NETGEAR ReadyNAS

[vijibhanu]

I am using ReadyNAS Photos to share photos on my ReadyNAS Duo with friends and family.
I want to understand clearly how my ReadyNAS Duo is enabling this. That is, what server ports it is opening up etc., in order to make this work.

My ReadyNAS Duo sits behind a Linksys Wireless-G Broadband Router (WRT54G) and has a wired connection to it. The router is connected to the cable modem.
On the Port Range Forwarding page of the router’s administrative interface, the router is configured in such a way as to not allow incoming traffic on any port to any of the clients in the local network. Yet, ReadyNAS Photos is able to serve the photos to people outside the local LAN. Surely, it must be opening up some ports if the photos all reside locally on my ReadyNAS Duo and are served up from there. I can't see how it can work otherwise. However, this information seems to be deliberately obscured.

I looked in the log file (name photos.log) and found this:

<22:45:28, Sun Jan 11, 2009> <1256> < Warn> Starting Dekoh Listener
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> Using the default config file /usr/share/dekoh/Dekoh$/listener/dekoh.conf
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> Listener will wait till the config file is available for read
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> Resuming the Listener as the config file is available
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> ----------------Configuration--------------

<22:45:28, Sun Jan 11, 2009> <1256> < Warn> das.id : XXXXXXXXXXXXXXXXXXXXXXXXX
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> dekoh.presence.host : presence.readynasphotos.com
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> dekoh.presence.port : 80
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> perl.lib.locations :
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> log.level : 3
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> log.file.dirs : /var/log
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> time.between.connects : 30
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> strict.port : 0
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> default.mag.age : -1
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> command.version : 0.0
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> user.agent : Dekoh-Perl-Listener
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> no.of.channels : 2
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> test.port : 8081
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> proxy.config : /usr/share/dekoh/config/proxy.conf
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> connect.timeout : 180
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> Device Model : ReadyNAS Duo
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> Device Serial : 1VB183R9011F8
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> Listener Version : 0.6.14
<22:45:28, Sun Jan 11, 2009> <1256> < Warn> Photos Version : 0.6.15
<22:45:28, Sun Jan 11, 2009> <1256> < Warn>

I have obscured the das.id in the above log as that is what is used to create the URLs that goes out to the album invitees (Another disconcerting thing is that when you invite a group of people, it seems to send the same URL to all the invitees. It is not using any parameter besides the das.id in the incoming request URL to do some type of authentication and differentiate each incoming request. This is a bad design for a server application)

Based on the logs, it is clear that it is first talking to a server application at presence.readynasphotos.com:80.
It is also listed port 8081 as a “test.port”. Is this the port that it is opening up in order to serve photo requests?
If so, how is it working given the fact that my router is not configured to let traffic on port 8081 enter the LAN from outside?


Can someone please clarify this? I don’t want to use some “black box” application without knowing exactly what it is doing underneath given the fact that it is running a server application that is serving requests from outside my home LAN.

Thanks,
Viji

[minerva]

Hello :

Let me address the security concerns first.

When you share photos with a set of friends, an invitation email is set to each of them. *Only* the recipients of this email will have access to these photos. No one else can access the photos you have shared.

I have obscured the das.id in the above log as that is what is used to create the URLs that goes out to the album invitees (Another disconcerting thing is that when you invite a group of people, it seems to send the same URL to all the invitees. It is not using any parameter besides the das.id in the incoming request URL to do some type of authentication and differentiate each incoming request. This is a bad design for a server application)

The visitor information is not figure in *visible* part of the HTTP request viz the URL. However, this does not mean it is not there. For every request to the shared photos, access controls are verified before granting access.

-minerva

[minerva]

Surely, it must be opening up some ports if the photos all reside locally on my ReadyNAS Duo and are served up from there.

ReadyNAS Photos does not open any ports on your ReadyNAS device. Only your ReadyNAS device has to be connected to the internet for the shared photos to be accessible.

The URL <username>.readynasphtos.com does not resolve to your ReadyNAS device. This URL resolves to readynasphotos network which maintains private communication with the ReadyNAS devices. This is similar to you are using skype, you do not have to open any ports.

-minerva

[vijibhanu]

The visitor information is not figure in *visible* part of the HTTP request viz the URL.

This is only half-true. When an email invite goes out to an invitee, the message contains something like this:

If you are having problems viewing this email, copy and paste the following into your browser:
http://dns-name/go/rd/YYYYYY. The latter, of course, does not have the das.id that I spoke of earlier.

However, upon clicking that link, it ends up being a redirect to the following URL:
http://dns-name/XXXXXX/readynas/showalbum.html followed by some query string parameters.
This URL is the same for ALL incoming invitees and the XXXX part is merely the das.id.
There is nothing in the aforementioned URL or in its query string parameters that allows ReadyNAS Photos to differentiate one invitee from the other. I have tested this by sending out invites to a few email addresses that I have.

