
Re: give multible ports a/o ips to iptables [fixed: problems with firehol...]



On 11/09/2004 Mike Mestnik wrote:
> > No, I have 5 FTP servers running on 5 different ports. All these ports
> > need to be opened for FTP traffic.
> 
> Right, does firehol even load ip_conntrack_ftp?  As you know better than
> me, ports= is where you specify what ports are for FTP.  In firehol you
> would just open those ports as if they were for ssh or http.

The five different special FTP ports plus the default one (21) are the
same as I specify with the ports= option when loading ip_conntrack_ftp,
if that is what you asked ...
The problem is that 210, 215, etc. don't have standard services, so I'm
not able to open them as services in firehol.conf.

> > I have
> > modprobe ip_conntrack_ftp ports=21,210,215,220,225,230
> > in /etc/firehol/firehol.conf, and that works quite well.
> 
> It might be worth looking into whether conntrack_ftp supports servers; last
> time I looked it only worked for SNATed clients.  It's only like 20 lines
> of code to make it work for all four cases (SNAT|DNAT)ed_(clients|server).
> 
> If you get lucky I might submit a patch for it, though I wonder why it
> wasn't set up that way from day 1?

Sorry, I didn't get what you wanted to explain. Are you talking about
the ip_conntrack_ftp sources, or about the firehol sources?

And what do you mean by 'supports servers'? Do you mean whether the
module accepts the ports option and uses it, or not?

> > The FTP servers run on IPs, but these IPs are also available through
> > DNS names, and clients are intended to use these DNS names; but I guess
> > you mean DNS-name-based virtual hosts, which in my opinion doesn't work
> > for FTP at all, as it doesn't have the relevant name headers as HTTP
> > has.
> > 
> You're right.  However, DNS (53/udp) is required for host names to work at
> all.  firehol might by default set this up for you.

That's clear. I have the DNS port opened, like many other services that
run on the server, but in this thread I'm only talking about my FTP
ports, as they have to be opened manually. As I already mentioned,
firehol doesn't support port-related open/close, only service-related.

bye
 jonas
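The thread above hinges on one point that is easy to get wrong: the ports handed to ip_conntrack_ftp via ports= and the ports the firewall actually opens for FTP control connections must be the same list, otherwise the helper never sees the PORT/PASV exchange on the extra ports and the data connections are dropped. The following POSIX sh script is an added example and is not part of the original message, nor firehol's own code: it derives the modprobe line and plain iptables rules (the "multiple ports to iptables" question in the subject, using -m multiport) from one port list, and checks that a firehol-style "tcp/NNN" port string agrees with the helper's list. The port list FTP_PORTS and the tcp/ prefix convention are constructed for illustration; nothing here touches the running kernel or firewall, the commands are only printed.

```shell
#!/bin/sh
# Added example (not from the original thread): keep the FTP conntrack helper
# and the firewall rules derived from a single list of FTP control ports.

# Constructed example: the default FTP port plus five non-standard ones.
FTP_PORTS="21 210 215 220 225 230"

# Join a space-separated port list into the comma-separated form that
# "modprobe ip_conntrack_ftp ports=..." expects.
join_ports() {
    echo "$1" | tr -s ' ' ',' | sed 's/^,//; s/,$//'
}

# Print the modprobe line that tells the FTP helper which control ports
# to inspect for PORT/PASV commands.
conntrack_cmd() {
    echo "modprobe ip_conntrack_ftp ports=$(join_ports "$1")"
}

# Print iptables rules for the same ports: one multiport rule for new
# control connections (multiport accepts at most 15 ports per match) and a
# RELATED rule so the data connections the helper tracks are admitted
# without opening any further ports.
iptables_cmds() {
    ports=$(join_ports "$1")
    echo "iptables -A INPUT -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Compare the helper's port list with a firehol-style port string such as
# "tcp/21 tcp/210" (assumed convention). Order does not matter.
# Returns 0 when both name exactly the same ports, 1 otherwise.
ports_agree() {
    helper=$(echo "$1" | tr ' ' '\n' | sort -n | tr '\n' ' ')
    fw=$(echo "$2" | tr ' ' '\n' | sed 's#^tcp/##' | sort -n | tr '\n' ' ')
    [ "$helper" = "$fw" ]
}

# Stand-alone run: print what would be applied for the constructed list.
conntrack_cmd "$FTP_PORTS"
iptables_cmds "$FTP_PORTS"
if ports_agree "$FTP_PORTS" "tcp/21 tcp/210 tcp/215 tcp/220 tcp/225 tcp/230"; then
    echo "helper ports and firewall ports agree"
else
    echo "WARNING: helper ports and firewall ports differ" >&2
fi
```

Run it as a dry run first and compare the printed commands with the ports in your firewall configuration; a mismatch is the usual reason one of several FTP servers accepts logins but stalls on directory listings, because only the control port is open and the helper is not watching it.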


