
Re: give multible ports a/o ips to iptables [fixed: problems with firehol...]



--- Jonas Meurer <jonas@freesources.org> wrote:

> On 11/09/2004 Mike Mestnik wrote:
> > > no, i have 5 ftp servers running on 5 different ports. all these
> > > ports need to be opened for ftp traffic.
> > 
> > Right, does firehol even load ip_conntrack_ftp?  As you know better
> > than me, ports= is where you specify what ports are for FTP.  In
> > firehol you would just open those ports as if they were for ssh or
> > http.
> 
> the five different special ftp ports plus the default one (21) are the
> same as i specify as ports= option at loading ip_conntrack_ftp. if you
> asked for this ...
> the problem is, that 210,215,etc don't have standard services, so i'm
> not able to open them as services in firehol.conf.
> 
/etc/service?  This file lists the service names, I bet firehol will
accept both names and numbers.

> > > i have
> > > modprobe ip_conntrack_ftp ports=21,210,215,220,225,230
> > > in /etc/firehol/firehol.conf, and that works quite well.
> > 
> > It might be worth looking into whether conntrack_ftp supports servers;
> > last time I looked it only worked for SNATed clients.  It's only like
> > 20 lines of code to make it work for all four cases
> > (SNAT|DNAT)ed_(clients|server).
> > 
> > If you get lucky I might submit a patch for it, though I wonder why
> > it wasn't set up that way from day 1?
> 
> sorry, i didn't get what you want to explain. you're talking about
> ip_conntrack_ftp sources, or about firehol sources?
> 
Kernel sources, ip_conntrack_ftp.  You will also need to specify the
ports param to ip_nat_ftp if you're doing NAT.

> and what do you mean with 'supports servers', you mean whether the
> module accepts the ports option and uses it, or whether not?
> 
Quote from the source ip_conntrack_ftp.c:51...
        {
                IP_CT_DIR_ORIGINAL,
                "PORT", sizeof("PORT") - 1, ' ', '\r',
                IP_CT_FTP_PORT,
                try_rfc959,
        },
        {
                IP_CT_DIR_REPLY,
                "227 ", sizeof("227 ") - 1, '(', ')',
                IP_CT_FTP_PASV,
                try_rfc959,
        },
        {
                IP_CT_DIR_ORIGINAL,
                "EPRT", sizeof("EPRT") - 1, ' ', '\r',
                IP_CT_FTP_EPRT,
                try_eprt,
        },
        {
                IP_CT_DIR_REPLY,
                "229 ", sizeof("229 ") - 1, '(', ')',
                IP_CT_FTP_EPSV,
                try_epsv_response,
        },
That's it, that's all.  This will need to be expanded to include searches
for all four of these in the SERVER direction, with DIR_REPLY and
DIR_ORIGINAL swapped.  After that, the code to support (do something useful
with) these new searches will need to be added.

> > > the ftpservers run on ips, but these ips are also available through
> > > dnsnames, and clients are intended to use these dnsnames, but i
> > > guess you think of dnsname based virtualhosts, which in my opinion
> > > doesn't work for ftp at all, as it doesn't have the relevant name
> > > headers, as http has.
> > > 
> > You're right.  However DNS(53/udp) is required for host names to work
> > at all.  firehol might by default set this up for you.
> 
> that's clear. i have the dns port opened, like many other services that
> run on the server, but in this thread i'm only talking about my ftp
> ports, as they have to be opened manually. as i already mentioned
> firehol doesn't support port-related open/close, only service-related.
> 
I really don't think this to be the case, as services are only open ports.
Are you talking about client vs. server, meaning that service-related ==
client and port-related == server?

> bye
>  jonas
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
> 

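The four searches in the table quoted above, re-implemented in Python as an added example (this is not the kernel's code and not from the thread): each entry carries the direction it applies to, so a control line arriving in the other direction is not matched at all, which is the asymmetry the discussion is about. The sample control lines in the checks are constructed.

```python
import re
# Added example, not the kernel's code: the four searches of the table
# above as (direction, pattern, skip char, terminator, parser) tuples.
_RFC959 = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _rfc959(blob):
    # h1,h2,h3,h4,p1,p2 -> (ip, port) with port = p1*256 + p2
    m = _RFC959.fullmatch(blob)
    if not m or any(int(x) > 255 for x in m.groups()):
        return None
    nums = [int(x) for x in m.groups()]
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def _eprt(blob):
    # |1|addr|port| (RFC 2428, IPv4 only) -> (ip, port)
    parts = blob.split(blob[0]) if blob else []
    if len(parts) != 5 or parts[1] != "1" or not parts[3].isdigit():
        return None
    return parts[2], int(parts[3])

def _epsv(blob):
    # |||port| -> (None, port); the address is the server's own
    parts = blob.split(blob[0]) if blob else []
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    return None, int(parts[3])

SEARCHES = [
    ("original", "PORT", " ", "\r", _rfc959),
    ("reply", "227 ", "(", ")", _rfc959),
    ("original", "EPRT", " ", "\r", _eprt),
    ("reply", "229 ", "(", ")", _epsv),
]

def find_data_endpoint(direction, line):
    # direction is 'original' (client->server) or 'reply' (server->client);
    # returns (pattern, ip, port) or None, ignoring lines in the other direction
    for want_dir, pattern, skip, term, parser in SEARCHES:
        if want_dir != direction or not line.startswith(pattern):
            continue
        start = line.find(skip, len(pattern))
        end = line.find(term, start + 1) if start >= 0 else -1
        if end < 0:
            continue
        found = parser(line[start + 1:end])
        if found:
            return pattern.strip(), found[0], found[1]
    return None
```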