fact designed so that it does not require any Internet connection: See http://manual.raspberryshake.org/no-network.html for details. Swarm and everything will work locally. 

I can make an enquiry about which outgoing ports are available in each state, but this won't cover all the schools who have applied for our program.
Good, I am eager to hear what feedback you get. Maybe send them this: http://manual.raspberryshake.org/firewallIssues.html
I also plan to put the Raspberry Shake we bought to test into a school locally to see how it goes. We are currently looking at the possibility of doing a bit of reprogramming to send the data to us instead; we run seiscomp3 currently, so this may be an option, and we could then send it on to the Raspberry Shake community. This ultimately might be easier for us.

Anyway we are at the early stages of looking at the raspberry shake as an option so I am trying to get all the information of what is possible.
Well, consider us at your service. I have never been to Australia. Sure is a pleasure working with you remotely though.  


Branden

chris...@aol.com

Jan 19, 2017, 6:02:49 PM1/19/17
to raspber...@googlegroups.com
Hi Michelle, 

    OK, there are school firewall connection issues. So, how do you solve the problem for your 47 existing triaxial Guralp CMG-6TD seismometers, please?

    Regards, 

    Chris Chapman

From: AuSIS <michell...@gmail.com>
To: RaspberryShake <raspber...@googlegroups.com>
Sent: Wed, Jan 18, 2017 11:07 pm
Subject: [Raspberry Shake Community Forum] Firewalls for schools often restrict traffic

Hi I run the Australian seismometers in schools network and we have just received our raspberry shake which we have just started testing for use in schools around Australia. We already have 47 professional seismometers in schools around Australia so know a lot of the pitfalls. 

I am pleased to see that the user can look at the data locally but using ports 55555 and 55556 will likely mean that schools in Australia will not connect to the raspberry shake network, which is what we would really like to be able to do. We have had to deal with putting holes in firewalls for our existing instruments and this is not easy as schools and states have different ways of dealing with this. The firewalls at schools are very restrictive these days but the use of port 80 may mean a higher connection rate.

Cheers

Michelle Salmon

==========================================
Dr Michelle Salmon
AuSIS Coordinator
Research School of Earth Sciences
ANU College of Physical and Mathematical Sciences
The Australian National University
Australia

CRICOS Provider # 00120C
==========================================
--
Some useful links:
 
Manual: http://manual.raspberryshake.org/
Shop: https://shop.raspberryshake.org/
Website: http://raspberryshake.org/
Do It YourSelf Page: http://raspberryshake.org/do-it-yourself
---
You received this message because you are subscribed to the Google Groups "RaspberryShake" group.
To unsubscribe from this group and stop receiving emails from it, send an email to raspberryshak...@googlegroups.com.
To post to this group, send email to raspber...@googlegroups.com.
Visit this group at https://groups.google.com/group/raspberryshake.
To view this discussion on the web visit https://groups.google.com/d/msgid/raspberryshake/7e983695-d4b9-46d0-ad0c-52eb43e50e63%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Mercalli

Jan 19, 2017, 11:15:22 PM1/19/17
to RaspberryShake, branden.c...@osop.com.pa
Maybe it would be easier to not use the school network. Is there a sympathetic business or neighbor in proximity that would let you connect the Raspberryshake (and nothing else) through their network? The amount of data transferred is negligible. Is administrative approval required to go this route?

Ben Orchard

Jan 20, 2017, 11:19:36 AM1/20/17
to RaspberryShake, branden.c...@osop.com.pa
Just tested it in a school in Victoria (Australia) and it was open.

As Michelle states, it will vary, but in a sample case of one.... UDP port 123 is open.

Cheers.

David J Taylor

Jan 20, 2017, 11:51:58 AM1/20/17
to Raspberry Shake group, sats...@gmail.com
Just tested it in a school in Victoria (Australia) and it was open.

As Michelle states, it will vary, but in a sample case of one.... UDP port
123 is open.

Cheers.
==========================================

Administrators are unlikely to be happy if you interfere with system
timekeeping. Firewall or router hardware could well want to use UDP/123. I
don't know about TCP/123.

Can't you use 80/TCP?

Cheers,
David
--
SatSignal Software - Quality software written to your requirements
Web: http://www.satsignal.eu
Email: david-...@blueyonder.co.uk
Twitter: @gm8arv

Branden Christensen

Jan 20, 2017, 12:09:05 PM1/20/17
to RaspberryShake, David Taylor
Hi David:


Good day!

Raspberry Shake does not interfere with system timekeeping. UDP/123 is reserved internationally by all systems for NTP. No one would use this port for anything else. 123 is to NTP what 80 is to HTTP, 443 is to HTTPS and 22 is to SSH, etc.


Yours, 


Branden Christensen
Director, OSOP


Get yours now! Visit shop.raspberryshake.org



David J Taylor

Jan 21, 2017, 3:31:39 AM1/21/17
to Raspberry Shake group, sats...@gmail.com
Hi David:

Good day!

Raspberry Shake does not interfere with system timekeeping. UDP/123 is
reserved internationally by all systems for NTP. No one would use this port
for anything else. 123 is to NTP what 80 is to HTTP, 443 is to HTTPS and
22 is to SSH, etc.

Yours,
Branden Christensen
====================================

Thanks, Branden. Yes, I appreciate that, but I was getting the impression
that someone was suggesting that the port be used for other purposes. I
must have misheard that!

Angel Rodriguez

Jan 21, 2017, 4:52:28 AM1/21/17
to raspber...@googlegroups.com
Hi Dave,

I think we were saying that we need port 123 open to UDP packets for Shake to work. We also need two other high, not commonly used ports for the data and non-data information. We technically can use ports 80 and 443. Doing that might violate the spirit or agreements that schools have with the IT departments. We are working on it.

Angel



David J Taylor

Jan 21, 2017, 6:49:18 AM1/21/17
to raspber...@googlegroups.com
Hi Dave,

I think we were saying that we need port 123 open to UDP packets for Shake
to work, We also need two other high not commonly used ports for the data
and non-data information. We technically can use port 80 and 443. Doing
that might violate the spirit or agreements that schools have with the IT
departments. We are working on it.

Angel
=====================================

OK, but if NTP is running on the RShake it will be using port 123/UDP, so
that port may not be available to other software.

Mind you, you can run more than one Web browser on a PC, and they will both
use port 80, but that's TCP where a connection needs to be made.

Perhaps it's different for outbound packets, and the problem only arises
where a program grabs a port to listen for incoming requests. Excuse me
thinking aloud!

Branden Christensen

Jan 21, 2017, 6:56:29 AM1/21/17
to RaspberryShake
Hi Dave: 

OK, but if NTP is running on the RShake it will be using port 123/UDP, so that port may not be available to other software.

Mind you, you can run more than one Web browser on a PC, and they will both use port 80, but that's TCP where a connection needs to be made.

Perhaps it's different for outbound packets, and the problem only arises where a program grabs a port to listen for incoming requests.  Excuse me thinking aloud!

In networking, the problems you foresee are solved by the requirement for unique IP:Port combinations. For an NTP server, for example, so long as the IP is unique for every IP:Port connection, any number of machines can connect to the NTP server on 123. At OSOP we have hundreds of things - computers, Raspberry Shakes and servers - all connecting to NTP on 123. Since each of the connections is a unique IP:Port combination, there is no problem.


Yours, 


Branden

David J Taylor

Jan 21, 2017, 7:16:29 AM1/21/17
to Raspberry Shake group, sats...@gmail.com
Hi Dave:
[]
In networking, the problems you foresee are solved by the requirement for
unique IP:Port combinations. For an NTP server, for example, so long as the
IP is unique for every IP:Port connection, any number of machines can
connect to the NTP server on 123. At OSOP we have hundreds of things -
computers, Raspberry Shakes and servers - all connecting to NTP on 123.
Since each of the connections is a unique IP:Port combination, there is no
problem.

Yours,
Branden
================================

Yes, I also run a lot on NTP servers here, and have seen no problems, but if
I try to run a second server program on a box already running standard NTP I
would get the message that the port is already occupied by the NTP program.

If the suggestion is that RShake also tries to act as a server on port
123/UDP, I believe that will fail. But, as I said, perhaps I misunderstood
the suggestion!

Richard

Jan 21, 2017, 8:59:22 AM1/21/17
to RaspberryShake, sats...@gmail.com
Hello,

To clear up any confusion, the Raspberry Shake does not require direct use of port 123; it requires NTP to be running so that the timing will be accurate. NTP requires port 123 to be open for UDP traffic. At no time does the Raspberry Shake make use of port 123 itself.

At the moment, the only non-standard ports required for data transfer from the shake to the server are TCP 55555 and 55556.

cheers,

richard
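The port question argued back and forth in the last few posts comes down to one distinction: an NTP client (what the Shake's ntpd does when it syncs) sends from an ephemeral local port to the server's 123/UDP, and that is the only thing the firewall exception has to allow; a second *server* trying to bind 123/UDP on the same box is what fails with "address already in use". The following is an added example, my own code and not OSOP's or the Shake firmware's, that shows both halves: a minimal NTP client query whose local port is reported back, and a deliberate second bind to an already-held UDP port. The fake NTP responder is a constructed stand-in so the demo runs offline; point `ntp_query()` at a real server and port 123 to check whether a school's firewall actually lets NTP out.

```python
import errno
import socket
import struct
import threading

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800


def build_ntp_request() -> bytes:
    """48-byte NTP v3 client packet: LI=0, VN=3, Mode=3 (client); all other fields zero."""
    return b"\x1b" + b"\x00" * 47


def transmit_time_from_reply(packet: bytes) -> float:
    """Return the server's Transmit Timestamp (bytes 40..47) as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_OFFSET + frac / 2**32


def ntp_query(server: str, port: int = 123, timeout: float = 2.0):
    """Send one client request and return (unix_time, local_ephemeral_port).

    The socket is never bound to 123: the kernel assigns an ephemeral local port
    on the first sendto(). That is why any number of hosts (and any number of
    processes on one host) can all talk to port 123 on the same server.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (server, port))
        local_port = sock.getsockname()[1]
        reply, _ = sock.recvfrom(512)
    return transmit_time_from_reply(reply), local_port


def second_bind_fails(host: str = "127.0.0.1") -> bool:
    """Hold a UDP port, then try to bind a second socket to the same port.

    This is the server-side situation David describes: a second daemon cannot
    listen on 123/UDP while ntpd already owns it. Any free port stands in for
    123 here. Returns True if the second bind is refused with EADDRINUSE.
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind((host, 0))
    port = holder.getsockname()[1]
    rival = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rival.bind((host, port))
        return False
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    finally:
        rival.close()
        holder.close()


def start_fake_ntp_server(reply_unix_time: int, host: str = "127.0.0.1") -> int:
    """Constructed stand-in for an NTP server so the demo runs offline.

    Answers exactly one request with a mode-4 (server) packet whose Transmit
    Timestamp is reply_unix_time. Returns the UDP port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    port = srv.getsockname()[1]

    def serve_once():
        try:
            _, addr = srv.recvfrom(512)
            reply = bytearray(48)
            reply[0] = 0x1C  # LI=0, VN=3, Mode=4 (server)
            reply[40:48] = struct.pack("!II", reply_unix_time + NTP_UNIX_OFFSET, 0)
            srv.sendto(bytes(reply), addr)
        finally:
            srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


if __name__ == "__main__":
    fake_port = start_fake_ntp_server(1_500_000_000)
    t, local_port = ntp_query("127.0.0.1", fake_port)
    print(f"server time {t:.0f} received on ephemeral local port {local_port}")
    print("second bind to an occupied UDP port refused:", second_bind_fails())
```

On a stateful firewall the reply to `ntp_query()` is allowed back in because it matches the outbound request; no inbound rule for 123 is needed, which is the point Richard makes about the Shake only needing NTP to be able to reach out.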

F5HNK Patrick

Jan 22, 2017, 8:29:10 AM1/22/17
to RaspberryShake, branden.c...@osop.com.pa
Hi Shakers,

I am dealing with these networking issues at work, I can put my 2 cents on this topic...

Well, in fairly organized companies or universities (in terms of Internet security), there are NO open ports to the Internet, even though one can surf on the Internet from the company computers...

Access to HTTP and HTTPS URLs over the Internet is granted through a proxy server installed at the edge of the company network, the proxy server has access to the Internet and behaves as a connection relay.
The proxy server is then able (depending on its technology level) to:

- log every single request to the Internet (i.e. what internal IP address accessed what Internet URL),
- block access to specific URLs based on a black list of IP addresses,
- analyse on the fly the content of the HTTP data stream looking for malware activity.

These features are providing some protection against Internet threats and also Internet access logging for later analysis in case of problems.

Last point, the company computers are not usually synchronizing their real-time clock directly from Internet time servers, but from a trusted internal NTP server...

Concerning the RPi Shake network, there are common issues generated by the use of this company/university network:

1/ Connecting the RPi Shake would not allow data forwarding, as TCP ports 55555 and 55556 are not standard WEB ports and as such are not handled by the company proxy. The use of port 80 or 443 (HTTP and HTTPS) would not help much, as the RPi should be able to direct the connection to the proxy and not directly to the OSOP server (I believe the use of a proxy is not possible as of today in the Shake firmware). Moreover, depending on the proxy security features, the data stream from the RPi Shake would likely be blocked by the proxy, as the content is not plain WEB data and can be suspected to be generated by some spyware/malware...
Also, the RPi Shake would not get NTP synchronisation from the Internet (unless one can configure the RPi to use the company's internal trusted NTP server).

2/ On the other hand, accessing the StationView and EQView WEB pages from the company/university network is not fully functional, as the fancy GEMPA application initiates a TCP 18081 connection to get RPi station information (the map and RPi triangles are properly displayed though).

I would say that point 1/ shouldn't be a real problem, but it needs some arrangement in the company/university to get an Internet connection at the right place (basement) with the proper TCP ports open. Usually, the company/university provide dedicated network access with specific firewall rules for instruments of the kind.

Point 2/ is a bit more of a problem to me, as the Shakers are entitled to have a look at their favorite StationView page from their desktop and expect full functionality... This can probably be addressed by Gempa by means of a standard port if it is considered a problem.

I believe that most of the RPi Shakes are/will be connected to home Internet routers and OSOP already designed the shake network architecture to comply with that kind of Internet access (i.e. the shake is just an Internet client, and doesn't need a static public IP address nor ingress connection from the Internet to the RPi shake). This is smart.

Another pragmatic solution to make the RPi Shake run from the company/university basement (or outside shelter) is to install an ADSL line and "home" router at the right place; it does not interfere with the company/university networks and as such can be seen as a safe solution (in addition to being an adequate solution with respect to the Shake architecture).

Hope this helps,

Patrick
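Patrick's point 1/ is that on a proxy-only network a direct TCP connection to 55555/55556 never leaves the building, and even a CONNECT tunnel through the proxy is only granted for the destination ports the proxy is configured to allow (typically 443). Before negotiating a firewall exception it helps to measure exactly that from the spot where the Shake will sit. The script below is an added example, my own code and not part of the Shake firmware or OSOP's tooling: for each required flow it tries a direct connection and, if a proxy is given, an HTTP `CONNECT` through it, and reports both results. The host names in `REQUIRED_FLOWS` are hypothetical placeholders (the real data server is not named in the thread; only the port numbers come from the posts), and the fake proxy and local listener are constructed test doubles so the demo runs offline.

```python
import socket
import threading

# Outbound flows named in the thread. Host names are hypothetical placeholders;
# the port numbers are the ones the posts above mention.
REQUIRED_FLOWS = [
    ("data stream", "dataserver.example", 55555),
    ("non-data",    "dataserver.example", 55556),
    ("StationView", "stationview.example", 18081),
]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Direct outbound TCP: True if a connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reachable_via_connect_proxy(proxy_host, proxy_port, host, port, timeout=3.0) -> bool:
    """Ask an HTTP proxy for a tunnel with CONNECT host:port; True only on a 2xx status."""
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
            sock.sendall(request)
            status = b""
            while not status.endswith(b"\r\n"):  # read just the status line
                byte = sock.recv(1)
                if not byte:
                    return False
                status += byte
    except OSError:
        return False
    parts = status.decode("ascii", "replace").split()
    return len(parts) >= 2 and parts[1].startswith("2")


def check_required_flows(flows, proxy=None):
    """Return {label: (direct_ok, proxy_ok)}; proxy_ok is None when no proxy is given."""
    report = {}
    for label, host, port in flows:
        direct = tcp_reachable(host, port)
        via = reachable_via_connect_proxy(proxy[0], proxy[1], host, port) if proxy else None
        report[label] = (direct, via)
    return report


# ---- constructed test doubles so the demo runs offline ---------------------

def start_fake_connect_proxy(allowed_ports, host="127.0.0.1") -> int:
    """Stand-in for a corporate proxy: answers CONNECT with 200 only when the
    destination port is in allowed_ports, 403 otherwise, and relays nothing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = b""
                while b"\r\n\r\n" not in data:
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    data += chunk
                first = data.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
                dst_port = -1
                if len(first) > 1 and first[0] == "CONNECT" and ":" in first[1]:
                    dst_port = int(first[1].rsplit(":", 1)[1])
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n"
                             if dst_port in allowed_ports
                             else b"HTTP/1.1 403 Forbidden\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_local_listener(host="127.0.0.1") -> socket.socket:
    """A listening TCP socket standing in for a reachable server; caller keeps it alive."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv


def closed_local_port(host="127.0.0.1") -> int:
    """A port number that was just released, so a connect to it is refused."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    listener = start_local_listener()
    open_port = listener.getsockname()[1]
    proxy = ("127.0.0.1", start_fake_connect_proxy({443, open_port}))
    flows = [("allowed", "127.0.0.1", open_port), ("blocked", "127.0.0.1", closed_local_port())]
    for label, (direct, via) in check_required_flows(flows, proxy).items():
        print(f"{label:8s} direct={direct} via_proxy={via}")
```

Run it with `REQUIRED_FLOWS` and the site's real proxy address to get a per-port answer you can hand to the school's IT contact; a `(False, False)` row is a flow that will need either a firewall rule or a separate connection, exactly the choice Patrick lays out.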

Branden Christensen

Jan 22, 2017, 9:11:23 AM1/22/17
to RaspberryShake
Thanks Patrick!

I can tell that email took a good long time to draft. It is full of good details. I really appreciate your note and will forward it on to our software development team and partners.

Have a great weekend, Branden


Angel Rodriguez

Jan 22, 2017, 5:28:22 PM1/22/17
to raspber...@googlegroups.com
Patrick,

What a great overview. It has saved us a lot of work! I appreciate it.

Angel



AuSIS

Jan 22, 2017, 8:51:32 PM1/22/17
to RaspberryShake
Hi Chris
We have to negotiate firewall exceptions at each individual school and this is the biggest single weakness in our network. One state has refused to work with us so we can only install in independent schools in that state. 

Cheers

Michelle

chris...@aol.com

Jan 24, 2017, 1:40:54 PM1/24/17
to raspber...@googlegroups.com
Hi Michelle, 

    Thank you for the information. Did you have to separately negotiate the installations in all the 47 schools, please?
    Can't you install a RShake in a school without connecting it to the internal school network? Have you considered asking a parent to install the RShake in their house and get that pupil to bring in a daily copy of the current signals on a memory card?
    Are there any other 'alternative solutions'? Like getting the parents at a school to lobby their state politicians for better scientific access for their pupils? They are supposed to represent the interests of their constituents!

    Regards, 

    Chris   

AuSIS

Feb 13, 2017, 5:33:27 PM2/13/17
to RaspberryShake
Sorry Chris, I have been away for a few weeks.
1. Yes, essentially we had to negotiate firewall exceptions for all 40 of our instruments, although NSW came to the party and runs the software centrally, so for public schools there we had a simplified procedure.
2. We could run the seismometer without connecting to the internal school network, but then the data will be isolated; if we use a single school pupil's house to install it there will not be a live feed and the students (with the exception of the one) will not have a sense of ownership of the instrument.
3. The firewalls are there to protect the students, so I am not sure how much lobbying will do. We did go through the political route with one state and the results were not great.

Our program is meant to be inclusive as we can't buy seismometers for every school in Australia we want schools to be able to access their nearest site. We are working on a way around these issues and I will be getting a school to test the instrument we have shortly.

Cheers

Michelle

paul denton

Apr 1, 2017, 5:57:12 AM4/1/17
to RaspberryShake
Joining this discussion a bit late, I have just tried to test my RaspberryShake at Leicester University in preparation for test deployment in a local school; firewall issues are an issue (as yet unresolved despite best efforts of Seisuk seismologists and 2 x departmental computing officers)... not looking hopeful for school use.

Note we also have problems in the uk using Jamaseis networking in schools ... similar issues to Ausis with different systems in each school.

At one point in the past (before the Raspberry Pi was invented) we tried setting up a system that would allow data export from schools using a purely HTTP port 80 option. The theory was to run a lightweight application locally which simply created miniSEED blocks; these miniSEED blocks were then sent as files to a remote web server as HTTP POST packets (all on port 80). The remote web server just ran a simple web form that accepted data uploads (with password protection). We would then run ringserver on the remote computer to have a SeedLink stream for onward data manipulation. I suspect that this might fall foul of sophisticated proxy systems that inspect each data packet for content; however, I don't see why a miniSEED data file should look any different to a binary image file uploaded to a website? We never got around to testing this system in real schools as the student doing the work moved on and Jamaseis networking got better. Maybe we will try resurrecting it ... I have all the code somewhere if anyone wants to look over it (all Python).
Paul Denton
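Paul's port-80 design has one security-relevant weakness worth seeing in code: the "password protection" travels in every request, so over plain HTTP the school's proxy (and anyone else on the path) can read it and could replay uploads under the station's identity. The example below is my own added code, not Paul's resurrected Python and not anything OSOP ships. It implements the same shape, a small upload endpoint that accepts POSTed miniSEED blocks and a client that sends them, but carries the credential in a header compared in constant time, caps the body size, and checks a SHA-256 the client sends so a truncated or proxy-mangled upload is rejected rather than stored. `UPLOAD_TOKEN`, the station id and the 512-byte block are constructed placeholders (the block is not a valid miniSEED record); in a real deployment the URL would be `https://` on 443 so the token is not readable in transit, and the ringserver/SeedLink side Paul describes would consume what `STORE` holds.

```python
import hashlib
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder. In deployment this comes from configuration, one
# token per station, and the transport must be HTTPS so it is not visible to
# an inspecting proxy on port 80.
UPLOAD_TOKEN = "replace-me-per-station"
MAX_BLOCK = 1 << 20          # 1 MiB cap per POST; miniSEED blocks are far smaller
STORE = {}                   # station id -> list of received blocks (in-memory demo)

# Constructed 512-byte stand-in for a miniSEED record; not a valid record.
CONSTRUCTED_BLOCK = b"000001D " + b"\x00" * 504


class UploadHandler(BaseHTTPRequestHandler):
    """Accepts POST /upload with X-Station, X-Upload-Token and X-Content-SHA256 headers."""

    def do_POST(self):
        if self.path != "/upload":
            return self._reply(404, "not found")
        length = int(self.headers.get("Content-Length", "0"))
        if length <= 0 or length > MAX_BLOCK:
            return self._reply(413, "bad length")
        body = self.rfile.read(length)          # read before judging, so the client gets the reply
        token = self.headers.get("X-Upload-Token", "")
        if not hmac.compare_digest(token.encode(), UPLOAD_TOKEN.encode()):
            return self._reply(401, "bad token")
        if hashlib.sha256(body).hexdigest() != self.headers.get("X-Content-SHA256", ""):
            return self._reply(400, "digest mismatch")
        station = self.headers.get("X-Station", "unknown")
        STORE.setdefault(station, []).append(body)
        self._reply(200, "stored")

    def _reply(self, code, text):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(text.encode())

    def log_message(self, *args):               # keep the demo quiet
        pass


def start_server(host="127.0.0.1") -> int:
    """Start the upload endpoint on a free port in a daemon thread; returns the port."""
    srv = HTTPServer((host, 0), UploadHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def upload_block(url: str, station: str, token: str, block: bytes) -> int:
    """Client side (what the lightweight app at the school would do): POST one block.

    Returns the HTTP status code; 200 means the server stored the block.
    """
    req = urllib.request.Request(url, data=block, method="POST", headers={
        "Content-Type": "application/vnd.fdsn.mseed",
        "X-Station": station,
        "X-Upload-Token": token,
        "X-Content-SHA256": hashlib.sha256(block).hexdigest(),
    })
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    port = start_server()
    url = f"http://127.0.0.1:{port}/upload"
    print("good token:", upload_block(url, "TEST1", UPLOAD_TOKEN, CONSTRUCTED_BLOCK))
    print("bad token: ", upload_block(url, "TEST1", "wrong", CONSTRUCTED_BLOCK))
    print("stored blocks for TEST1:", len(STORE.get("TEST1", [])))
```

Because the content type and the body look like any other file upload, the proxy treatment Paul worries about is the same as for an image; what the proxy can still see on port 80 is the token header, which is the reason to prefer 443 for this path.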

chris...@aol.com

Apr 1, 2017, 1:10:03 PM4/1/17
to raspber...@googlegroups.com
Hi Paul, 

    What are the stated problems, please? Why are they there? What evidence is there that those restrictions are necessary? Have you tried complaining to your Members of Parliament about these restrictions on pupils' scientific educational opportunities? (When all else fails, organise a few hundred parents to complain to their politicians, nationwide! And get them to DO something about it.)

    Maybe try 'thinking outside the box' to BYPASS the schools' Firewall Communication Problems?

    1 Provide a separate extension on the school's phone line which does NOT go through such a restrictive firewall; the seismometer computer is NOT connected to the school's internal network.

    2 Use an audio band signal to report data - maybe use frequency shift keying? This might be too slow.

    3 Provide a separate dedicated phone line for the seismometer - maybe use a personal phone?

    4 CUT OUT the school system entirely! DO NOT connect the seismometer to the school's internal system. Have either a teacher or student(s) carry extracted seismic signals / the daily record on a memory chip and pass on the data to a central collection point with their own private computers. OK, the data will be 1 day late, but so what? Is there ANY requirement for the school system to run 'in real time'?

    Regards,

    Chris
 
From: paul denton <paul.in....@gmail.com>
To: RaspberryShake <raspber...@googlegroups.com>
Sent: Sat, Apr 1, 2017 10:57 am
Subject: [RShake Forum] Re: [Raspberry Shake Community Forum] Firewalls for schools often restrict traffic

    Joining this discussion a bit late, I have just tried to test my RaspberryShake at Leicester University in preparation for test deployment in a local school; firewall issues are an issue (as yet unresolved despite best efforts of Seisuk seismologists and 2 x departmental computing officers)... not looking hopeful for school use.

    Note we also have problems in the UK using Jamaseis networking in schools ... similar issues to Ausis with different systems in each school.

    At one point in the past (before the Raspberry Pi was invented) we tried setting up a system that would allow data export from schools using a purely HTTP port 80 option. The theory was to run a lightweight application locally which simply created miniSEED blocks; these miniSEED blocks were then sent as files to a remote web server as HTTP POST packets (all on port 80). The remote web server just ran a simple web form that accepted data uploads (with password protection). We would then run ringserver on the remote computer to have a SeedLink stream for onward data manipulation. I suspect that this might fall foul of sophisticated proxy systems that inspect each data packet for content; however, I don't see why a miniSEED data file should look any different to a binary image file uploaded to a website? We never got around to testing this system in real schools as the student doing the work moved on and Jamaseis networking got better. Maybe we will try resurrecting it ... I have all the code somewhere if anyone wants to look over it (all Python).

Paul Denton
