On Gentoo systems the rsync package is already installed, so there is nothing to do for it here.

Install stunnel

This setup does not use tcpwrappers or IPv6.

emerge -pv rsync stunnel
[ebuild   R   ] net-misc/rsync-2.6.9-r1  USE="-acl -ipv6 -static -xinetd"
[ebuild  N    ] net-misc/stunnel-4.09-r1  USE="-ipv6 (-selinux) ssl -tcpd"
emerge stunnel

Configure Rsync Server

The sample below exposes one rsync module, read-only, to the entire world. Tune the configuration options to your environment, but do not change hosts allow: it must be set to 127.0.0.1 for stunnel to work.

cat /etc/rsyncd.conf
address = 127.0.0.1
uid = nobody
gid = nobody
pid file = /var/run/rsyncd.pid
use chroot = yes
read only = yes
hosts allow = 127.0.0.1
max connections = 10
syslog facility = local2
timeout = 120

# Our portage mirror
[edoceo-portage]
  comment = Edoceo Portage tree
  exclude = /distfiles /packages
  path = /usr/portage
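
As an added example (not part of the original page), this shell function audits an rsyncd.conf for the loopback-only settings described above, including modules that override the global defaults. The [upload] module in the sample input is constructed for illustration.

```shell
# Added example. audit_rsyncd [FILE]: print findings for an rsyncd.conf (stdin
# if no FILE); exit status 0 when rsync is reachable only via loopback, else 1.
audit_rsyncd() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report(msg) { print "FINDING: " msg; bad = 1 }
    /^[ \t]*([#;]|$)/ { next }                  # comments and blank lines
    /^[ \t]*\[.*\]/ {                           # module header such as [edoceo-portage]
        mod = trim($0); mod = substr(mod, 2, length(mod) - 2)
        mods[++n] = mod; next
    }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        val = trim(substr($0, eq + 1))
        if (mod == "") glob[key] = val; else set[mod, key] = val
    }
    END {
        # "address" is a global parameter; without it the daemon listens on
        # every interface instead of only behind stunnel.
        if (glob["address"] != "127.0.0.1")
            report("address is \"" glob["address"] "\", not 127.0.0.1")
        for (i = 1; i <= n; i++) {
            m = mods[i]             # module settings override the global defaults
            ha = ((m, "hosts allow") in set) ? set[m, "hosts allow"] : glob["hosts allow"]
            ro = ((m, "read only") in set) ? set[m, "read only"] : glob["read only"]
            if (ha != "127.0.0.1") report("[" m "] hosts allow is \"" ha "\"")
            if (tolower(ro) ~ /^(no|false|0)$/) report("[" m "] is writable")
        }
        exit bad + 0
    }' "$@"
}

# Constructed sample: the page's settings plus a hypothetical [upload] module.
sample_bad_conf() {
    cat <<'EOF'
address = 127.0.0.1
read only = yes
hosts allow = 127.0.0.1
[edoceo-portage]
  path = /usr/portage
[upload]
  path = /srv/upload
  hosts allow = 10.0.0.0/24
  read only = no
EOF
}
sample_bad_conf | audit_rsyncd || echo "rsyncd.conf needs attention"
```

Run it against the live file with audit_rsyncd /etc/rsyncd.conf; a non-zero exit status means at least one finding was printed.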

Configure Stunnel

Create some certificates from your CA. Notice that stunnel listens on the standard rsync port and forwards to the rsync daemon on the loopback address. Add the following to /etc/stunnel/stunnel.conf.

[rsync]
  accept = 10.0.0.2:873
  connect = 127.0.0.1:873

Check that both daemons are listening:

netstat -tanpu |grep 873
tcp   0   0   10.65.30.2:873   0.0.0.0:*   LISTEN   14568/stunnel
tcp   0   0   127.0.0.1:873    0.0.0.0:*   LISTEN   14497/rsync

Connecting to Rsync over Stunnel

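The client runs stunnel as well, in client mode, and rsync on the client then connects to the local end of the tunnel. Add the following to the client's stunnel.conf:

[rsync]
  client = yes
  accept = 127.0.0.1:873
  connect = rsync.domain.com:873

Check that the client-side stunnel is listening:

netstat -tanpu |grep 873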
tcp   0   0   127.0.0.1:873   0.0.0.0:*   LISTEN   11202/stunnel

Notes

Ensure that no firewall is blocking the connection. The machine needs access to its loopback interface, so make sure iptables has a rule like the following.

iptables -A INPUT -i lo -j ACCEPT
