Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]
--- Jonas Meurer <jonas@freesources.org> wrote:
> On 10/09/2004 Mike Mestnik wrote:
> > > anyway firehol doesn't allow setting user-specific ports for service
> > > 'ftp', and therefore i have to open these ports manually.
> >
> > ?user specific? You mean 20 (ftp-data) and not just 21 (ftp)? Connection
> > tracking FTP should handle this, but only for your clients and not for
> > any servers you could be running.
>
> no, i have 5 ftp servers running on 5 different ports. all these ports
> need to be opened for ftp traffic.
>
Right, does firehol even load ip_conntrack_ftp? As you know better than
me, ports= is where you specify which ports are for FTP. In firehol you
would just open those ports as if they were for ssh or http.
> > Turn this on with a 'modprobe ip_conntrack_ftp' and if you're doing nat
> > 'modprobe ip_nat_ftp'. I add these into /etc/modules.
>
> i have
> modprobe ip_conntrack_ftp ports=21,210,215,220,225,230
> in /etc/firehol/firehol.conf, and that works quite well.
>
It might be worth looking into whether conntrack_ftp supports servers; last
time I looked it only worked for SNATed clients. It's only like 20 lines
of code to make it work for all four cases (SNAT|DNAT)ed_(clients|server).
If you get lucky I might submit a patch for it, though I wonder why it
wasn't set up that way from day 1?
>
> > > so this means that i don't need to open udp ports for ftp ...
> >
> > That depends, do you plan to use host names instead of IPs? If yes then
> > you will need to let DNS(udp) through, firehol might do this for you.
>
> the ftp servers run on ips, but these ips are also available through
> dns names, and clients are intended to use these dns names, but i guess
> you mean dns name based virtualhosts, which in my opinion doesn't work
> for ftp at all, as it doesn't have the relevant name headers, as http
> has.
>
You're right. However DNS(53/udp) is required for host names to work at
all. firehol might by default set this up for you.
> bye
> jonas
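A small shell helper, added here as an example and not code from the thread or from firehol, that generates the modprobe line and the matching iptables rules for FTP servers listening on several ports from one port list, so the helper's ports= argument and the ACCEPT rules cannot drift apart; the interface name and the port list are placeholders for the reader's own setup. It only prints the commands, and it rejects lists the ip_conntrack_ftp module cannot take.

```shell
#!/bin/sh
# Added example, not code from the thread or from firehol: print the modprobe
# and iptables commands for FTP servers on several ports, generated from a
# single port list. Nothing is applied; review the output before running it.
# The interface name and the port list are placeholders.

MAX_FTP_PORTS=8   # ip_conntrack_ftp accepts at most 8 entries in ports=
                  # (iptables multiport allows 15, so 8 is the binding limit)

# validate_ports "21,210,215": succeed only if every entry is a port number
# in 1..65535 and the list fits the helper's limit.
validate_ports() {
    n=0
    old_ifs=$IFS
    IFS=,
    for p in $1; do
        case $p in
            ''|*[!0-9]*) IFS=$old_ifs; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS=$old_ifs
            return 1
        fi
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -ge 1 ] && [ "$n" -le "$MAX_FTP_PORTS" ]
}

# ftp_rules IFACE PORTS [nat]: emit one command per line; return 1 and
# print nothing if the port list is rejected.
ftp_rules() {
    iface=$1
    ports=$2
    validate_ports "$ports" || return 1
    echo "modprobe ip_conntrack_ftp ports=$ports"
    # the NAT helper is only needed when this box NATs the FTP traffic
    [ "$3" = nat ] && echo "modprobe ip_nat_ftp"
    # replies and helper-expected data connections first, then new control
    # connections to the listed ports only
    echo "iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $iface -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
}

ftp_rules eth0 21,210,215,220,225,230 nat
```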