Re: give multiple ports a/o ips to iptables [fixed: problems with firehol...]
On 12/09/2004 Mike Mestnik wrote:
> > i still didn't get the point. you claim, that the module doesn't
> > understand the -ports option?
> > or do you mean that ip_conntrack_ftp has problems with handling more
> > than one IP address, as i have 2?
>
> Ohh wait, I could be wrong here. I guess it's only for NATing that you
> need to care about direction??? The problem as I see it is that the PORT
> cmd is only expected to come from the client end. It ONLY does. However
> when you're mangling you care whether it's inbound (DNAT) or outbound (SNAT).
> Would you care for the same reasons for an open port?
I don't use NAT by any meaning, as far as I know.
So the only goal I want to achieve is to open the ports for my ftp
servers on ports 210, 215, 220, ... for _all_ traffic that could be
produced by valid connections.
> Yes, I think you need to have code for each case. You need to have code
> for firewalling a client and then some other code for the server. AFAICT
> only clients are handled in the current code, not servers.
Sorry, but why do I need to firewall a client? I'm talking about my ftp
server, and this one has a firewall installed. I don't get the point.
> > sorry for confusion, in firehol services have some configuration, and
> > thus you can only open/close configured services. simply using
> > port ranges doesn't work.
>
> Looks like a wishlist bug to me. I'd "dpkg --purge" it if I wasn't
> able to open ports with it.
As firehol is very smart and the non-common ftp ports are the only
exception, I'm quite happy with it.
bye
jonas
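The goal stated above (ftp servers on control ports 210, 215, 220, ... reachable for all traffic a valid session produces) needs two things on the server's firewall: the conntrack FTP helper must be told which control ports to watch, and the filter must accept RELATED connections so the data channel the helper expects is let through. The following script is an added example written for this thread, not code from either poster or from the firehol project. It assumes a kernel with ip_conntrack_ftp and its `ports=` module parameter (the same parameter exists on the newer nf_conntrack_ftp) and iptables with the state match; the eight-port ceiling is the helper's own limit. Set `IPT=echo MODPROBE=echo` to see the commands without applying them.

```shell
#!/bin/sh
# Added example (not from the thread): accept FTP sessions on several
# non-standard control ports so the conntrack FTP helper tracks their
# data connections. Assumes ip_conntrack_ftp (or nf_conntrack_ftp) and
# iptables with "-m state". IPT=echo / MODPROBE=echo gives a dry run.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# join_ports PORT... : print the ports comma-separated (210 215 -> 210,215)
join_ports() {
    joined=""
    for p in "$@"; do
        joined="${joined:+$joined,}$p"
    done
    printf '%s\n' "$joined"
}

# ftp_server_rules PORT... : load the helper for the given control ports,
# accept replies and helper-created (RELATED) data connections, and accept
# NEW connections only on the listed control ports.
ftp_server_rules() {
    [ $# -gt 0 ] || { echo "usage: ftp_server_rules PORT..." >&2; return 1; }
    # ip_conntrack_ftp's "ports" array holds at most 8 entries.
    [ $# -le 8 ] || { echo "at most 8 control ports are supported" >&2; return 1; }
    plist=$(join_ports "$@")
    # The helper only parses PORT/PASV on these control ports; an ftp
    # server on 210 is invisible to it unless 210 appears in the list.
    $MODPROBE ip_conntrack_ftp ports="$plist" || return 1
    # Replies to accepted sessions and the expected data channel pass here.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    # Only the control ports themselves accept NEW connections.
    for p in "$@"; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT || return 1
    done
}

# Run as root: ./ftp-ports.sh 210 215 220
if [ $# -gt 0 ]; then
    ftp_server_rules "$@"
fi
```

The helper never does any NAT here; it only creates the expectation for the data connection, which is what lets the single ESTABLISHED,RELATED rule cover both active and passive transfers on every listed port.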