
Re: give multible ports a/o ips to iptables [fixed: problems with firehol...]



--- Jonas Meurer <jonas@freesources.org> wrote:

> On 10/09/2004 Mike Mestnik wrote:
> > > anyway firehol doesn't allow to set user specific ports for service
> > > 'ftp', and therefore i have to open these ports manually.
> > 
> > ?user specific? You mean 20 (ftp-data) and not just 21 (ftp)?  Connection
> > tracking FTP should handle this, but only for your clients and not for any
> > servers you could be running.
> 
> no, i have 5 ftp servers running on 5 different ports. all these ports
> need to be opened for ftp traffic.
> 
Right, does firehol even load ip_conntrack_ftp?  As you know better than
me, ports= is where you specify what ports are for FTP.  In firehol you
would just open those ports as if they were for ssh or http.

> > Turn this on with a 'modprobe ip_conntrack_ftp' and if you're doing NAT
> > 'modprobe ip_nat_ftp'.  I add these into /etc/modules.
> 
> i have
> modprobe ip_conntrack_ftp ports=21,210,215,220,225,230
> in /etc/firehol/firehol.conf, and that works quite well.
> 
It might be worth looking into whether conntrack_ftp supports servers, last
time I looked it only worked for SNATed clients.  It's only like 20 lines
of code to make it work for all four cases (SNAT|DNAT)ed_(clients|server).

If you get lucky I might submit a patch for it, though I wonder why it
wasn't set up that way from day 1?

> 
> > > so this means that i don't need to open udp ports for ftp ...
> > 
> > That depends, do you plan to use host names instead of IPs?  If yes then
> > you will need to let DNS (udp) through, firehol might do this for you.
> 
> the ftp servers run on ips, but these ips are also available through
> dns names, and clients are intended to use these dns names, but i guess
> you think of dns-name based virtual hosts, which in my opinion doesn't
> work for ftp at all, as it doesn't have the relevant name headers, as
> http has.
> 
You're right.  However, DNS (53/udp) is required for host names to work at
all.  firehol might by default set this up for you.

> bye
>  jonas
> 
> 
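An added shell example (not from this thread or from firehol) that ties the two halves of the configuration discussed above together: the port list handed to ip_conntrack_ftp via ports= and the per-port ACCEPT rules the firewall needs for the same servers. The helper only parses FTP control connections on the ports it was told about, so a server port that is opened in the firewall but missing from ports= leaves that server's data connections untracked; generating both from one list keeps them from drifting apart. The script only prints the commands so they can be reviewed before being run as root; the port list is copied from the thread, the function names and the -m state rule style are my own choices, and ip_conntrack_ftp is the 2.4/2.6-era module name used here (current kernels call it nf_conntrack_ftp).

```shell
#!/bin/sh
# Constructed example: derive the conntrack-helper parameter and the
# iptables INPUT rules for several FTP servers from one port list.
# The list mirrors the one quoted in the thread.
FTP_PORTS="21,210,215,220,225,230"

# Reject anything that is not a comma-separated list of TCP ports 1-65535,
# since the same string is passed verbatim to modprobe and iptables.
valid_port_list() {
    old_ifs=$IFS
    IFS=,
    for p in $1; do
        case $p in
            ''|*[!0-9]*) IFS=$old_ifs; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# Emit the modprobe line: ip_conntrack_ftp only inspects control
# connections on the ports given here, so every server port must be listed.
ftp_helper_cmd() {
    echo "modprobe ip_conntrack_ftp ports=$1"
}

# Emit one ACCEPT rule per control port, then a single RELATED,ESTABLISHED
# rule that lets the helper-tracked data connections (active and passive)
# through without statically opening the whole high port range.
ftp_input_rules() {
    old_ifs=$IFS
    IFS=,
    for p in $1; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    IFS=$old_ifs
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Number of rules a port list produces: one per port plus the RELATED rule.
ftp_rule_count() {
    ftp_input_rules "$1" | wc -l | tr -d ' '
}

# Print the full set for review; nothing is applied to the running kernel.
if valid_port_list "$FTP_PORTS"; then
    ftp_helper_cmd "$FTP_PORTS"
    ftp_input_rules "$FTP_PORTS"
else
    echo "invalid port list: $FTP_PORTS" >&2
fi
```

Pipe the output into sh only after reading it; the same list also belongs in /etc/modules (or the firehol.conf modprobe line quoted above) so the helper is loaded with the right ports at boot.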