Re: give multible ports a/o ips to iptables [fixed: problems with firehol...]
--- Jonas Meurer <jonas@freesources.org> wrote:
> On 11/09/2004 Mike Mestnik wrote:
> > > no, i have 5 ftp servers running on 5 different ports. all these
> > > ports need to be opened for ftp traffic.
> >
> > Right, does firehol even load ip_conntrack_ftp? As you know better
> > than me, ports= is where you specify what ports are for FTP. In
> > firehol you would just open those ports as if they were for ssh or
> > http.
>
> the five different special ftp ports plus the default one (21) are the
> same as i specify as ports= option at loading ip_conntrack_ftp. if you
> asked for this ...
> the problem is, that 210,215,etc don't have standard services, so i'm
> not able to open them as services in firehol.conf.
>
/etc/service? This file lists the service names; I bet firehol will
accept both names and numbers.
> > > i have
> > > modprobe ip_conntrack_ftp ports=21,210,215,220,225,230
> > > in /etc/firehol/firehol.conf, and that works quite well.
> >
> > It might be worth looking into whether conntrack_ftp supports servers;
> > last time I looked it only worked for SNATed clients. It's only like 20
> > lines of code to make it work for all four cases
> > (SNAT|DNAT)ed_(clients|server).
> >
> > If you get lucky I might submit a patch for it, though I wonder why
> > it wasn't set up that way from day 1?
>
> sorry, i didn't get what you want to explain. you're talking about
> ip_conntrack_ftp sources, or about firehol sources?
>
Kernel sources, ip_conntrack_ftp. You would also need to specify the
ports param to ip_nat_ftp, if you're doing NAT.
> and what do you mean with 'supports servers', you mean whether the
> module accepts the ports option and uses it, or not?
>
Quote from the source ip_conntrack_ftp.c:51...

	{
		IP_CT_DIR_ORIGINAL,
		"PORT", sizeof("PORT") - 1, ' ', '\r',
		IP_CT_FTP_PORT,
		try_rfc959,
	},
	{
		IP_CT_DIR_REPLY,
		"227 ", sizeof("227 ") - 1, '(', ')',
		IP_CT_FTP_PASV,
		try_rfc959,
	},
	{
		IP_CT_DIR_ORIGINAL,
		"EPRT", sizeof("EPRT") - 1, ' ', '\r',
		IP_CT_FTP_EPRT,
		try_eprt,
	},
	{
		IP_CT_DIR_REPLY,
		"229 ", sizeof("229 ") - 1, '(', ')',
		IP_CT_FTP_EPSV,
		try_epsv_response,
	},

That's it, that's all. This will need to be expanded to include searches
for all four of these in the SERVER direction, with the DIR_REPLY and
DIR_ORIGINAL swapped. After that, the code to support (do something useful
with) these new searches will need to be added.
> > > the ftp servers run on ips, but these ips are also available through
> > > dnsnames, and clients are intended to use these dnsnames, but i
> > > guess you think dnsname based virtualhosts, what in my opinion doesn't
> > > work for ftp at all, as it doesn't have the relevant name headers, as
> > > http has.
> > >
> > You're right. However DNS(53/udp) is required for host names to work
> > at all. firehol might by default set this up for you.
>
> that's clear. i have the dns port opened, like many other services that
> run on the server, but in this thread i'm only talking about my ftp
> ports, as they have to be opened manually. as i already mentioned
> firehol doesn't support port-related open/close, only service-related.
>
I really don't think this to be the case, as services are only open ports.
Are you talking about client VS server, meaning that service-related ==
client and port-related == server?
> bye
> jonas
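The table quoted above lists, per connection direction, the pattern the helper looks for, the character to skip past and the terminator that ends the number list. As an added example that is not part of this thread or of the kernel source, here is a small user-space model of that search: the two RFC 959 entries (PORT and 227), a try_rfc959 number parser, and a lookup that only yields a data-connection address when the text arrives in the direction the table names, which is exactly why a server-side entry with the directions swapped is missing. The sample lines are constructed, and the names ftp_find_expect and ftp_expect_key are my own, not kernel symbols.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum dir { DIR_ORIGINAL, DIR_REPLY };   /* client->server, server->client */
/* Fields as in the quoted kernel table: direction, pattern, skip char, terminator, parser */
struct ftp_search {
    enum dir dir; const char *pattern; size_t plen; char skip; char term;
    int (*getnum)(const char *s, const char *end, unsigned *ip, unsigned short *port);
};
/* RFC 959 "h1,h2,h3,h4,p1,p2" -> 32-bit address and 16-bit port; 0 if malformed */
static int try_rfc959(const char *s, const char *end, unsigned *ip, unsigned short *port) {
    unsigned long v[6];
    for (int i = 0; i < 6; i++) {
        char *next;
        v[i] = strtoul(s, &next, 10);
        if (next == s || v[i] > 255) return 0;
        if (i < 5) { if (next >= end || *next != ',') return 0; s = next + 1; }
        else if (next != end) return 0;             /* numbers must run up to the terminator */
    }
    *ip = (unsigned)(v[0] << 24 | v[1] << 16 | v[2] << 8 | v[3]);
    *port = (unsigned short)(v[4] << 8 | v[5]);
    return 1;
}
static const struct ftp_search search[] = {      /* the two RFC 959 entries from the quote */
    { DIR_ORIGINAL, "PORT", sizeof("PORT") - 1, ' ', '\r', try_rfc959 },
    { DIR_REPLY,    "227 ", sizeof("227 ") - 1, '(', ')',  try_rfc959 },
};
/* One control-channel line seen in direction dir: returns 1 and fills ip/port when an
 * entry for that direction matches, else 0 (the helper would create no expectation). */
int ftp_find_expect(enum dir dir, const char *data, size_t len, unsigned *ip, unsigned short *port) {
    for (size_t i = 0; i < sizeof search / sizeof search[0]; i++) {
        const struct ftp_search *e = &search[i];
        if (e->dir != dir || len < e->plen || memcmp(data, e->pattern, e->plen)) continue;
        const char *s = memchr(data + e->plen, e->skip, len - e->plen);
        if (!s) continue;
        s++;                                       /* step past the skip character */
        const char *end = memchr(s, e->term, len - (size_t)(s - data));
        if (end && e->getnum(s, end, ip, port)) return 1;
    }
    return 0;
}
/* (ip << 16 | port) for a matched line, or -1 when the line is ignored. */
long long ftp_expect_key(enum dir dir, const char *line) {
    unsigned ip; unsigned short port;
    return ftp_find_expect(dir, line, strlen(line), &ip, &port) ? ((long long)ip << 16 | port) : -1;
}
int main(void) {   /* constructed sample lines, not captured traffic */
    printf("%llx\n", ftp_expect_key(DIR_ORIGINAL, "PORT 192,168,1,10,4,1\r\n"));  /* c0a8010a0401 */
    printf("%llx\n", ftp_expect_key(DIR_REPLY, "227 Entering Passive Mode (10,0,0,5,195,89)\r\n"));
    printf("%lld\n", ftp_expect_key(DIR_REPLY, "PORT 192,168,1,10,4,1\r\n"));    /* -1: wrong direction */
}
```

Because the table is keyed on direction, a PORT command sent by the server side of a connection (the case Mike describes) falls through every entry and no data-connection expectation is created.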