Viji

[vijibhanu]

The URL <username>.readynasphtos.com does not resolve to your ReadyNAS device. This URL resolves to readynasphotos network which maintains private communication with the ReadyNAS devices. This is similar to you are using skype, you do not have to open any ports.

I figured out that http://<username>.readynasphtos.com does not resolve to my ReadyNAS Duo device and that it resolves to readynasphotos network. I did not imply that in my earlier email.

ReadyNAS Photos does not open any ports on your ReadyNAS device. Only your ReadyNAS device has to be connected to the internet for the shared photos to be accessible.

This is the part that is a little bit frustrating for me.
I have seen a couple of others make similar inquiries and I see the same response stating that ReadyNAS Photos does not open up any ports on the device.

I am an IT professional and I understand very well how server applications work. If it is not opening up any ports then how are the photos served up from the ReadyNAS Duo device? When the request from an invitee's browser for the URL http://<username>.readynasphotos.com/das.id/readynas/showalbum.html arrives at some application at the ReadyNAS network, then the latter has to ultimately request a photo from my ReadyNAS Duo device. This so called "private communication" between ReadyNAS network and my ReadyNAS Duo device does not happen magically, does it? It has to take place between specific end points on ReadyNAS netwrok and my ReadyNAS Duo device, namely, ports. What are those?

When I block trafffic on port 8081 which is listed in the photos.log file, then I found out that ReadyNAS Photos no longer works. My question was how is it able to open up port 8081 (or any other port for that matter) when my router is blocking all of that traffic.

Can you explain the architecture of the server application?

Thanks,
Viji

[minerva]

If you are having problems viewing this email, copy and paste the following into your browser:
http://dns-name/go/rd/YYYYYY. The latter, of course, does not have the das.id that I spoke of earlier.

The URL http://dns-name/go/rd/YYYYYY is different for every invitation that is sent out.

Like you observed, this URL redirects to the URL which has the das-id. But it also sets a cookie containing the user identity. So the subsequent URLs does not contain information about the visitor.

Hence visitor identity is readily available on every request, and the access control are performed before serving the content.

-minerva

[minerva]

Can you explain the architecture of the server application?

There is no server on the ReadyNAS Duo that *accepts* requests on any port. So even after blocking all the ports for incoming traffic ReadyNAS Photo works and the shared photos remain accessible.

However, outgoing communication on ports 80 and optionally 8081 on your ReadyNAS Duo should be allowed. If you block outgoing communication either on 80 or on 8081, the ReadyNAS Add photos has to be restarted, for the shared photos to be accessible.

Please ensure that you have 1.7 version of ReadyNAS Photos Add on installed.

-minerva

[vijibhanu]

The URL http://dns-name/go/rd/YYYYYY is different for every invitation that is sent out.

Like you observed, this URL redirects to the URL which has the das-id. But it also sets a cookie containing the user identity. So the subsequent URLs does not contain information about the visitor.

Hence visitor identity is readily available on every request, and the access control are performed before serving the content.

Thanks for clarifying that.

[vijibhanu]

Can you explain the architecture of the server application?

There is no server on the ReadyNAS Duo that *accepts* requests on any port. So even after blocking all the ports for incoming traffic ReadyNAS Photo works and the shared photos remain accessible.

However, outgoing communication on ports 80 and optionally 8081 on your ReadyNAS Duo should be allowed. If you block outgoing communication either on 80 or on 8081, the ReadyNAS Add photos has to be restarted, for the shared photos to be accessible.

Please ensure that you have 1.7 version of ReadyNAS Photos Add on installed.

-minerva

It seems like port 80 is not needed. I was able to get it working by blocking all traffic on port 80 but not 8081.
Perhaps, port 80 is needed when it makes the first handshake with the ReadyNAS network?

That is not the issue, however. You still have not answered my question about exactly how ReadyNAS Photos work.
When an album invitee's request arrives at the portal http://username.readynasphotos.com, how does the portal retrieve the actual photo file from the corresponding ReadyNAS Duo device? Is the "Dekoh Listener" that is started up on the ReadyNAS Duo device constantly polling the portal to check for user requests and push the requested file?

From the standpoint of security of my LAN, I need to understand how this thing is achieved for the simple reason that ReadyNAS network is communicating with an application on my device. Inquisitive users are entitled to know what types of "back doors" are opened up for this magic to work. You need to explain this a little bit better than merely asserting that it is all safe and secure and that it is using some "private communication" etc.

Thanks,
Viji

[minerva]

Is the "Dekoh Listener" that is started up on the ReadyNAS Duo device constantly polling the portal to check for user requests and push the requested file?

Yes, the addon polls.

-minerva

[halinab]

viewtopic.php?f=58&t=60473
apologies if this topic is too old but it seems to be what I am looking for.....
can anyone help me with my current issue with ReadyNAS Photos.....