Why does rclone sync cause incoming connections?

What is the problem you are having with rclone?

I regularly run rclone sync on a Raspberry Pi to sync some local files with Backblaze B2. When rclone is running, the kernel logs show ufw firewall blocked several incoming packets. These originate from Backblaze-owned IPs. The Pi is behind a router which has a firewall -- so it shouldn't be receiving any incoming packets at all.

My questions are:

1. It looks like Backblaze is trying to connect to the Pi - why is this happening? I had assumed rclone only involved outgoing connections.
2. Why do the packets get through the router firewall, to the Pi?

I don't appear to get any ufw block messages when rclone is not running. So it is somehow rclone-related -- even if it is ultimately a network configuration issue of some kind.

Further details:

• here is the kernel log when rclone was running:

Jun 24 11:20:42 percival kernel: [UFW BLOCK] IN=eth0 OUT= MAC=dc:a6:32:00:e4:e5:40:0d:10:e4:31:f0:08:00 SRC=206.190.215.15 DST=192.168.0.102 LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=20792 DF PROTO=TCP SPT=443 DPT=42744 WINDOW=0 RES=0x00 RST URGP=0
Jun 24 11:20:42 percival kernel: [UFW BLOCK] IN=eth0 OUT= MAC=dc:a6:32:00:e4:e5:40:0d:10:e4:31:f0:08:00 SRC=206.190.215.15 DST=192.168.0.102 LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=20793 DF PROTO=TCP SPT=443 DPT=42744 WINDOW=0 RES=0x00 RST URGP=0
Jun 24 11:20:42 percival kernel: [UFW BLOCK] IN=eth0 OUT= MAC=dc:a6:32:00:e4:e5:40:0d:10:e4:31:f0:08:00 SRC=206.190.215.15 DST=192.168.0.102 LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=42738 WINDOW=0 RES=0x00 RST URGP=0
Jun 24 11:20:42 percival kernel: [UFW BLOCK] IN=eth0 OUT= MAC=dc:a6:32:00:e4:e5:40:0d:10:e4:31:f0:08:00 SRC=206.190.215.15 DST=192.168.0.102 LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=42738 WINDOW=0 RES=0x00 RST URGP=0
Jun 24 11:20:42 percival kernel: [UFW BLOCK] IN=eth0 OUT= MAC=dc:a6:32:00:e4:e5:40:0d:10:e4:31:f0:08:00 SRC=206.190.215.15 DST=192.168.0.102 LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=20320 DF PROTO=TCP SPT=443 DPT=42736 WINDOW=0 RES=0x00 RST URGP=0
Jun 24 11:20:42 percival kernel: [UFW BLOCK] IN=eth0 OUT= MAC=dc:a6:32:00:e4:e5:40:0d:10:e4:31:f0:08:00 SRC=206.190.215.15 DST=192.168.0.102 LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=20321 DF PROTO=TCP SPT=443 DPT=42736 WINDOW=0 RES=0x00 RST URGP=0
Jun 24 11:20:42 percival kernel: [UFW BLOCK] IN=eth0 OUT= MAC=dc:a6:32:00:e4:e5:40:0d:10:e4:31:f0:08:00 SRC=206.190.215.15 DST=192.168.0.102 LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=42742 WINDOW=0 RES=0x00 RST URGP=0
Jun 24 11:20:42 percival kernel: [UFW BLOCK] IN=eth0 OUT= MAC=dc:a6:32:00:e4:e5:40:0d:10:e4:31:f0:08:00 SRC=206.190.215.15 DST=192.168.0.102 LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=42742 WINDOW=0 RES=0x00 RST URGP=0
Jun 24 11:20:42 percival kernel: [UFW BLOCK] IN=eth0 OUT= MAC=dc:a6:32:00:e4:e5:40:0d:10:e4:31:f0:08:00 SRC=206.190.215.15 DST=192.168.0.102 LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=20408 DF PROTO=TCP SPT=443 DPT=42740 WINDOW=0 RES=0x00 RST URGP=0
Jun 24 11:20:42 percival kernel: [UFW BLOCK] IN=eth0 OUT= MAC=dc:a6:32:00:e4:e5:40:0d:10:e4:31:f0:08:00 SRC=206.190.215.15 DST=192.168.0.102 LEN=40 TOS=0x08 PREC=0x20 TTL=50 ID=20409 DF PROTO=TCP SPT=443 DPT=42740 WINDOW=0 RES=0x00 RST URGP=0

• the connections originate from 206.190.215.15 (on port 443). This IP address redirects to Backblaze. At other times when rclone has run, other IPs have appeared in the logs
• the router is a standard home router from Virgin Media. The router firewall is enabled, there are no open ports, and UPnP is disabled.
• the ufw setup is straightforward:

pi@percival:~ $ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    192.168.0.0/24

What is your rclone version (output from rclone version)

rclone v1.50.2

• os/arch: linux/arm
• go version: go1.13.6

Which OS you are using and how many bits (eg Windows 7, 64 bit)

Raspbian 5.4.47-v7l+ armv7l

Which cloud storage system are you using? (eg Google Drive)

Backblaze B2

The command you were trying to run (eg rclone copy /tmp remote:tmp)

sudo rclone sync -vv /mnt/hdd0/backup b2-pi-encrypted:/backup_remote_copy

The rclone config contents with secrets removed.

[b2-pi-encrypted]
type = crypt
remote = b2-pi:XXXXXXX-backup-pi
filename_encryption = standard
directory_name_encryption = true
password = XXXXXXX
password2 = XXXXXXX

[b2-pi]
type = b2
account = XXXXXXX
key = XXXXXXX
hard_delete = true

A log from the command with the -vv flag

Forum stops me from including links - the log is at:
gist [dot] github [dot] com/mrankine/3ea21f3c08a59f29107aa7f0e1f06907
Note: Edited to obscure local filenames.

You make a connection to the remote via 443 and that is where traffic goes through. The remote will not
initiate a connection back in.

I'd doubt that is rclone, but you can always run a packet capture if you wanted to be 100% sure.

So the source address is 206.190.215.15 which is within Backblaze's 206.190.208.0/21 range

The source port is 443 meaning that this is very likely a reply to an outgoing connection to port 443 from rclone.

This is a RST packet which is closing the connection.

These packets can get sent after the TCP connection has closed so it is possible that the connection tracking has stopped tracking the connection when the RST packet comes in.

Increasing the connection tracking timeout would probably fix the problem. I can't remember which sysctl that is any more but a bit of googling should find it for you!

Thanks! That's really helpful, I'll investigate RST packets.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.